I'm trying to write a little password encryption tool (mostly as a learning experience - but I may end up using it too ). And the encryption and decryption functions I wrote seem to work just fine (see crypt_test.php below). But, for some reason when I try to decrypt a result from a MySql database it doesn't seem to work (see db.php below). Not sure if it's some sort of weird data type issue? Or something else entirely. Code is below... maybe somebody can point me in the right direction. :/
Edit: Seems the encryption function creates a whole different string each execution, which is why the test worked but the db stuff doesn't. Guessing it has something to do with MCRYPT_RAND... help still appreciated though.
Thanks ahead of time.
crypt.php
<?php function encrypt($s) { $key = pack('H*', "-"); //took out keys for forum post $key_size = strlen($key); $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); $s_utf8 = utf8_encode($s); $cipher = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $s_utf8, MCRYPT_MODE_CBC, $iv); $cipher = $iv . $cipher; $cipher_base64 = base64_encode($cipher); return $cipher_base64; } function decrypt($s) { $key = pack('H*', "-"); //took out keys for forum post $key_size = strlen($key); $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); $cipher_dec = base64_decode($s); $iv_dec = substr($cipher_dec, 0, $iv_size); $cipher_dec = substr($cipher_dec, $iv_size); $decipher_utf8 = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $cipher_dec, MCRYPT_MODE_CBC, $iv_dec); $decipher_utf8 = str_replace("0", "", $decipher_utf8); return $decipher_utf8; }?>
crypt_test.php
<?php include('crypt.php'); $p = "password"; $c = encrypt($p); $d = decrypt($c); echo $p.'<br />'; echo $c.'<br />'; echo $d.'<br />'; //works just fine?>
db.php
<?php include_once('crypt.php'); function connect() { $con = mysql_connect('-', '-', '-'); if(!$con) die('Could not connect: ' . mysql_error()); mysql_select_db('-', $con); } function login($user, $pass) { connect(); $user = mysql_real_escape_string($user); $pass = mysql_real_escape_string($pass); $sql = "SELECT uid, password FROM Accounts WHERE username='$user'"; $result = mysql_query($sql); if($row = mysql_fetch_array($result)) { echo $pass . " : "; echo $row['password'] . " : "; echo decrypt($row['password']); //garbled nonsense if($pass == decrypt($row['password'])) return $row['uid']; } return -1; } function register($user, $pass, $email) { connect(); $user = mysql_real_escape_string($user); $pass = mysql_real_escape_string($pass); $pass = encrypt($pass); $email = mysql_real_escape_string($email); $sql = "INSERT INTO Accounts (username, password, email) VALUES ('$user', '$pass', '$email')"; mysql_query($sql); }?>