doyz51819 2014-04-11 15:06
Views: 59
Accepted

PHP crypt returns true even when a suffix is appended to the password

So I have a small leak in my login script.

Let's say we have a user "David" with the password "s3cret". If David logs in with s3cret, he is logged in, and everything works fine. If he logs in with "oijopij", the system won't give him access, as expected. However, if he tries to log in with "s3cretHelloimasuffix", he is also logged in. This is the part where I create the hash with crypt:

$salt = //Some random salt string
$hash = crypt( $user->pass, $salt );

This hash is then inserted into the DB.

if ( crypt( $this->data->pass, $user->pass ) == $user->pass )
     return true;

return false;

This is then the part that actually checks the password against the hash; both the password and the hash are correct. But it still returns true even if there is a suffix behind the password.

Edit: I forgot the actual question: How do I fix this problem? It could be seen as a security leak, even though in practice it isn't.


1 answer

  • douka19950505 2014-04-11 15:19

    crypt as you're using it is limited to 8 character passwords:

    php > echo crypt('1234567', 'abc');
    ablk9HoaAwzxk
    php > echo crypt('12345678', 'abc');
    ab1iBa.N.U2C6
    php > echo crypt('123456789', 'abc');
    ab1iBa.N.U2C6
    php > echo crypt('1234567890', 'abc');
    ab1iBa.N.U2C6

    Note how the ...8, ...89, ...890 versions have identical hashes.

    crypt is obsolete and should not be used for password systems anymore. password_hash() is the recommended method now, which supports multiple hashing methods, including bcrypt, which SHOULD be used for password hashes.

    This answer was selected as the best answer by the asker.
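The truncation the answer describes, next to the password_hash()/password_verify() replacement and a migration path for hashes already in the database, as an added example that is not code from the original question or answer. The password `correct1`, the salt `ab` and the cost of 12 are constructed sample values; `legacyVerify`, `hardenedHash` and `verifyAndUpgrade` are names chosen here.

```php
<?php
// Added example, not from the original post. Reproduces the DES crypt
// truncation described in the answer, shows the password_hash() fix and
// a migration path. Sample passwords, salts and names are constructed.

// Traditional DES crypt: a 2-character salt selects this algorithm, and
// it only reads the first 8 characters of the password, so anything
// appended after those 8 characters is silently ignored.
function legacyVerify(string $password, string $storedHash): bool
{
    // hash_equals() avoids the timing leak of a plain == comparison.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Replacement: password_hash() defaults to bcrypt and stores algorithm,
// cost and salt inside the 60-character result (size the DB column for
// 255 characters so future algorithms fit). bcrypt itself stops at 72
// bytes of input, a far less troublesome limit than DES's 8.
function hardenedHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Migration: verify against whatever format is stored; when a legacy
// DES hash matches, replace it with a bcrypt hash in the same request
// (the caller persists the updated $storedHash).
function verifyAndUpgrade(string $password, string &$storedHash): bool
{
    if (strncmp($storedHash, '$2y$', 4) === 0) {
        if (!password_verify($password, $storedHash)) {
            return false;
        }
        if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => 12])) {
            $storedHash = hardenedHash($password);
        }
        return true;
    }
    if (!legacyVerify($password, $storedHash)) {
        return false;
    }
    $storedHash = hardenedHash($password);
    return true;
}

$legacy = crypt('correct1', 'ab');          // 13-character DES hash, 8-char limit
var_dump(legacyVerify('correct1Helloimasuffix', $legacy)); // suffix is ignored
var_dump(legacyVerify('wrongpw1', $legacy));

$stored = $legacy;
var_dump(verifyAndUpgrade('correct1', $stored));              // upgrades $stored to $2y$...
var_dump(password_verify('correct1Helloimasuffix', $stored)); // bcrypt sees the whole string
var_dump(password_verify('correct1', $stored));
```

Run with PHP 7.2 or later; the legacy check accepts the suffixed password, while the upgraded bcrypt hash only accepts the exact one.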
