How to login in php with crypt

Question

This is the "Registration Successful" page:

         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Registration Successful</title>
</head>

<body>

<p>
  <?php
// Make a MySQL Connection
mysql_connect("localhost", "userid", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$name=$_POST['name'];
$age=$_POST['age'];

// These only work for CRYPT_SHA512, but it should give you an idea of how crypt() works.
$Salt = uniqid(); // Could use the second parameter to give it more entropy.
$Algo = '6'; // This is CRYPT_SHA512 as shown on http://php.net/crypt
$Rounds = '10000'; // The more, the more secure it is!

// This is the "salt" string we give to crypt().
$CryptSalt = '$' . $Algo . '$rounds=' . $Rounds . '$' . $Salt;

$hashed_password = crypt($_POST['password'], $CryptSalt);

// Insert a row of information into the table "example"
mysql_query("INSERT INTO example 
(name, age, password) VALUES('$name', '$age', '$hashed_password' ) ") 
or die(mysql_error()); 

echo "Data Inserted!";

?>
</p>
<p><a href="login.php">Click here to Login!</a></p>
</body>
</html>

And this is Login Check Page:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login Check</title>
</head>

<body>
<p>
  <?php
// Make a MySQL Connection
mysql_connect("localhost", "userid", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$name=$_POST['name'];

// These only work for CRYPT_SHA512, but it should give you an idea of how crypt() works.
$Salt = uniqid(); // Could use the second parameter to give it more entropy.
$Algo = '6'; // This is CRYPT_SHA512 as shown on http://php.net/crypt
$Rounds = '10000'; // The more, the more secure it is!
// This is the "salt" string we give to crypt().
$CryptSalt = '$' . $Algo . '$rounds=' . $Rounds . '$' . $Salt;
$hashed_password = crypt($_POST['password1'], $CryptString);

$result = mysql_query("SELECT * FROM example WHERE name = '$name'");
$row = mysql_fetch_array($result);


if($row["name"]==$name && crypt($row["password"], $hashed_password) == $hashed_password){
    echo"Hello $name !!!";
}
else{
    echo"Sorry, your credentials are not valid, Please try again.";
}

?>
</p>
</body>
</html>

The problem is that I am getting the following result when I try to log in with the same name and password which I used while signing up:

Sorry, your credentials are not valid, Please try again.

Can anybody tell what the problem is? My question might be a silly one but I am an entry level programmer and I really need help.

Thanks a lot in advance.

HERE IS THE REVISED CODE WHERE I SAVED THE SALT AT SIGN UP AND RETRIEVED AT LOGIN:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login Check</title>
</head>

<body>
<p>
  <?php
// Make a MySQL Connection
mysql_connect("localhost", "userid", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$name=$_POST['name'];

// These only work for CRYPT_SHA512, but it should give you an idea of how crypt() works.
//$Salt = uniqid(); // Could use the second parameter to give it more entropy.
//$Algo = '6'; // This is CRYPT_SHA512 as shown on http://php.net/crypt
//$Rounds = '10000'; // The more, the more secure it is!
// This is the "salt" string we give to crypt().
//$CryptSalt = '$' . $Algo . '$rounds=' . $Rounds . '$' . $Salt;

$result = mysql_query("SELECT * FROM example WHERE name = '$name'");
$row = mysql_fetch_array($result);
$CryptSalt = $row["salt"];
$hashed_password = crypt($_POST['password1'], $CryptSalt);

if($row["name"]==$name && crypt($row["password"], $hashed_password) == $hashed_password){
    echo"Hello $name !!!";
}
else{
    echo"Sorry, your credentials are not valid, Please try again.";
}

