
PHP: issues managing the password, what is wrong?



  Hi people, I am doing a web interface that will request a username +
password; like SquirrelMail, I will contact my LDAP server. This app
will run on CentOS 5.3, PHP 5.3; this will be where my web pages will
be. The LDAP server is running on Gentoo with ldap 2.3.43.

  My current problem is with the password. I have found a small app that
wants to compare the input of the password vs the LDAP password; this
will let us identify the user.

  Well, searching around, I found the crypt function, but there is a
thing that I don't like about it:

"The standard DES-based encryption crypt() returns the salt as the
first two characters of the output. It also only uses the first eight
characters of str , so longer strings that start with the same eight
characters will generate the same result (when the same salt is used)"

 How can I deal with this note: 8 characters only?

  Some users have more than that. This is my code:

<?php
// pla_error() and _() are phpLDAPadmin helpers this snippet was lifted from;
// minimal fallbacks so the code runs stand-alone.
if (!function_exists('pla_error')) {
    function pla_error($msg) { throw new Exception($msg); }
}
if (!function_exists('_')) {
    function _($s) { return $s; }
}

// Sample userPassword value as stored in the LDAP entry (standard DES crypt).
$cryptedpassword = '{crypt}74boAULE9gF5.';

// Returns true when $plainpassword hashes to the stored {crypt} value.
function check_crypt_password($cryptedpassword, $plainpassword) {
    // Strip the "{scheme}" prefix; $_cypher keeps the scheme name (unused below).
    if (preg_match("/^{([^}]+)}(.*)/", $cryptedpassword, $cypher)) {
        $cryptedpassword = $cypher[2];
        $_cypher = strtolower($cypher[1]);
    } else {
        $_cypher = NULL;
    }

    if (preg_match('/^\$2[axy]?\$/', $cryptedpassword)) {
        // Blowfish: "$2a$" + cost + "$" + 22-char salt + hash.
        // Make sure that the web server supports blowfish crypt.
        if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0)
            pla_error(_('Your system crypt library does not support blowfish encryption.'));

        list(, $version, $rounds, $salt_hash) = explode('$', $cryptedpassword);

        return crypt($plainpassword, '$' . $version . '$' . $rounds . '$' . $salt_hash) == $cryptedpassword;
    }
    elseif (strpos($cryptedpassword, '$1$') === 0) {
        // md5crypt: "$1$" + salt + "$" + hash (prefix check, not substring search).
        if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0)
            pla_error(_('Your system crypt library does not support md5crypt encryption.'));

        list(, $type, $salt, $hash) = explode('$', $cryptedpassword);

        return crypt($plainpassword, '$1$' . $salt) == $cryptedpassword;
    }
    elseif (substr($cryptedpassword, 0, 1) == '_') {
        // Extended DES: "_" + 4 rounds chars + 4 salt chars + hash.
        if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0)
            pla_error(_('Your system crypt library does not support extended DES encryption.'));

        // The stored hash is passed as the salt; crypt() reads only the part it needs.
        return crypt($plainpassword, $cryptedpassword) == $cryptedpassword;
    }
    else {
        // Standard DES: 2-char salt + 11-char hash; only the first 8
        // characters of $plainpassword are used.
        return crypt($plainpassword, $cryptedpassword) == $cryptedpassword;
    }
}

  The issue is the 8-character limitation: even if I have a password
of 10 characters, the function will just take 8. How can I deal with
this issue?

  Thanks for your time, my friends!!!

-- 
Living the dream...
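Added example (editor's addition, not code from the original post or from phpLDAPadmin): the 8-character limit is a property of the standard DES crypt algorithm itself, and a value like {crypt}74boAULE9gF5. (13 characters, no "$" prefix) is exactly that scheme, so the verifier can never see more than 8 characters for such entries. The fix is on the storage side: have slapd hash new passwords with a scheme that does not truncate (its default is {SSHA}; with password-hash {CRYPT}, the crypt-salt-format directive selects an md5crypt/SHA-crypt variant). The code below verifies any {crypt} value by passing the whole stored hash to crypt() as its salt, which works for every scheme and removes the per-scheme explode() logic, and demonstrates the truncation with constructed sample passwords. ct_equals, crypt_scheme and verify_userpassword are names chosen here; ct_equals is a fallback for hash_equals(), which only exists from PHP 5.6. Requires PHP >= 5.3 (SHA-256/512 crypt needs >= 5.3.2).

```php
<?php
// Added example: verify an RFC 2307-style userPassword value with crypt()
// and show why the DES variant stops at 8 characters. Sample hashes are
// generated in place for this demonstration.

// Constant-time comparison; hash_equals() is PHP 5.6+, so fall back on 5.3.
function ct_equals($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Name the crypt(3) scheme from the hash prefix/shape.
function crypt_scheme($hash) {
    if (preg_match('/^\$2[axy]?\$/', $hash))      return 'blowfish';
    if (strpos($hash, '$1$') === 0)               return 'md5crypt';
    if (strpos($hash, '$5$') === 0)               return 'sha256crypt';
    if (strpos($hash, '$6$') === 0)               return 'sha512crypt';
    if (strlen($hash) === 20 && $hash[0] === '_') return 'extdes';
    if (strlen($hash) === 13)                     return 'stddes'; // 2-char salt + 11-char hash
    return 'unknown';
}

// crypt() reads only the salt portion it needs from its second argument,
// so passing the whole stored hash as the salt works for every scheme.
function verify_userpassword($stored, $plain) {
    if (!preg_match('/^\{([^}]+)\}(.*)$/s', $stored, $m)) {
        return false;                      // no {scheme} prefix: refuse
    }
    if (strtolower($m[1]) !== 'crypt') {
        return false;                      // {SSHA}, {MD5}, ... are not handled here
    }
    $hash = $m[2];
    if (crypt_scheme($hash) === 'unknown') {
        return false;
    }
    $computed = crypt($plain, $hash);
    if (strlen($computed) < 13) {
        return false;                      // crypt() signals failure with a short "*0"/"*1" string
    }
    return ct_equals($computed, $hash);
}

// True when two passwords sharing their first 8 characters collide under $salt.
function des_truncates($salt) {
    return crypt('password10', $salt) === crypt('password99', $salt);
}

$des_salt = 'ab';             // standard DES: 2-character salt
$md5_salt = '$1$abcdefgh$';   // md5crypt: "$1$" + up to 8 salt chars + "$"
var_dump(des_truncates($des_salt));
var_dump(des_truncates($md5_salt));

// Round trip against a freshly generated stored value of each kind.
$stored_des = '{crypt}' . crypt('password10', $des_salt);
$stored_md5 = '{crypt}' . crypt('password10', $md5_salt);
var_dump(verify_userpassword($stored_des, 'password10'));
var_dump(verify_userpassword($stored_des, 'password99'));   // the 8-character problem
var_dump(verify_userpassword($stored_md5, 'password10'));
var_dump(verify_userpassword($stored_md5, 'password99'));
```

Because "password10" and "password99" share their first 8 characters, the DES-salted pair collides and the {crypt} DES entry accepts both, while the md5crypt entry accepts only the real password. Note that verify_userpassword() deliberately refuses values without a {scheme} prefix and schemes it does not recognise, and compares in constant time; a plain == against an attacker-controlled input is what the posted snippet does.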