Protecting user names and passwords, not to mention financial or other personal information, can be a difficult job for any webmaster. Unfortunately there are an awful lot of people out there with nothing better to do than break into your system and steal information, or just wreak havok. One of the tools of the trade for information protection is encryption. There is a built-in function of the PHP language called crypt() which is easy to use and can help you secure information you want to protect.

Crypt is a one-way encryption function. You may wonder then, "What good is it if I can't decrypt what I have encrypted?" The answer is simple. In PHP, crypt can be used to confirm that, for example, an entered password matches a stored encrypted one.

Here is how it works: crypt accepts two arguments and returns an encrypted string. The first argument is the string you wish to encrypt. Use the trim function to ensure that whitespace on either side of the string is stripped away, just to make everything cleaner. The second argument is the encryption "salt," which is a string that is used on which to base the encryption. This is an optional parameter that, if not supplied, will be randomly generated by the function. Here is an example:

$crypted_pass = crypt($password);

The variable Crypted_pass can now be stored in a database or flat file. If you use the encrypted password for the salt argument and use it to encrypt the correct password, entered from a login form for instance, the two encrypted versions will match as below.

//$pass_entered_from_login is the user entered password
//$crypted_pass is the encrypted password from the
//database or file
if(crypt($pass_entered_from_login,$crypted_pass)) == $crypted_pass)
{
   echo("Welcome to my web site.")
}

You are encrypting it in the same way that you did when it was entered and stored in the database. The difference is that this time you are using the stored encrypted version as the salt. If the correct password was entered then the two encrypted versions will match; the user is welcomed and can proceed.

This allows you to confirm the password without decrypting it, since all you really need to know is if it matches the user's input. You can use this for any information that is short (8 charaters on some systems) and needs to be confirmed but not decrypted. User information like passwords are the most common target for this function.

Crypt uses standard MD5 encryption but can also use DES or other encryption as available. Information on the types of encryption that is available on your system can be viewed through constants set in PHP. Check for which encryption is supported by using the following code.

echo("DES is " . CRYPT_STD_DES."<br>Extended DES is ".
CRYPT_EXT_DES."<br>MD5 is "CRYPT_MD5.
"<br>BlowFish is ".CRYPT_BLOWFISH");

The result will look something like this:

DES is 1
Extended DES is 1
MD5 is 1
BlowFish is 0

If any of these is "0" then it is not supported. Each of these algorithms use a different salt. MD5 uses 12 characters, DES uses 2. Also beware that some operating systems truncate a string that is larger than 8 characters before encrypting it. You should test this in your comparison script on the system that you intend to use it just in case. You can also check CRYPT_SALT_LENGTH to determine the default salt length. It may be 2 or 12 depending on the encryption that is used.

It is not recommended that you use an automatically generated salt if you will be calling crypt repeatedly, such as in a loop. The same salt will be used, which will compromise security.