[nycphp-talk] crypt() issue
Mikko Rantalainen
mikko.rantalainen at peda.net
Tue Dec 20 03:17:02 EST 2005
Max Gribov wrote:
> I have users sign up, and then add their password into database after
> running
> $passwd = crypt($post['passwd1']);
> $user->create($post['username'], $passwd, $post['email']);
Do you check for errors in User::create()? Have you checked that DB
entry really contains what you're expecting?
> The user class handles the creation fine, there is a crypt'ed entry in
> the password field in the DB.
> Then, I am trying to authenticate a user on login like so:
>
> In index.php:
> $user->login($post['username'], $post['password'],
>              $_SERVER['HTTP_USER_AGENT'], 'user');
>
> In classes file for User class:
> public function login($username, $password, $user_agent, $realm) {
>     $this->username = $username;
>     $this->password = $password;
>     $sql = "select password from users where username='$this->username'
>             and admin='f'";
What's the meaning of "admin='f'"?
>     $db_res = $this->db->Execute($sql);
Did you check for errors here?
>     if (crypt($this->password, $db_res->fields['password']) !=
>         $db_res->fields['password']) {
>         $this->error = "Invalid username/password ";
>         return false;
>     } else {
>         // set session vars, redirect, etc
>     }
> }
>
> $post is the processed array of $_POST but it's not being modified when
> processed, only checked for invalid input and the program will die() if
> it doesn't comply.
>
> So basically,
> crypt($post['passwd1'])
> during signup creates one value, but
>
> crypt($this->password, $db_res->fields['password'])
> during authentication returns a different, although always the same, value.
My guess is that $db_res->fields['password'] doesn't contain the
result of the original crypt() call with random salt.
--
Mikko
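To make Mikko's guess concrete, here is an added PHP example (not code from the thread) that does the same signup/login round trip with crypt() and then shows what happens when the stored value is not the full crypt() output, e.g. because the password column is too short. It assumes PHP 7+ (random_int, hash_equals) and a crypt() that supports the SHA-512 `$6$` scheme; the sample password and column width are constructed.

```php
<?php
// Added example, not from the original thread.

// Salt for SHA-512 crypt(): "$6$" followed by 16 chars from [./0-9A-Za-z].
function makeSalt(): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$6$' . $salt;
}

// Signup: crypt() with a fresh random salt. The salt is embedded in the
// result, so the whole string must be stored unchanged.
function hashPassword(string $password): string {
    return crypt($password, makeSalt());
}

// Login: re-run crypt() with the stored hash as the salt and compare the
// full strings. hash_equals() is a constant-time comparison.
function verifyPassword(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

function check(string $label, bool $ok): void {
    echo ($ok ? 'OK   ' : 'FAIL ') . $label . PHP_EOL;
}

$password = 'correct horse';           // constructed sample input
$stored   = hashPassword($password);   // what should land in the DB

check('full hash verifies the right password', verifyPassword($password, $stored));
check('full hash rejects a wrong password', !verifyPassword('wrong', $stored));

// Failure mode: a column such as VARCHAR(32) silently cuts the hash short.
// crypt() then only reads the salt prefix and returns a full-length hash,
// which never equals the truncated value but is identical on every attempt,
// which is exactly the symptom described in the thread.
$truncated = substr($stored, 0, 32);
check('truncated hash never verifies', !verifyPassword($password, $truncated));
check('crypt() output is stable across attempts',
      crypt($password, $truncated) === crypt($password, $truncated));
echo 'stored length: ' . strlen($stored) . ', column kept: ' . strlen($truncated) . PHP_EOL;
```

If the "truncated hash never verifies" line fires in a real deployment, compare strlen() of the stored value with the length of a fresh crypt() result before looking anywhere else.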