thank_you

Reputation: 11107

Crypt Function Not Returning Correct Password

I have a simple login system using crypt and blowfish. However, for the life of me I can't figure out why the function is not producing the registered password that is stored in my database. What is wrong with the crypt function?

Here is when the password is registered into the database.

function unique_md5() {
    mt_srand(microtime(true)*100000 + memory_get_usage(true));
    return md5(uniqid(mt_rand(), true));
}

if ($password == $password_again) {
    $md5 = substr(unique_md5(), 0, 15);
    $string = '$2a$07$' . $md5;
    $password = trim($password);
    $protected_password = crypt($password, $string);
    //rest of code involved putting that $protected_password into database

Login Page code

$password = 'password';

echo '$2a$07$4cf0aa3a82e8d78$$$$$$.M4dWdC3N7OF.hphzfyswwszM7RFJUfu';

//the echo below echoes out the exact same thing as the echo above, but the if statement
//recognizes it as not equal to
echo $registered_password = registered_password($mysqli, $username);

if ($password == crypt($password, $registered_password)) {
    echo 'Working';
} else {
    echo 'Not working';
}

Upvotes: 0

Views: 245

Answers (1)

Mike Brant

Reputation: 71422

You are using the crypt function wrong. You need to compare the encrypted password against the result from crypt, not the plain-text password.

Your comparison should be something like:

if ($encrypted_password_from_database == crypt($user_provided_password, $encrypted_password_from_database)) {
    // match
} else {
    // no match
}

Upvotes: 1
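
The comparison from the answer, set beside the one from the question, as an added example that is not part of the original answer. The function names are hypothetical, the sample passwords are constructed, and it assumes PHP 7+ with the built-in password_hash(), password_verify() and hash_equals().

```php
<?php
// Added illustration; function names are hypothetical, not from the post.

// Registration: password_hash() generates a random salt itself and returns
// a bcrypt string (prefix, cost, salt and digest in one value) to store as-is.
function register_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// The question's check: plain text on the left, crypt() output on the right.
// The two sides are different kinds of value, so a correct password is rejected.
function verify_question_style(string $input, string $stored): bool
{
    return $input == crypt($input, $stored);
}

// The answer's check: re-hash the input with the stored hash as the salt
// argument, then compare hash to hash. hash_equals() is used here instead of
// == so the comparison time does not depend on where the strings differ.
function verify_answer_style(string $input, string $stored): bool
{
    return hash_equals($stored, crypt($input, $stored));
}

// Constructed sample data standing in for the database row.
$stored = register_hash('correct horse');

$checks = [
    'question style, right password' => verify_question_style('correct horse', $stored),
    'answer style, right password'   => verify_answer_style('correct horse', $stored),
    'answer style, wrong password'   => verify_answer_style('wrong horse', $stored),
    // password_verify() wraps the same re-hash-and-compare step.
    'password_verify, right password' => password_verify('correct horse', $stored),
    'password_verify, wrong password' => password_verify('wrong horse', $stored),
];

foreach ($checks as $label => $result) {
    printf("%-34s %s\n", $label . ':', $result ? 'match' : 'no match');
}
```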
