
comparing variables


Renegade605


so i have this webpage that's supposed to be access to a database of members. i've stored all the user accounts in external text files that look like this:

```
HASH
admin
```
the hash is an encrypted password. the 'admin' is the level of access.

i have a code that's supposed to compare the password you put in the form with the decrypted password from the file, and if they're the same, it lets you into the database. but when i type in the password that matches the one in the file, even if they're the same it doesn't let me in.

i added a part where it would show me the two things and then the variable that is whether or not they're the same, see below.

the code is here:
```php
<?php
    session_start();
    echo "<div class='invisible'>";
    if (isset($_REQUEST['username']))
    {
        $userfile = fopen("external/users/" . $_REQUEST['username'] . ".txt","r");
        $HASH = fgets($userfile);
        $HASH = /* DECRYPT CODE PASSWORD */
        $_SESSION['loginname'] = fgets($userfile);
        if (!$userfile) $_SESSION['loginname'] = "ERROR";
        fclose($userfile);

        $_SESSION['username'] = $_REQUEST['username'];
        $_SESSION['password'] = $_REQUEST['password'];

        if ($_SESSION['password'] == $HASH)
        {
            $_SESSION['access'] = true;
        }
        else $_SESSION['access'] = false;
    }
    echo "</div>";
?>
<html><body>
<?php echo $HASH . " " . $_SESSION['password'] . " " . ($_SESSION['password'] == $HASH); ?>
</body></html>
```

when you first load the page (before you enter a username and password) it displays this: " 1" (no passwords, which are obviously equal)

after you enter a password, it displays: "1234 1234 " (so the comparison isn't returning any value?)

what gives?


Use var_dump on them. One of them might have extra spaces or something. It also might be a better idea to hash the entered password and compare the hashes instead of decrypting the encrypted one (technically, a hash is one-way, it is not decryptable).

```php
var_dump($HASH);
```


It appears that the var_dump() function is just erasing the variable value. You can connect now, but you can always connect, no matter what password you send through the form.

I also described the problem wrong, reread the first post pls.

Finally, how would you encrypt a password in a way that can't be reversed? As far as I can think, anything you do to a string can be reversed with the opposite functions.


var_dump doesn't modify anything, it prints the data type and the value. If it's not printing a value then the variable doesn't have a value. I suggested using it because you might see that one of them is a 5-character string with a space on the end and the other is a 4-character string, var_dump will report the length of it as well as the type. e.g. `var_dump("test");` would print something like `string(4) "test"`.

SHA-1 and MD5 are two examples of one-way hash functions. MD5 is old and has several attacks against it, SHA-1 is newer but even so has a few published attacks, but is still good for almost all internet application uses. If you work for the CIA or NSA or something you might want to use SHA-256 or SHA-512 or something, I don't think we have computers powerful enough to attack those yet, it would take too long. MD5 produces a 128-bit hash and SHA-1 produces a 160-bit hash (40 characters).


> Finally, how would you encrypt a password in a way that can't be reversed? As far as I can think, anything you do to a string can be reversed with the opposite functions.

Just for kicks. Say your password is "zow." Not a good one, but good for demonstration.

Simply take the ASCII value of each character: 122, 111, 119. Add those together. Your hash = 352.

Now try to pull it apart. You know the hash is the sum of all the ASCII values. But you could arrive at 352 with different characters, same characters in a different order, or by having a different number of characters. You'd never know for sure which one was correct. So a functionally irreversible encryption is actually quite easy.

Sadly, this simple algorithm still lets brute force match the hash quite easily. So it's not good for security. To get a good one, you have to complicate the algorithm a lot. And you'd have to be able to prove that multiple passwords would not create the same hash.

But the general principle, called digesting, is not hard.
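The sum-of-ASCII digest described in the post above, as an added example that is not part of the thread; `toy_digest()` and `toy_collisions()` are hypothetical names. It enumerates every three-letter lowercase string that shares the digest of "zow" and then contrasts the toy digest with SHA-256 for an anagram of the same password.

```php
<?php
// Added example: the toy "sum of ASCII values" digest from the thread.
// Function names are hypothetical; inputs are constructed for illustration.

function toy_digest(string $s): int
{
    $sum = 0;
    foreach (str_split($s) as $ch) {
        $sum += ord($ch);
    }
    return $sum;
}

// Every three-letter lowercase string whose toy digest equals $target.
// Two letters are chosen freely; the third is forced by the remaining sum.
function toy_collisions(int $target): array
{
    $hits = [];
    foreach (range('a', 'z') as $a) {
        foreach (range('a', 'z') as $b) {
            $c = $target - ord($a) - ord($b);
            if ($c >= ord('a') && $c <= ord('z')) {
                $hits[] = $a . $b . chr($c);
            }
        }
    }
    return $hits;
}

$target = toy_digest('zow');
$hits   = toy_collisions($target);
printf("toy_digest(zow) = %d, shared by %d three-letter strings, e.g. %s\n",
    $target, count($hits), implode(' ', array_slice($hits, 0, 5)));

// Any anagram collides under the toy digest; a cryptographic hash
// gives unrelated outputs for the same two inputs.
foreach (['zow', 'woz'] as $pw) {
    printf("%s  toy=%d  sha256=%s\n", $pw, toy_digest($pw), hash('sha256', $pw));
}
```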

> And you'd have to be able to prove that multiple passwords would not create the same hash.

That's something you can never prove, with any hash. That's a fundamental thing about hashing, the hash space is a finite space but the source space is infinite. There are going to be several things that map to the same hash, but larger hashes make it very difficult to find a collision in a reasonable time frame. With SHA-1, a 160-bit hash, there are 1.461e+48 different combinations (give or take several quadrillion). So there are only that many possible hashes that SHA-1 can produce, but there are an infinite number of things that can be hashed. You can hash "A", and that will produce one hash, "AA" will produce another, "AAA" another, etc. You can hash a 2GB string and get a 160-bit hash. So there are an infinite number of things to hash and a finite number of hashes, so collisions are bound to happen.

You can't ever prove that a hash won't have collisions, only that the average time required to find a collision is impractically high. For example, to find a collision for a given SHA-1 hash, where a brute force attack (trying every combination) might take up to 2^80 operations, one research team has found an algorithm that is guaranteed to produce a collision within 2^35 operations, which is 34,359,738,368. That's something that some computers today can handle within a few hours. Algorithms like SHA-256 or SHA-512 just produce a larger hash that takes a lot more (exponential) time to find a collision, where it would take a modern supercomputer several decades.

> it displays: "1234 1234 " (so the comparison isn't returning any value?

I've just been playing around with this, and a "nothing" is what you end up with in this situation when the comparison is false.

BTW, fgets() returns newline characters. I don't know if this is your problem or not, but it seems to me if you want to unencrypt something, you'd use trim() to get rid of any leading or trailing whitespace first.

Consider:

```php
$A = "hello\x0D";
$B = "hello";
echo $A . " " . $B . " " . ($A == $B);
```

what you see in the browser is:

```
hello hello
```

x0D = CR, commonly used as all or part of a newline delimiter. You can't see it in the browser (though you can in view source) but it's there, and our comparison returns false.
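Added example, not part of any post in this thread: one way to combine the two suggestions made above (store a one-way hash and verify against it, and strip the line ending that fgets() leaves on each value). It uses PHP's built-in password_hash() and password_verify() rather than bare SHA-1; the function names `create_user()` and `check_login()`, the temporary directory and the sample account are assumptions, and the two-line file layout follows the first post.

```php
<?php
// Added example. The two-line file layout (hash, then access level) follows
// the thread; function names and the temp directory are hypothetical.

function create_user(string $dir, string $user, string $password, string $level): void
{
    // password_hash() salts and stretches; the stored value cannot be decrypted.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    file_put_contents("$dir/$user.txt", $hash . "\n" . $level . "\n");
}

// Returns the access level on success, null on any failure.
function check_login(string $dir, string $user, string $password): ?string
{
    // Allow-list the name so it cannot point outside the users directory.
    // \z (not $) so a trailing newline in the name is rejected as well.
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $user)) {
        return null;
    }
    $fh = @fopen("$dir/$user.txt", 'r');
    if ($fh === false) {            // check the handle before reading from it
        return null;
    }
    $hash  = fgets($fh);
    $level = fgets($fh);
    fclose($fh);
    if ($hash === false || $level === false) {
        return null;
    }
    // fgets() keeps the line ending; strip it before using either value.
    $hash  = rtrim($hash, "\r\n");
    $level = rtrim($level, "\r\n");

    return password_verify($password, $hash) ? $level : null;
}

// Constructed demo data in a throwaway directory.
$dir = sys_get_temp_dir() . '/users_' . bin2hex(random_bytes(4));
mkdir($dir);
create_user($dir, 'alice', '1234', 'admin');

$fh  = fopen("$dir/alice.txt", 'r');
$raw = fgets($fh);
fclose($fh);
var_dump($raw === rtrim($raw, "\r\n"));           // untrimmed line vs. trimmed line
var_dump(check_login($dir, 'alice', '1234'));     // matching password
var_dump(check_login($dir, 'alice', 'wrong'));    // non-matching password
var_dump(check_login($dir, '../alice', '1234'));  // name outside the allow-list
```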

> var_dump doesn't modify anything, it prints the data type and the value. If it's not printing a value then the variable doesn't have a value. I suggested using it because you might see that one of them is a 5-character string with a space on the end and the other is a 4-character string, var_dump will report the length of it as well as the type. e.g. `var_dump("test");` would print something like `string(4) "test"`.
>
> SHA-1 and MD5 are two examples of one-way hash functions. MD5 is old and has several attacks against it, SHA-1 is newer but even so has a few published attacks, but is still good for almost all internet application uses. If you work for the CIA or NSA or something you might want to use SHA-256 or SHA-512 or something, I don't think we have computers powerful enough to attack those yet, it would take too long. MD5 produces a 128-bit hash and SHA-1 produces a 160-bit hash (40 characters).

Ah, I misunderstood the var_dump() function. I was typing "$HASH = var_dump($HASH);" which wiped the variable because--obviously--var_dump() does not return any value.

So how would I get my hands on this SHA-1 algorithm? Is there some website where I can download a script? Or...?

> I've just been playing around with this, and a "nothing" is what you end up with in this situation when the comparison is false.
>
> BTW, fgets() returns newline characters. I don't know if this is your problem or not, but it seems to me if you want to unencrypt something, you'd use trim() to get rid of any leading or trailing whitespace first.
>
> Consider:
>
> ```php
> $A = "hello\x0D";
> $B = "hello";
> echo $A . " " . $B . " " . ($A == $B);
> ```
>
> what you see in the browser is:
>
> ```
> hello hello
> ```
>
> x0D = CR, commonly used as all or part of a newline delimiter. You can't see it in the browser (though you can in view source) but it's there, and our comparison returns false.

Ah, that explains this. I suppose justsomeguy had the same thought and I just implemented his solution wrong. Anyway, thanks for your help guys; I'm going to go try this out now and see if I can get it working.

Archived

This topic is now archived and is closed to further replies.
