ID: 38986
Updated by: [EMAIL PROTECTED]
Reported By: charlie28u798r at web dot de
-Status: Open
+Status: Bogus
Bug Type: Documentation problem
PHP Version: Irrelevant
New Comment:
Because the salt is random, the resulting hash will be random.
To test this hash against a user input, you'll use $hash as the salt:
if(crypt($input, $hash) == $hash)
The hash can always be used as the salt:
crypt($p, crypt($p, $salt)) == crypt($p, $salt) // true
Example 1 looks perfectly clear to me.
Example 2 is correct, Apache handles crypt()'ed passwords.
Previous Comments:
------------------------------------------------------------------------
[2006-09-28 20:49:31] charlie28u798r at web dot de
Description:
------------
There are 2 examples given in the documentation of crypt(), which can't
work the way they're shown.
Example 2 will, as read in the documentation, give different hash
values each time it's called. But it looks like it's supposed to give the
same hash for same passwords so a user given password can be compared
with the one saved in a databank (or the one in htpasswd).
<?php
// Set the password
$password = 'mypassword';
// Get the hash, letting the salt be automatically generated
$hash = crypt($password);
?>
Reproduce code:
---------------
On the other hand example 1 is not clear. This won't work either, unless
$user_input is given and it won't really state what it should do. From
the code I would state it should be used to compare passwords, but like
I said it's not clear.
<?php
$password = crypt('mypassword'); // let the salt be automatically generated
/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (crypt($user_input, $password) == $password) {
    echo "Password verified!";
}
else echo "Wrong Password";
?>
Expected result:
----------------
Password verified
Actual result:
--------------
Wrong Password
------------------------------------------------------------------------
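The verification pattern from the new comment at the top of this report, as an added example (not code from the report or from the PHP manual): the same password hashed twice with different random salts, each hash then checked by passing the stored hash back to crypt() as the salt. The helper names make_hash() and verify(), the choice of bcrypt ("$2y$10$") and the use of hash_equals() in place of == are assumptions of this example.

```php
<?php
// Added example; make_hash() and verify() are hypothetical helper names.

// Hash a password with a fresh random salt. The salt is passed explicitly
// because PHP 8 requires the second argument to crypt().
function make_hash(string $password): string
{
    // 16 random bytes, base64-encoded and mapped onto bcrypt's salt
    // alphabet (./A-Za-z0-9); the first 22 characters form the salt.
    $raw  = base64_encode(random_bytes(16));
    $salt = substr(strtr($raw, '+', '.'), 0, 22);

    // "$2y$10$" selects bcrypt with cost 10 (assumed for this example).
    return crypt($password, '$2y$10$' . $salt);
}

// Check user input against a stored hash. crypt() reads the algorithm,
// cost and salt from the front of $stored and re-hashes $input with them.
function verify(string $input, string $stored): bool
{
    $candidate = crypt($input, $stored);

    // hash_equals() compares in constant time, which == does not.
    return hash_equals($stored, $candidate);
}

$first  = make_hash('mypassword');
$second = make_hash('mypassword');

// Compare the two stored hashes of the same password with each other.
var_dump($first === $second);

// Verify the correct password against each stored hash.
var_dump(verify('mypassword', $first));
var_dump(verify('mypassword', $second));

// Verify a wrong password against a stored hash.
var_dump(verify('not-the-password', $first));
?>
```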