PHP DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement


PHP's Encryption Functionality
Pages: 1, 2, 3

User authentication with crypt()

As an example of the use of the crypt() function, consider a scenario where you are interested in creating a PHP script that restricts a certain directory, allowing only those users supplying a correct user name and password to enter this directory. I'll store this information in a table residing on my favorite database server, MySQL. I'll begin by creating the table (titled "members"):



mysql>CREATE TABLE members (
    ->username CHAR(14) NOT NULL,
    ->password CHAR(32) NOT NULL,
    ->PRIMARY KEY(username)
    ->);

Next, assume that the following data is found in the members table:

Username Password
clark keloD1C377lKE
bruce ba1T7vnz9AWgk
peter paLUvRWsRLZ4U

These encrypted passwords correspond to "kent", "banner", and "parker", respectively. Notice that the first two letters of each password correspond to their unencrypted counterparts. This is because I used the following code to create a salt based on the first two letters of the password:

// Password is entered in an administration 
// form and stored as 
$enteredPassword.
$salt = substr($enteredPassword, 0, 2);
$userPswd = crypt($enteredPassword, $salt);
// $userPswd is then stored in the MySQL 
// database along with the username.

I'll make use of Apache's challenge-response authentication scheme to prompt the user for a user name and password. A little-known fact about PHP is that it recognizes Apache's challenge-response input user name and password as the global variables $PHP_AUTH_USER and $PHP_AUTH_PW respectively, which I'll make use of in the authentication script. Take a moment to read through the following script, paying particular attention to the comments so as to better understand the code flow:


Listing 1: Using crypt() and Apache's challenge-response authentication scheme.

<?php

$host = "localhost";
$user = "zorro";
$pswd = "hellodolly";
$db = "users";

// Set authorization to False

$authorization = 0;

// Verify that user has entered username and password

if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW)) :

  mysql_pconnect($host, $user, $pswd) or die("Can't connect to MySQL
server!");

  mysql_select_db($db) or die("Can't select database!");

  // Perform the encryption
  $salt = substr($PHP_AUTH_PW, 0, 2);
  $encrypted_pswd = crypt($PHP_AUTH_PW, $salt);

  // Build the query

  $query = "SELECT username FROM members WHERE
      username = '$PHP_AUTH_USER' AND
      password = '$encrypted_pswd'";

  // Execute the query

  if (mysql_numrows(mysql_query($query)) == 1) :
    $authorization = 1;
  endif;

endif;

// confirm authorization

if (! $authorization) :

  header('WWW-Authenticate: Basic realm="Private"');
  header('HTTP/1.0 401 Unauthorized');
  print "You are unauthorized to enter this area.";
  exit;

else :

  print "This is the secret data!";

endif;

?>


There you have it -- a simple authentication scheme for verifying user access. Before using crypt() to protect important secrets such as directions to the secret hiding place of the family jewels, keep in mind that crypt() when used in its default form is certainly not the most secure algorithm in the world, and should not be used for anything other than low-level authentication. For those of you searching for a more robust encryption scheme, hold tight, as I'll be introducing several later in this article.

Next, I'll introduce another PHP-supported function -- md5(). This function, which uses the MD5 hashing algorithm, has several interesting uses worth noting.

Hashing

A hash function will transform some variable-length message into a fixed-length hashed outcome, also known as a "message digest." This is useful because this fixed-length string can then be used as a method for checking file integrity and verifying digital signatures, in addition to things such as user authentication. As it pertains to PHP, PHP's built-in md5() hashing function will convert any variable-length message into a 128-bit (32-character) message digest. The interesting thing about hashing is that it is impossible to decode a message by examining the hash, because the hashed result is in no way related to the content of the original plain text. To illustrate this, consider that just changing one character of a string will cause the MD5 hashing algorithm to calculate two vastly different outcomes. First consider Listing 2 and its corresponding outcome.


Listing 2: A string hashed with md5().

<?php
$msg = "This is some message that I just wrote";
$enc_msg = md5($msg);
print "hash: $enc_msg 

"; ?>

The outcome:

hash: 81ea092649ca32b5ba375e81d8f4972c

Notice that the outcome is 32 characters long. Now consider Listing 3, which contains a slightly modified $msg value:


Listing 3: A slightly modified string hashed with md5().

<?php
// Notice that 'message' is missing an 's'
$msg = "This is some mesage that I just wrote";
$enc_msg = md5($msg);
print "hash2: $enc_msg <br /><br />";
?>

The outcome:

hash2: e86cf511bd5490d46d5cd61738c82c0c

As you can see, a minor change in the message string will cause two vastly different hashing outcomes, although each result is still 32 characters. And thus hashing and the md5() function are great tools for checking for even the most minor differences in data.

While crypt() and md5() each have their uses, both are rather limited in terms of functionality. In the next section, I'll introduce two very useful PHP extensions, namely Mcrypt and Mhash, which greatly extend a PHP user's encryption options.

While in the last section you learned just how useful one-way encryption could be, there are times when you will want the option to be able to both encrypt and subsequently decrypt data. Thankfully, PHP offers this possibility in the form of the Mcrypt library extension.

Pages: 1, 2, 3

Next Pagearrow




Valuable Online Certification Training

Online Certification for Your Career
Earn a Certificate for Professional Development from the University of Illinois Office of Continuing Education upon completion of each online certificate program.

PHP/SQL Programming Certificate — The PHP/SQL Programming Certificate series is comprised of four courses covering beginning to advanced PHP programming, beginning to advanced database programming using the SQL language, database theory, and integrated Web 2.0 programming using PHP and SQL on the Unix/Linux mySQL platform.

Enroll today!


Sponsored by: