Learning hash format, salting and crypt - need help on Blowfish

Hi folks,

I am taking a course in PHP and MYSQL. I’M A NEWBIE. I have an assignment that I’m working on that should be simple.

I have constructed the following (see below) based on class information I was supposed to use. I could choose my own password, my hash format (Blowfish) and salt length.

I randomly generated a salt of 22 characters, concatenated the hash format and salt, then applied the crypt function to the password and the concatenated hash and salt.

What I expected from my crypt function was to see the hash format followed by 22 characters of the randomly generated salt, followed by the encrypted password. For some reason one character at the end of the salt is being removed and I don’t know why. Any thoughts?

Here is my code:

[php]<?php
$password = "secret2";
$hash_format = '$2y$10$';   // Tells PHP to use Blowfish with a "cost" of 10 (single quotes, so "$2y" is never treated as a variable)
$salt_length = 22;          // Blowfish salts must be exactly 22 characters
$unique_random_string = md5(uniqid(mt_rand(), true));
// Valid characters for a salt are [a-zA-Z0-9./]
echo $unique_random_string;
echo "<br>";
$base64_string = base64_encode($unique_random_string);
// But not '+' which is valid in base64 encoding
echo $base64_string;
echo "<br>";
$modified_base64_string = str_replace('+', '.', $base64_string);
echo $modified_base64_string;
echo "<br>";
// Truncate string to the correct length
$salt = substr($modified_base64_string, 0, $salt_length);
echo "random generated salt, " . $salt . " , with string length of " . strlen($salt) . " characters.";
echo "<br>";
$hash_format_and_salt = $hash_format . $salt;
echo "<br>";
echo "hash format and random salt concatenated: " . $hash_format_and_salt;
$hash = crypt($password, $hash_format_and_salt);
echo "<br>";
echo "hash generated with crypt, password and salt : " . $hash;
echo "<br>";
echo "Notice the hash format followed by the salt which is missing its last character followed by the encrypted password. Why is the last letter of the salt missing from the hash?";
?>[/php]

Thanks for your time and patience,
Greg

No, no, no, don't even go there.

Get up to current coding standards and use password_hash and password_verify

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/function.password-verify.php

I kind of expected this answer.

Sorry but this is my assignment and this is what is expected.

Greg

Just learned that the course will be talking about password_hash which is in PHP v5.5, i.e. the features you told me to go learn. I guess the above was a lesson in how password encryption occurred in the past. Still wondering why I am having the issue though. It bothers me. Any thoughts?

Greg

You will spend a lifetime learning how things “used to work”. It really just doesn’t matter. I would ask your professor why you were sent in that direction. It is really a waste of your valuable school time. Hopefully they won't be using the obsolete Mysql_* functions.

No, using mysqli.

I think the point is that changes are coming so rapidly that one should be prepared to change code? Or when he first developed the course 5.5 wasn’t out yet.

Greg

Are there no discussions going on? Sounds like they are just handing you stuff to do. I would say you hit it on the second idea. The teacher is just grabbing what he had. Do your class and all future classes a favor and talk to him about how important it is that he stays current. He is wasting everyone’s time teaching outdated methods.

The reason that you're seeing problems is that it doesn't actually use 22 characters of salt. It only uses 21.25 characters. So a few bits of the 22nd character are used for salt, and the remaining are used for hash (the result).

The reason is that the salt isn’t a string. It’s a 128 bit number. The number is serialized into base64. To review how base 64 works, every 3 byte block is “translated” into a 4 byte block…
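To make the bit arithmetic above concrete, here is an added Python example (not from this thread, and not PHP's crypt() itself) that reimplements the salt decode/encode step of bcrypt: 22 salt characters carry 132 bits, only 128 are kept, so the 22nd character contributes just its top 2 bits and comes back out of crypt() as one of four canonical characters. The alphabet and the 4-chars-to-3-bytes layout are bcrypt's own; treating them as matching what PHP's `$2y$` crypt() prints is the assumption this example rests on.

```python
# bcrypt's own 64-character alphabet ("./A-Za-z0-9"); not standard base64 order.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
SALT_CHARS = 22   # what follows "$2y$10$" in the input string
SALT_BYTES = 16   # 128 bits: the salt crypt() actually uses


def decode_salt(salt: str) -> bytes:
    """Turn a 22-char bcrypt salt into the 16 bytes crypt() really consumes."""
    if len(salt) != SALT_CHARS:
        raise ValueError("bcrypt salt must be exactly 22 characters")
    if any(c not in BCRYPT_ALPHABET for c in salt):
        raise ValueError("salt contains a character outside [./A-Za-z0-9]")
    vals = [BCRYPT_ALPHABET.index(c) for c in salt]
    out = bytearray()
    for i in range(0, SALT_CHARS, 4):
        g = vals[i:i + 4]
        # 4 sextets -> 3 bytes for the first five groups; the last group has
        # only 2 sextets -> 1 byte, so the low 4 bits of char 22 are dropped.
        out.append(((g[0] << 2) | (g[1] >> 4)) & 0xFF)
        if len(g) == 4:
            out.append((((g[1] & 0x0F) << 4) | (g[2] >> 2)) & 0xFF)
            out.append((((g[2] & 0x03) << 6) | g[3]) & 0xFF)
    return bytes(out)


def encode_salt(raw: bytes) -> str:
    """Re-encode 16 salt bytes the way crypt() prints them back in the hash."""
    if len(raw) != SALT_BYTES:
        raise ValueError("need exactly 16 salt bytes")
    chars = []
    for i in range(0, SALT_BYTES, 3):
        b = raw[i:i + 3]
        chars.append(BCRYPT_ALPHABET[b[0] >> 2])
        if len(b) == 1:
            # final byte: only 2 bits are left for the 22nd character
            chars.append(BCRYPT_ALPHABET[(b[0] & 0x03) << 4])
            break
        chars.append(BCRYPT_ALPHABET[((b[0] & 0x03) << 4) | (b[1] >> 4)])
        chars.append(BCRYPT_ALPHABET[((b[1] & 0x0F) << 2) | (b[2] >> 6)])
        chars.append(BCRYPT_ALPHABET[b[2] & 0x3F])
    return "".join(chars)


def canonical_salt(salt: str) -> str:
    """The salt as it will appear inside the "$2y$10$..." string crypt() returns."""
    return encode_salt(decode_salt(salt))


def valid_last_chars() -> str:
    """Every character the 22nd position can hold after a crypt() round trip."""
    return "".join(sorted({encode_salt(bytes([v] * SALT_BYTES))[-1] for v in range(256)}))
```

With a constructed salt such as `abcdefghijklmnopqrstuv`, `canonical_salt()` returns the same 21 characters followed by `u`, which is the "changed last letter" seen in the hash; a salt that already ends in `.`, `O`, `e` or `u` survives unchanged.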

So are you saying mysqli is not the direction to go? And are you saying this forum is not for people using mysqli?

The entire class is based on Procedural PHP with mysqli.

Thanks for your time and patience,
Greg

I’m confident Rubio was talking about the reimplementation of the password hashing. I’d at least hand in a few reasons as to why doing so is a terrible idea - along with whatever I could get together.

The PDO/Mysqli discussion is quite a big one, there are pros and cons for each. Many (myself included) seem to favor PDO. It’s also what Symfony/Doctrine2 ORM uses, for whatever that’s worth. PDO only provides an object oriented approach though - which makes it a bad fit for your class. Having worked with quite a few companies over the last years I’ve yet to see anyone staying procedural though - they’ve all been on some level of OOP.

Thanks so much for your insights.

Since I am not a programmer and am only learning PHP and MySQL, I suppose it may be time to consider PDO, but it seems so much different and I’m having a hard time wrapping my head around it. I do have a degree in mathematics so I have some level of abstract ability. Maybe there is another language I need to learn that may help me better grasp the PDO approach. Suggestions?

Thanks,
Greg

Study this https://phpdelusions.net/pdo

I’d suggest just starting an empty “todo app” project and going for it using the tutorial Rubio linked to. PDO isn’t that hard to grasp, many even say it’s the simpler version of the two.

[php]<?php
$dsn = 'mysql:dbname=testdb;host=127.0.0.1';
$user = 'dbuser';
$password = 'dbpass';
$options = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,     // throw on errors instead of failing silently
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_OBJ,  // rows come back as objects ($user->name)
    PDO::ATTR_EMULATE_PREPARES => false,             // real server-side prepared statements
];

$dbh = new PDO($dsn, $user, $password, $options);

// Placeholders keep the user-supplied values out of the SQL text
$sth = $dbh->prepare('SELECT id, name, age
    FROM user
    WHERE age > ? AND age < ?');

$sth->execute([
    $_POST['minAge'],
    $_POST['maxAge'],
]);

$users = $sth->fetchAll();
?>

<h1>Users</h1>
<ul>
    <?php foreach ($users as $user): ?>
        <li><?= htmlspecialchars($user->name) ?></li>
    <?php endforeach; ?>
</ul>[/php]

Thanks so much for your kind reply. Given all things that I’m spending time with and the upcoming mountain biking scene which will soon be happening in my area of Maine I’ll give this a shot.

Much appreciated,
Greg
