So i have a small leak in my login script.
lets say we have a user "David" with the password "s3cret". If David logs in with s3cret, he is logged in, and everything works fine. If he logs in with "oijopij", the system won't give him access, as expected. However, If he tries to login with "s3cretHelloimasuffix", he is also logged in. This is the part where i create the hash with crypt:
$salt = //Some random salt string
$hash = crypt( $user->pass, $salt );
This hash is then inserted into the DB.
if ( crypt( $this->data->pass, $user->pass ) == $user->pass )
return true;
return false;
This is then the part that actually checks the password against the hash, both the password, and the hash are correct. But it still returns true even if there is a suffix beghind the password.
edit: i forgot the actual question: How do i fix this problem? As it could be seen as a security leak, even though in practice it isn't.