I just discovered that my password-protected area is not that protected. Passwords are required to use digits. Now, if the password has the digits at the end, somehow the login is accepted as long as the a-z part of the password is correct. Why is that and how can I correct that? (PHP 5.4.28)
function generate_hash($password)
{
$salt = openssl_random_pseudo_bytes(22);
$salt = '$2a$%13$' . strtr($salt, array('_' => '.', '~' => '/'));
return crypt($password, $salt);
}
$bind = array(":email" => $email, ":password" => crypt($password, generate_hash($password) ) );
$results = $db->select("users", 'email=:email AND password=:password', $bind);
I don't know about the specifics of your problem, but you're using the hash completely wrong. To use crypt, you do the following:

On registration:
Generate a $salt argument in a proper format: $2a$xx$... (note: no %, that may contribute to the problem), then crypt($password, $salt)

On login:
crypt($enteredPassword, $databaseHash)

You're not doing that at all. You should probably also use password_hash instead, which takes care of a lot of pitfalls in the usage of the raw crypt API.
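The registration and login sequence the answer describes, as an added example written for this page; it is not the asker's or the answerer's code, and the helper names (make_bcrypt_salt, register_hash, same_string, login_check) and the sample password are this example's own. It uses the $2y$ bcrypt identifier, which PHP has accepted since 5.3.7 and which is the variant to prefer over $2a$. password_hash() and password_verify() only exist from PHP 5.5.0, so that part runs only where the runtime has them. The length check after crypt() matters on PHP 5.3.7 and later: when crypt() is handed a bcrypt salt it cannot parse it returns the two-character failure marker "*0" rather than a hash, and a value like that must never be stored or compared as if it were one.

```php
<?php
// Added example, not code from the question or the answer: the register /
// login pattern the answer describes, done with crypt() as on PHP 5.4, plus
// the password_hash() form for PHP >= 5.5. Helper names are this example's own.

// Build a bcrypt salt for crypt(): "$2y$" + two-digit cost + "$" + 22 chars
// drawn from ./A-Za-z0-9. Nothing else (no "%", no raw bytes) may appear here.
function make_bcrypt_salt($cost = 12)
{
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || $strong !== true) {
        throw new RuntimeException('no cryptographically strong randomness available');
    }
    // base64 yields A-Za-z0-9+/ ; bcrypt's alphabet is ./A-Za-z0-9, so map "+" to "."
    $encoded = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $encoded);
}

// Registration: hash once with a fresh salt and store the whole 60-char result.
function register_hash($password)
{
    $hash = crypt($password, make_bcrypt_salt());
    // A bcrypt hash is exactly 60 chars. A malformed salt makes crypt() return
    // the failure marker "*0" / "*1" instead; refuse to store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Constant-time string comparison (hash_equals() exists only from PHP 5.6).
function same_string($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Login: the stored hash carries its own salt and cost, so it is passed as the
// salt and the result is compared with the stored hash. No new salt is made here.
function login_check($enteredPassword, $storedHash)
{
    return same_string(crypt($enteredPassword, $storedHash), $storedHash);
}

// Constructed demo values: one correct password, two near misses.
$stored = register_hash('correct-horse42');
var_dump(login_check('correct-horse42', $stored));
var_dump(login_check('correct-horse', $stored));
var_dump(login_check('correct-horse43', $stored));

// PHP >= 5.5: the same two steps with the salt, cost and format handled by the runtime.
if (function_exists('password_hash')) {
    $stored2 = password_hash('correct-horse42', PASSWORD_BCRYPT, array('cost' => 12));
    var_dump(password_verify('correct-horse42', $stored2));
    var_dump(password_verify('correct-horse', $stored2));
}
```

Run as a script, the first login_check() call reports true and the two with a missing or changed digit report false. Note the shape of the login step: look the user up by email alone, read the stored hash from that row, and verify in PHP with crypt() or password_verify(); the hash itself never belongs in the WHERE clause, because a fresh salt (as in the question's generate_hash() call at login) produces a different string every time and can never equal the stored value.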