Auth user with postgresql

21 February 2012, 23:22, from Giuseppe T. [email protected]:

pwd = 1$Ln7ocLxd/.k
salt = 1$
PHP calculated and in python crypt.crypt('multilab', pwd[:2]) are correct

No, they are not, because PHP and Python are using invalid salts, despite the fact that they shouldn't. Each value in the 0-63 range is represented by a printable salt character in the "./0-9A-Za-z" range. You are using an invalid salt character ('$'), which the Postgresql crypt() function silently maps to value 0, which is represented by the character '.' in the salt, so your '1$2NVPu8Urs82' hash is actually the result of crypt('multilab', '1.'), but with the original invalid salt '1$' prepended.

According to the official PHP documentation, the PHP crypt() function
should fail if the salt contains at least one invalid character, but
it obviously doesn’t, so you should make sure to verify the salt
validity before calling the crypt() function.

If your users are likely to have usernames that contain characters
other than “./0-9A-Za-z”, then you should use the Postgresql function
gen_salt() instead of substr($user, 1, 2) when setting passwords:

postgres_query "UPDATE usertable SET pwd=crypt($pass, gen_salt('des')) WHERE user=$user";

Max
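An added example (my own code, not anything posted in the thread): a small Python validator for traditional DES crypt() salts that models the '$' to '.' mapping Max describes and refuses an invalid salt instead of hashing with a silently altered one. The stored hash value used below is the one quoted in the thread; the `crypt` module is treated as optional because it was removed from the Python standard library in 3.13.

```python
import secrets

try:
    import crypt  # deprecated since Python 3.11, removed in 3.13; optional here
except ImportError:
    crypt = None

# The 64 printable DES salt characters, listed in value order 0..63
# ('.' is 0, '/' is 1, '0' is 2, ... 'z' is 63).
DES_SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def des_salt_is_valid(salt):
    """True only for a 2-character salt drawn entirely from './0-9A-Za-z'."""
    return len(salt) == 2 and all(c in DES_SALT_ALPHABET for c in salt)


def effective_des_salt(salt):
    """Model of the lenient behaviour described in the thread: a character
    outside the alphabet is treated as value 0, i.e. '.', so '1$' hashes as '1.'."""
    return "".join(c if c in DES_SALT_ALPHABET else "." for c in salt[:2])


def salt_values(salt):
    """Decode each (effective) salt character to its 0-63 value."""
    return [DES_SALT_ALPHABET.index(c) for c in effective_des_salt(salt)]


def rebuild_with_effective_salt(stored_hash):
    """Given a stored hash whose first two characters are the salt as submitted,
    return the hash as it would read with the salt that was actually used."""
    return effective_des_salt(stored_hash[:2]) + stored_hash[2:]


def gen_des_salt():
    """Random 2-char DES salt; the role gen_salt('des') plays in PostgreSQL."""
    return "".join(secrets.choice(DES_SALT_ALPHABET) for _ in range(2))


def hash_with_checked_salt(password, salt):
    """Verify the salt before calling crypt(), as the thread recommends."""
    if not des_salt_is_valid(salt):
        raise ValueError("invalid DES salt %r (would silently become %r)"
                         % (salt, effective_des_salt(salt)))
    if crypt is None:
        raise RuntimeError("crypt module unavailable on this Python build")
    return crypt.crypt(password, salt)


if __name__ == "__main__":
    # Hash value quoted in the thread: the submitted salt '1$' was really '1.'.
    print(rebuild_with_effective_salt("1$2NVPu8Urs82"))  # 1.2NVPu8Urs82
```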

On Wed, Feb 22, 2012 at 9:03 AM, Max [email protected] wrote:

should fail if the salt contains at least one invalid character, but
it obviously doesn’t, so you should make sure to verify the salt
validity before calling the crypt() function.

If your users are likely to have usernames that contain characters
other than “./0-9A-Za-z”, then you should use the Postgresql function
gen_salt() instead of substr($user, 1, 2) when setting passwords:

postgres_query "UPDATE usertable SET pwd=crypt($pass, gen_salt('des')) WHERE user=$user";

Don’t forget that des password hashing is limited to 8 characters.
Anything beyond that is ignored.

$ echo '<?php echo crypt("12345678", "ad")."\n" ?>' | php
adBh37ptDUT2o
$ echo '<?php echo crypt("123456789", "ad")."\n" ?>' | php
adBh37ptDUT2o

It's better to use something more modern like bcrypt (gen_salt('bf', 8) in postgresql). If you want to hash it in php, import phpass[1] PasswordHash to get the gen_salt equivalent function since php doesn't seem to provide any.

[1] Portable PHP password hashing ("password encryption") framework


Hi all,

Thanks to everyone who helped me to solve the problem.
I tried with these three solutions and they worked perfectly.

PHP and Postgresql
$pass = crypt($password, '$1$');
UPDATE usertable SET pwd='$pass' WHERE user='$user';

Postgresql only
UPDATE usertable SET pwd=crypt('mypass', gen_salt('md5')) WHERE user='username';

Nginx
postgres_query "SELECT user FROM usertable WHERE user=$user AND pwd=crypt($pass, pwd)";

Best Regards

Giuseppe

2012/2/22 Edho A. [email protected]: