I am having some issues with the PHP Crypt Function, which hopefully someone can help me out with.

I am designing a website for a sports club as a school project, and they don't want to pay for hosting that has a database. I therefore am having to make use of a Flat File DB which shall hold only a couple of passwords and the content created with the use of the CMS I am writing for them.

I currently have the following for my Login system:

<?php

    session_start();

    ini_set('display_errors', 1);

    $Username = $_POST['Username'];
    $Password = $_POST['Password'];

    $CurPassword = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/DB/Hash');

    if(crypt($Password, $CurPassword) == $CurPassword){
        echo("MATCH");          
    }

    else{   
        echo("NO MATCH");   
    }

?>
  1. The login system always returns "No Match", the Hash in the file is copied exactly with the use of the Crypt Function and therefore I don't understand what is going wrong. If I use $CurPassword = crypt($Password); instead it seems to work.

  2. I have only ever used a MySQL database, which I know is vulnerable to injection. Is a Flat File database like this still vulnerable, and how can I protect against it? At the moment, the only real security I have on the file is an HTAccess restriction and restricted file permissions.

  3. In the past, I've been using a mix of Hashes and random salts to create a hash string. This is the first time I've used the crypt function, which one is better for password security, the Hash Function or the Crypt Function?

Thank you

Hey,

Probably a silly question.. Have you tried echoing the $Username and $Password and $Curpassword to see if they contain the expected values?

Probably a silly question.. Have you tried echoing the $Username and $Password to see if they contain the expected values?

Hello phorce, thanks for the reply.

Yes, they do echo out correctly but even if I write the password directly to the variable ($Password = "***") it still fails to match.

Doing a strlen check, the File_Get_Contents string is 1 character longer than copying in the hash and running an strlen check.

Does the File_Get_Contents add any whitespace? Echoing them both out they look symmetrical, and Preg Replacing whitespace doesn't do anything to help the situation.

IMO I wouldn't crypt the password, more, hash them but it's up to you. I don't get why you're encrypting it, since hashing it to some extent should provide a safer solution.

L database, which I know is vulnerable to injection. Is a Flat File database like this still vulnerable, and how can I protect against it? At the moment, the only real security I have on the file is an HTAccess restriction and restricted file permissions.

Ideally you should be using PDO or mysqli (PDO should provide you with a safer option). I'm guessing this password is somehow stored inside a text-file? How many passwords are there going to be? If you assume there are going to be a lot of passwords, are you going to have multiple text files? If so.. This is not a safe route to go down.

P.S. Crypt isn't two way encription, which is very misleading. Which is probably why you're running into such problems.

Hope this helps you

Yeah, I think I will go back to my previous methods of hashing passwords and salting them with openssl_random_pseudo_bytes().
As I say, this is the first time I've tried out the crypt() function.

In terms of storing passwords, it is only going to be a single password used to access the CMS. I would preferably use MySQLi and prepared statements however since they don't want to use a dedicated database I don't see much of a way around it.

Thank you

Hey, I think (And I maybe wrong, so anyone please do correct me i've been out of PHP doing C++ for a while) but your problem seems to be that you're trying to compare a string that has already been encrpyted against another.. E.g.

<?php

    session_start();

    ini_set('display_errors', 1);

    $Username = $_POST['Username'];
    //$Password = $_POST['Password'];
    $Password = "abc123";
    $CurPassword = crypt("abc123");
   // $CurPassword = file_get_contents($_SERVER['DOCUMENT_ROOT'].'/DB/Hash');

    if(crypt($Password, $CurPassword) == $CurPassword){
        echo("MATCH");          
    }

    else{   
        echo("NO MATCH");   
    }

?>

This works, mainly because I am encrpyting plain-text ("abc123") and therefore not comparing against actual encrpyted (Not two way!) Anyway, I hope you resolve the issue and someone else may be able to throw something to this :)

Thanks for all your help.

I might try and persuade them to just use a MySQLi DB (for the extra couple of pounds/dollars it will be in terms of hosting) or write an "Offline" CMS system so all they need to do is upload the new files to the server.

You don't really need a SQL server to use a SQL database in modern PHP code.

The PDO extension and its SQLite driver are both enabled by default in PHP 5.1 and higher. You could use that in much the same way you would use PDO with MySQL, with only a minor differences. SQLite is a file based system that requires no servers to function, kind of like an advanced flat-file database accessible through standard SQL statements.

If your host doesn't support any actual database servers, this is the option I would suggest before trying any kind of manual flat-file databases.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.