?>
</p>
</body>
</html>

Your salt is changing between the two pages as uniqid will return a different answer on each page. As you are crypting with a different salt each time, they will not match. I suggest looking at the crypt examples on the [crypt manpage](http://php.net/manual/en/function.crypt.php) As you seem to be vastly over complicating it — Anigel, Jun 26 '13 at 12:24
Ohh! I see. So what to do now??? How to get the same uniqid which was used while signing up?? Or do you have a better solution?? — PHP Developer, Jun 26 '13 at 12:28
Or I should save the uniqid in a new column in the database at the time of signup and then retrieve it and multiply it at the time of login??? — PHP Developer, Jun 26 '13 at 12:30
you can save the salt along with the hash separated by `':'` then you will have access to it. — DevZer0, Jun 26 '13 at 12:31
DevZer0 I really have no idea how to do that. Can you please help me with some code here??? — PHP Developer, Jun 26 '13 at 12:33
http://stackoverflow.com/questions/10890244/validating-passwords-with-random-salts — Anigel, Jun 26 '13 at 12:44
I saved the salt and retrieved it at login and multiplied it generating the same password at the time of signup, but still no use. It is giving me the same error. Please help!!! — PHP Developer, Jun 26 '13 at 13:08
@Anigel I have added it at the end of my original question. Please have a look. — PHP Developer, Jun 26 '13 at 13:16
Try this if($row["name"]==$name && $row["password"] == $hashed_password){ If you are storing a crypted password in the database then you dont need to recrypt it when you read it as it is already crypted. You just crypt the supplied password with the same salt as before and see if it matches what is stored in the database without making any further processing on the information from the database. — Anigel, Jun 26 '13 at 13:25
@Anigel You sounds perfectly logical but bad news! It is STILL not working... Giving same message of "Sorry, your credentials are not valid, Please try again." :( — PHP Developer, Jun 26 '13 at 13:32
Can you set up a [phpfiddle](http://phpfiddle.org/) so we can look at it further — Anigel, Jun 26 '13 at 13:37
A quick look at the code you are using produces a hashed sting like this Hash = $6$rounds=10000$51caef7faadb7$KbtGmyfhT4tS5aVvpkN9h4bTKTM9H4wZuVlA/8MigeMyspBMQ0XievPewFMOxihko9sq3lVb3HUbiRk4Pptkp1 I doubt that is what you require. I still suggest going back to the drawing board and look at the crypt examples on the php manpage like I suggested previously — Anigel, Jun 26 '13 at 13:42
@Anigel this is what I am doing. I retrieved the actual Crypt code and then again crypted it with the provided password. Now, the way it should work should provide the same password which is there in the actual password field of the database. And I am matching that with the crypted password, which SHOULD make both the same. But still it is not helpful. Anyways, I have settled up phpfiddle on your request. Please have a look at that. — PHP Developer, Jun 26 '13 at 13:45
@Anigel! I did that even before you suggested, just to make sure that the crypt code is getting up to the last stage perfectly and it IS getting up till there perfectly. But still not matching the passwords... — PHP Developer, Jun 26 '13 at 13:46
@Anigel !! Job done!!! :) The problem was that the character count limit in my database for hashed password was set to "20" only! I increased it and now it's working PERFECTLY!!! :) Thank you SOOOOOOOOO Much !!!! :) — PHP Developer, Jun 26 '13 at 14:02

score 0 · Answer 1 · answered Jun 26 '13 at 12:42

When logging in you should query hashed password from database and use explode to get salt from there since it is part of the hashed password. Alternatively you can save the salt in different field and retrieve it from there or hardcode to use same salt for every password.

score 0 · Answer 2 · answered Jun 26 '13 at 20:09

Use

if($row["name"]==$name and crypt($_POST['password1'], $row["password"]) == $row['password']) {
    ...

You don't need to save the salt in a special column as it is already included in the output of crypt e.g. crypt('secret', '$6$mysalt$') gives "$6$mysalt$UX6P1V...". It's a feature of crypt() that you can pass the old hash as $salt parameter to let it use the same salt.

How to login in php with crypt

2 Answers2