
Using the PHP Crypt Function

The PHP crypt function is a one-way encryption function that lets you confirm that an entered password matches a stored encrypted one -- without having to decrypt anything. Chris Root explains how it works.

  1. Using the PHP Crypt Function
  2. A Practical Example
  3. Login
  4. A Few Words About Storage and Security
By: Chris Root
January 17, 2005




Protecting user names and passwords, not to mention financial or other personal information, can be a difficult job for any webmaster. Unfortunately there are an awful lot of people out there with nothing better to do than break into your system and steal information, or just wreak havoc. One of the tools of the trade for information protection is encryption. PHP has a built-in function called crypt() which is easy to use and can help you secure information you want to protect.

Crypt is a one-way encryption function. You may wonder then, "What good is it if I can't decrypt what I have encrypted?" The answer is simple. In PHP, crypt can be used to confirm that, for example, an entered password matches a stored encrypted one.

Here is how it works: crypt accepts two arguments and returns an encrypted string. The first argument is the string you wish to encrypt. Use the trim function to ensure that whitespace on either side of the string is stripped away, just to make everything cleaner. The second argument is the encryption "salt," a string on which the encryption is based. This is an optional parameter that, if not supplied, will be randomly generated by the function. Here is an example:

$crypted_pass = crypt($password);

The variable $crypted_pass can now be stored in a database or flat file. If you pass the stored encrypted password as the salt argument when encrypting the password entered from a login form, the two encrypted versions will match when the password is correct, as below.

// $pass_entered_from_login is the password the user entered
// $crypted_pass is the encrypted password from the
// database or file
if (crypt($pass_entered_from_login, $crypted_pass) == $crypted_pass)
   echo("Welcome to my web site.");

You are encrypting it in the same way that you did when it was entered and stored in the database. The difference is that this time you are using the stored encrypted version as the salt. If the correct password was entered then the two encrypted versions will match; the user is welcomed and can proceed.
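The full round trip described above, written out as an added example (this is not code from the original article): a registration step that hashes the password with an explicitly generated MD5-crypt salt, and a login step that feeds the stored hash back in as the salt and compares the two strings. It assumes PHP 7.0 or later for random_bytes() and hash_equals(); the salt format is the MD5 one the article describes ("$1$" followed by 8 salt characters, 12 characters in all).

```php
<?php
// Added example, not part of the original article. Assumes PHP 7.0+.

// Build a fresh MD5-crypt salt: "$1$" plus 8 characters from the
// crypt() salt alphabet [./0-9A-Za-z]. Six random bytes encode to exactly
// eight base64 characters; '+' is not in the alphabet, so swap it for '.'.
function make_md5_salt(): string
{
    return '$1$' . strtr(base64_encode(random_bytes(6)), '+', '.');
}

// Registration: hash the trimmed password once and keep only the hash.
// crypt() signals failure with a short string such as "*0", so anything
// shorter than 13 characters means no usable hash was produced.
function store_password(string $password): string
{
    $hash = crypt(trim($password), make_md5_salt());
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() did not produce a hash');
    }
    return $hash;
}

// Login: re-run crypt() with the stored hash as the salt (crypt() reads the
// "$1$xxxxxxxx$" prefix and ignores the rest), then compare in constant time.
// hash_equals() avoids leaking, through timing, how many leading characters
// of the candidate matched the stored hash.
function check_password(string $entered, string $stored_hash): bool
{
    $candidate = crypt(trim($entered), $stored_hash);
    return hash_equals($stored_hash, $candidate);
}

// Demonstration with a constructed password; nothing here touches a database.
$stored = store_password('correct horse');
echo "Stored hash: $stored\n";
var_dump(check_password('correct horse', $stored));       // same password
var_dump(check_password('wrong horse', $stored));         // different password
var_dump(check_password('  correct horse  ', $stored));   // surrounding whitespace is trimmed on both sides
```

Only the hash is ever written to storage; the salt travels inside it, which is why the verification step needs nothing beyond the stored string and the user's input.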

This allows you to confirm the password without decrypting it, since all you really need to know is whether it matches the user's input. You can use this for any information that is short (8 characters on some systems) and needs to be confirmed but not decrypted. User information such as passwords is the most common target for this function.

Crypt uses standard MD5 encryption but can also use DES or other encryption as available. Information on the types of encryption that are available on your system can be viewed through constants set in PHP. Check which encryption is supported by using the following code.

echo("DES is " . CRYPT_STD_DES . "<br>Extended DES is " . CRYPT_EXT_DES .
     "<br>MD5 is " . CRYPT_MD5 . "<br>BlowFish is " . CRYPT_BLOWFISH);

The result will look something like this:

DES is 1
Extended DES is 1
MD5 is 1
BlowFish is 0

If any of these is "0" then it is not supported. Each of these algorithms uses a different salt. MD5 uses 12 characters, DES uses 2. Also beware that some operating systems truncate a string that is longer than 8 characters before encrypting it. You should test this in your comparison script on the system on which you intend to use it, just in case. You can also check CRYPT_SALT_LENGTH to determine the default salt length. It may be 2 or 12 depending on the encryption that is used.

It is not recommended that you use an automatically generated salt if you will be calling crypt repeatedly, such as in a loop. The same salt will be used, which will compromise security.
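To make the two preceding points concrete, here is an added example (not from the original article) that reports which algorithms the running PHP supports, builds an explicit salt in the format each algorithm expects, and hashes one password several times in a loop with a fresh salt on every iteration so that no salt is reused. The salt formats assumed are the standard ones: 2 characters for DES, "$1$" plus 8 characters for MD5, and "$2y$" plus a two-digit cost and 22 characters for Blowfish; Extended DES is reported but no salt builder is given for it. It assumes PHP 7.0 or later.

```php
<?php
// Added example, not part of the original article. Assumes PHP 7.0+.

// Availability flags exposed by PHP for each crypt() algorithm (1 = supported).
function crypt_support(): array
{
    return [
        'DES'          => CRYPT_STD_DES,
        'Extended DES' => CRYPT_EXT_DES,
        'MD5'          => CRYPT_MD5,
        'Blowfish'     => CRYPT_BLOWFISH,
    ];
}

// $length random characters from the crypt() salt alphabet [./0-9A-Za-z]:
// base64 of $length bytes is always at least $length characters long, so
// swap '+' for '.' and cut to size (any '=' padding sits past the cut).
function salt_chars(int $length): string
{
    return substr(strtr(base64_encode(random_bytes($length)), '+', '.'), 0, $length);
}

// Build a salt in the format the chosen algorithm expects.
function make_salt(string $algo, int $cost = 10): string
{
    switch ($algo) {
        case 'DES':      return salt_chars(2);
        case 'MD5':      return '$1$' . salt_chars(8);
        case 'Blowfish': return sprintf('$2y$%02d$', $cost) . salt_chars(22);
        default:
            throw new InvalidArgumentException("no salt builder for $algo");
    }
}

foreach (crypt_support() as $name => $flag) {
    echo "$name is $flag\n";
}
echo "Default salt length: " . CRYPT_SALT_LENGTH . "\n";

// Hashing the same password several times with a fresh salt each time yields
// different strings. Reusing one salt would yield identical strings, which is
// the situation the article warns about for repeated calls in a loop.
$hashes = [];
for ($i = 0; $i < 3; $i++) {
    $hashes[] = crypt('same password', make_salt('MD5'));
}
echo "Distinct hashes from 3 runs: " . count(array_unique($hashes)) . "\n";

// Each stored hash still verifies on its own, because it carries its salt.
foreach ($hashes as $h) {
    var_dump(hash_equals($h, crypt('same password', $h)));
}
```

Pick the algorithm whose flag is 1 on the target system and generate the salt yourself with the matching length; that keeps every stored hash independent of the others even when they are produced in a single run.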
