0

The PHP crypt function is returning different hashes on my local and production servers. On localhost the crypt hash validation is working fine, but on production it's not.

Local: PHP 5.4.4
Production: PHP 5.3.10-1ubuntu3.5

Code:

```php
echo crypt('123123123');
```

Local Example Response:

```
$1$7ymnm8q/$M6HLj2JEvzWGElqlwjAKm0
```

Production Example Response:

```
$6$sbttg2v6$2YAU3dNKR/.MRGmbBV4sR8vEhr/L8aOMTej1u3gArhgIiCiJ5IFJ
```

Luciano Nascimento
  • possible duplicate of [Crypt is different on server than on local machine](http://stackoverflow.com/questions/7058627/crypt-is-different-on-server-than-on-local-machine) –  Feb 24 '13 at 09:20

2 Answers

1

Citing from the PHP documentation on crypt():

> crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system.

So crypt() is not bound to a specific algorithm, but uses what the system supports.

You may use the following constants to see which are supported on the system where you are running crypt():

  • CRYPT_STD_DES
  • CRYPT_EXT_DES
  • CRYPT_MD5
  • CRYPT_BLOWFISH
  • CRYPT_SHA256
  • CRYPT_SHA512

If you look at the examples in the documentation, you'll see that your local code uses MD5 for encryption, while the production server uses SHA-512.

Furthermore you don't specify a specific salt, so PHP will generate one for you, which will also differ in each invocation of crypt().

Sirko
  • When I try to validate the password, using: `(crypt($form->password, $user->password) != $user->password)` on the server it always returns `false`. What should be the problem? – Luciano Nascimento Feb 24 '13 at 09:24
  • @LucianoNascimento `crypt()` is a one way function. So you can't decrypt that way. To compare two passwords, you would use something like `crypt( $db_pw, $salt ) == crypt( $entered_pw, $salt )`. – Sirko Feb 24 '13 at 09:29
0

The systems use different default hashing algorithms: `$1$` stands for MD5, `$6$` for SHA-512.

You should specify the algorithm explicitly using the salt parameter:

```php
crypt('123123123', '$6$somerandomstring');
```

See crypt() documentation:

> `salt`: An optional salt string to base the hashing on. If not provided, the behaviour is defined by the algorithm implementation and can lead to unexpected results.

Fabian Schmengler
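The prefix and support-constant checks from both answers can be combined into one diagnostic for a stored hash that will not verify on a given server. This is an added example, not code from either answer or from the PHP documentation: the helper names `crypt_scheme` and `check_crypt` are hypothetical, the digest lengths are those of the standard crypt(3) formats, and `hash_equals()` assumes PHP 5.6 or later.

```php
<?php
// Added example; crypt_scheme() and check_crypt() are hypothetical helper names.

// Identify the scheme from the hash prefix: [name, supported here?, digest length].
function crypt_scheme($stored)
{
    $schemes = array(
        '$1$'  => array('MD5',      CRYPT_MD5,      22),
        '$2a$' => array('Blowfish', CRYPT_BLOWFISH, 53), // 22-char salt + 31-char digest
        '$2y$' => array('Blowfish', CRYPT_BLOWFISH, 53),
        '$5$'  => array('SHA-256',  CRYPT_SHA256,   43),
        '$6$'  => array('SHA-512',  CRYPT_SHA512,   86),
    );
    foreach ($schemes as $prefix => $info) {
        if (strncmp($stored, $prefix, strlen($prefix)) === 0) {
            return $info;
        }
    }
    return null; // DES variants or an unrecognised/corrupted value
}

function check_crypt($password, $stored)
{
    $info = crypt_scheme($stored);
    if ($info === null) {
        return 'unknown-scheme';
    }
    list($name, $supported, $digestLen) = $info;
    if (!$supported) {
        return "unsupported-here ($name)";
    }
    // A stored value shorter than the scheme's full output can never match.
    $digest = substr($stored, strrpos($stored, '$') + 1);
    if (strlen($digest) !== $digestLen) {
        return "truncated ($name)";
    }
    // Passing the stored hash as the salt reuses its algorithm, cost and salt.
    return hash_equals($stored, (string) crypt($password, $stored)) ? 'match' : 'mismatch';
}

// The two sample values exactly as printed in the question above.
$samples = array(
    '$1$7ymnm8q/$M6HLj2JEvzWGElqlwjAKm0',
    '$6$sbttg2v6$2YAU3dNKR/.MRGmbBV4sR8vEhr/L8aOMTej1u3gArhgIiCiJ5IFJ',
);
foreach ($samples as $stored) {
    echo $stored, ' => ', check_crypt('123123123', $stored), PHP_EOL;
}
```

The second sample is reported as truncated because the value as printed in the question is shorter than a full SHA-512 crypt() digest; a stored hash cut short like that, for instance by a too-narrow database column, fails verification on every server.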