Sascha,

Can you please check this out? It should probably be fixed for 4.0.6.

Andi

>Date: Thu, 17 May 2001 16:48:36 +0100
>From: Chris Walker <[EMAIL PROTECTED]>
>Organization: Gameshrine
>Subject: [PHP-DEV] mcrypt failure under PHP 4.0.5 -> more info.
>
>Hi fellow developers,
>
>RE: mcrypt functionality failure since PHP 4.0.5 upgrade.
>
>This is a snippet taken from the class that handles the addition of
>new users into the users table. It shows the way we *were
>successfully* using mcrypt to encrypt users' passwords:
>
>//--- Begin code paste.
>
>    $password_key = md5($username);
>
>    // Actual passwords are randomly generated.
>    // User may change later.
>
>    srand((double)microtime()*1000000);
>    $password = substr(md5(rand(0,9999999)),0,8);
>
>    // Encrypt password using md5 string above.
>
>    $td = mcrypt_module_open (MCRYPT_TripleDES, "", MCRYPT_MODE_ECB, "");
>    $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
>    mcrypt_generic_init ($td, $password_key, $iv);
>    $encrypted_password = mcrypt_generic ($td,$password);
>    mcrypt_generic_end ($td);
>
>    // Do database insert using $encrypted_password value.
>
>//--- End code paste.
>
>The rest is irrelevant. Up until the upgrade to PHP 4.0.5, the above
>method worked without any issue, each time returning properly
>encrypted passwords which were then stored in the database.
>
>At the moment passwords are now being stored unencrypted but since it's
>currently on an internal development server the security implications
>are negligible, BUT I would appreciate any feedback, similar
>encounters, etc from the development community since this clearly
>needs fixing.
>
>Many thanks,
>
>Chris.
>
>
>
>--
>PHP Development Mailing List <http://www.php.net/>
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>To contact the list administrators, e-mail: [EMAIL PROTECTED]
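
The quoted snippet hands the output of the mcrypt calls to the database insert without checking any return value. The following is an added example, not part of the original message or of the PHP project: a PHP 7+ version of the same step that uses password_hash() instead of mcrypt and refuses to return anything unless hashing verifiably succeeded. The function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; assumes PHP 7.0+ (random_bytes, password_hash).

/** Generate an initial password from the OS CSPRNG instead of srand()/rand(). */
function generate_initial_password(int $bytes = 9): string
{
    // 9 random bytes -> 12 URL-safe base64 characters, no padding.
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

/**
 * Return the value to store in the users table, or throw.
 * Fails closed: the plaintext is never returned as the "protected" value.
 */
function protect_password(string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Older PHP versions signal failure with false/null rather than throwing.
    if (!is_string($hash) || $hash === '') {
        throw new RuntimeException('password hashing failed; refusing to store');
    }

    // Self-checks before the insert: the output is a recognised hash format,
    // differs from the input, and round-trips through password_verify().
    $info = password_get_info($hash);
    if (empty($info['algo'])
        || hash_equals($password, $hash)
        || !password_verify($password, $hash)) {
        throw new RuntimeException('hash self-check failed; refusing to store');
    }

    return $hash;
}

// Constructed usage: the caller inserts $stored, never $password.
$password = generate_initial_password();
$stored   = protect_password($password);

printf("initial password length: %d\n", strlen($password));
printf("stored hash algorithm:   %s\n", password_get_info($stored)['algoName']);
printf("login check passes:      %s\n", password_verify($password, $stored) ? 'yes' : 'no');
```

Because the insert only ever receives the return value of protect_password(), a failure in the underlying primitive stops the signup instead of writing a plaintext password to the users table.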

