3

In my PHP application I use the PHP crypt() function, where my salt value is the first two characters of the username. I noticed that the function returns a different result on Windows and Linux. I also read on w3cschools that this function behaves differently on different operating systems. Is it possible to configure the PHP environment in order to obtain the same result on both operating systems? (Modifying the encryption mode is not an option.)

Madalina
  • w3cschools? Who? There are two organizations that you appear to be conflating. **The W3C** who publish most of the standards that the WWW depends on, and **W3Schools** who publish low quality, security hole ridden tutorials about things relating to the WWW. – Quentin Dec 15 '10 at 08:14
  • This is the article http://www.w3schools.com/php/func_string_crypt.asp – Madalina Dec 15 '10 at 08:16
  • @Madalina: **Never** trust or rely on W3Schools. – Shikiryu Dec 15 '10 at 08:19
  • W3Schools are decent for very, *very* basic introduction tutorials for beginners, but nothing more. Please don't confuse them with the W3C, even just in name (you wrote "w3cschools"). :) – deceze Dec 15 '10 at 08:22
  • @deceze — their PHP/MySQL tutorial is pages and pages of Little Bobby Tables. They aren't good enough to be tutorials for beginners because they open up *huge* security holes. – Quentin Dec 15 '10 at 19:13

2 Answers

3

crypt() uses whatever underlying hash function the OS uses, so if you want reliable (constant) results, you could use one of the other hash functions like md5() or sha256(), sha512().

If you want a particular hashing function to be used by crypt(), you have to specify the hash parameter accordingly and check whether the algorithm is supported on the host OS. For example (taken from the PHP Manual page for crypt()):

if (CRYPT_STD_DES == 1) {
    echo 'Standard DES: ' . crypt('rasmuslerdorf', 'rl') . "\n";
}

But it's very OS dependent, so I recommend you use a standalone hash function. Or hash().

Append:

With hash() you would first use hash_algos() to check which is the best hash supported and then use that as the first argument, like this:

<?php
$algos = hash_algos();
// Only hash with sha256 if this PHP build provides it.
if (in_array("sha256", $algos)) {
    $pass = hash("sha256", "userpassword" . "salt");
}
?>

Hope this helps.

mishmash
  • I was about to write almost the same thing. – Shikiryu Dec 15 '10 at 08:21
  • Thanks for your solution, but I was trying to avoid changing the encryption function because my application is an extension for an open source tool, so I was trying to avoid modifying the tool's source code. Here is the link to the encryption function that the tools uses: http://pve.proxmox.com/wiki/VTigerCRM#vTiger_CRM_v5.2.0_Password_Hashing – Madalina Dec 15 '10 at 08:45
  • "PHP now contains its own implementation for the MD5 crypt, Standard DES, Extended DES and the Blowfish algorithms and will use that /if the system lacks of support for one or more of the algorithms./" - read the text in between the slashes... – mishmash Dec 15 '10 at 10:21

0

It's hard to say without seeing the actual code, but this should not be the case assuming that the hash specified is supported by the underlying code. Prior to PHP 5.3, that was the OS code, but from 5.3 onwards, the hash is implemented within PHP.

The information provided by vanneto is a bit misleading. crypt expects the format of the salt to indicate the algorithm used, e.g. if you want blowfish then you'd provide a salt of:

$2a$xx$yyyyyyyyyyyyyyyyyyyyyy

Where xx indicates the number of repetitions and yyyy... is the actual salt in (22) base64 digits. The example provided by vanneto (2 letters) should use a single round of DES.

symcbean
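Both answers come down to the same point: the salt's prefix, not the host OS, selects the crypt() algorithm, and from PHP 5.3 on PHP carries its own implementations of DES, MD5-crypt, SHA-crypt and bcrypt. The block below is an added example, not code from the question, from either answer or from vTiger CRM. It builds a salt for each of the four prefixes (the two-character DES salt derived from the username as in the question, plus $1$, $5$ and $2y$), checks that crypt() accepted the salt, shows that re-hashing with the stored value reproduces it, and demonstrates the 8-byte password truncation of the question's DES scheme. It assumes PHP 7.0 or later (random_bytes(); the $2y$ prefix exists since PHP 5.3.7 and hash_equals() since 5.6). The username, password and the replacement of out-of-alphabet salt characters by '.' are this example's own choices.

```php
<?php
// Added example: not from the question, the answers, or vTiger CRM.
// The salt prefix selects the crypt() algorithm; from PHP 5.3 on, PHP ships
// its own implementations, so the same (password, salt) pair hashes the same
// on Windows and Linux. Assumes PHP >= 7.0 (random_bytes()).
declare(strict_types=1);

// Salt alphabet shared by the DES, MD5, SHA-256 and bcrypt crypt() variants.
const SALT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Two-character DES salt from the username, as the question describes.
// A character outside the salt alphabet (e.g. '@' or '_') is replaced by '.'
// so crypt() never receives a salt it would reject (this mapping is the
// example's choice, not the tool's).
function des_salt_from_username(string $username): string
{
    $salt = '';
    for ($i = 0; $i < 2; $i++) {
        $c = $username[$i] ?? '.';
        $salt .= strpos(SALT_ALPHABET, $c) === false ? '.' : $c;
    }
    return $salt;
}

// $n random characters from the 64-symbol salt alphabet (6 bits per byte).
function random_salt_chars(int $n): string
{
    $alphabet = SALT_ALPHABET;
    $out = '';
    foreach (str_split(random_bytes($n)) as $b) {
        $out .= $alphabet[ord($b) & 0x3f];
    }
    return $out;
}

// Full salt strings whose prefix pins the algorithm, independent of the OS.
function make_salt(string $algo, string $username): string
{
    switch ($algo) {
        case 'des':    return des_salt_from_username($username);
        case 'md5':    return '$1$' . random_salt_chars(8) . '$';
        case 'sha256': return '$5$rounds=5000$' . random_salt_chars(16) . '$';
        case 'bcrypt': return '$2y$10$' . random_salt_chars(22);   // $2y$: PHP >= 5.3.7
        default:       throw new InvalidArgumentException("unknown algorithm $algo");
    }
}

// The PHP manual documents that crypt() signals an unusable salt by returning
// a string shorter than 13 characters, so treat that as an error.
function hash_password(string $password, string $salt): string
{
    $hash = crypt($password, $salt);
    if (strlen($hash) < 13) {
        throw new RuntimeException("crypt() rejected salt '$salt'");
    }
    return $hash;
}

// The stored hash carries its own prefix and salt; compare in constant time.
function verify_password(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// --- demo with constructed data --------------------------------------------
$user     = 'madalina';      // constructed sample username
$password = 'correct horse'; // constructed sample password

foreach (['CRYPT_STD_DES', 'CRYPT_MD5', 'CRYPT_SHA256', 'CRYPT_BLOWFISH'] as $c) {
    printf("%-14s supported: %d\n", $c, constant($c));
}

foreach (['des', 'md5', 'sha256', 'bcrypt'] as $algo) {
    $salt = make_salt($algo, $user);
    $hash = hash_password($password, $salt);
    // Re-hashing with the stored value as the salt must reproduce it exactly.
    $stable = hash_password($password, $hash) === $hash;
    printf("%-7s %-60s stable=%d ok=%d bad=%d\n", $algo, $hash, $stable,
        verify_password($password, $hash), verify_password('wrong', $hash));
}

// Caveat for the question's scheme: standard DES crypt() uses only the first
// 8 bytes of the password, so any longer password with the same 8-byte prefix
// also verifies.
$desHash = hash_password($password, make_salt('des', $user));
var_dump(verify_password('correct horse battery staple', $desHash)); // bool(true)
```

The md5, sha256 and bcrypt lines print a different hash on each run because their salts are random; the stable flag shows that feeding the stored hash back in as the salt reproduces it, which is all that password verification needs and which holds on either OS once PHP's own implementation is in use. The final var_dump is the reason to move off the two-character DES salt where the tool allows it: the salt space is only 4096 values and passwords are cut to 8 bytes. For new code, password_hash() and password_verify() (PHP 5.5 and later) produce and check bcrypt with a generated salt and are the simpler route; crypt() is used directly here because the question is about crypt() output.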