Bug #38152 major problem with crypt()
Submitted: 2006-07-19 21:25 UTC Modified: 2006-07-19 22:29 UTC
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: businessman332211 at hotmail dot com Assigned:
Status: Not a bug Package: *Encryption and hash functions
PHP Version: 4.4.2 OS: linux server
Private report: No CVE-ID: None

 [2006-07-19 21:25 UTC] businessman332211 at hotmail dot com
I use crypt. I use the first 2 letters of the username and create an encryption, like below under encryption, then database $password into the database.
Now I come to where I am testing to see if it matches. Someone goes to log in, they enter username and password, I take their username, use it as salt to encrypt their password in the same way, I take their username and their password and run it against the db for a match. If it matches it returns true and pulls the result.
If it doesn't, it returns false.
Supposedly, if it's just 1 character off then it doesn't work.
I used 951103902 for instance.
If I add an extra letter at the end, or change one before it, it still returns true. I tried it with random words too; this isn't supposed to happen.

Reproduce code:
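// At registration: hash the password, salted with the first 2 letters of the username
$salt = substr($username, 0, 2);
$password = crypt($password, $salt);
// At login: hash the entered password the same way
$salt = substr($username, 0, 2);
$enteredpass = crypt($enteredpass, $salt);
if ($enteredpass === $password) {
    echo "The passwords match";
} else {
    echo "The password is incorrect";
}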

Expected result:
I expect it to encrypt the password using crypt with the first 2 letters of whatever username,
which it does.
Then when I go to retrieve it with the person's entered information, if they typed the same password and username earlier, I expect it to get a match on the password, but it doesn't.

Actual result:
It doesn't match all the time. It does if it's right; if it's way off it returns false, which is good, but if it's close to a match but a little off it returns true.


 [2006-07-19 22:29 UTC]
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.
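
The behaviour in the report is consistent with traditional DES crypt(): a 2-character salt selects the DES scheme, which uses only the first 8 characters of the password, so any input sharing those 8 characters produces the same hash. The PHP script below is an added example, not code from the report or from the PHP project; the username and candidate passwords are constructed, and it contrasts the report's scheme with password_hash()/password_verify().

```php
<?php
// Added example (not from the bug report). All names and inputs are constructed.

// The report's scheme: a 2-character salt makes crypt() use traditional DES,
// where only the first 8 characters of the password feed the hash.
function des_hash(string $password, string $username): string
{
    $salt = substr($username, 0, 2);   // same salt derivation as the report
    return crypt($password, $salt);
}

$username   = 'alice';                 // constructed user name
$real       = '951103902';             // the password quoted in the report
$candidates = [
    '951103902',       // exact password
    '95110390',        // last character dropped (first 8 unchanged)
    '95110390X',       // 9th character changed
    '951103902zzz',    // extra characters appended
    '95110391',        // 8th character changed
];

// Weak: compare DES crypt() hashes.
$stored = des_hash($real, $username);
foreach ($candidates as $try) {
    $ok = hash_equals($stored, des_hash($try, $username));
    printf("DES crypt      %-14s %s\n", $try, $ok ? 'accepted' : 'rejected');
}

// Hardened: password_hash() generates a random salt and stores the algorithm
// and cost inside the hash string, so no salt is derived from the username.
// PASSWORD_DEFAULT is bcrypt at the time of writing, which has its own limit
// of 72 bytes, far above typical password lengths.
$stored = password_hash($real, PASSWORD_DEFAULT);
foreach ($candidates as $try) {
    $ok = password_verify($try, $stored);
    printf("password_hash  %-14s %s\n", $try, $ok ? 'accepted' : 'rejected');
}

// Migration hook: upgrade a stored hash once the user logs in successfully.
if (password_verify($real, $stored) && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
    $stored = password_hash($real, PASSWORD_DEFAULT);
}
```

Existing DES hashes cannot be converted offline; they can only be replaced when the user next supplies the password, which is why the rehash step sits in the login path.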

Last updated: Fri Jul 03 17:01:26 2020 UTC