Posted by sylikc on 10/20/42 11:21

Javier,

On 7/5/05, Javier <xavierleyba@yahoo.com.ar> wrote:
> I ve a little script to validate a user using an Apache htpasswd file.

I'm assuming you want to be able to use the hashes in the htpasswd
file to validate your user logins in PHP.


> I want to know how could/should I generate a crypted hash (with crypt or
> md5) with the entered password to match the password in the htpasswd file...
>
> I know how to use md5 or crypt functions but passing them entered password
> as a parameter, returned result dont match with the one in htpasswd file.

customized from the PHP documention usage of crypt()
http://www.php.net/manual/en/function.crypt.php



With CRYPT passwords, there is a salt that mixes with the actual
password before it's hashed. To be able to create the same hash
everytime, do the following...

1) You create your password and insert it into the htpasswd file
htpasswd -b .htpasswd username password

2) In your .htpasswd file, you see a line like this:
username:PQyFAAHPD3vKs

3) Your script gets the $username and $password from somewhere...

4) Search the .htpasswd file for the existence of $username and
retrieve the crypt hash ($crypthash='PQyFAAHPD3vKs' in this example)

5) Verify the password:
if (crypt($password, $crypthash) == $crypthash) { echo 'GOOD!'; }



For MD5 passwords though, it's a little different and not documented
as thoroughly...

1) First check your constant CRYPT_MD5... if you don't have it in your
PHP, this won't work...
if (CRYPT_MD5 == 1) { echo 'PHP supports MD5-crypt'; }

2) Assuming it works out, do steps #2,#3,#4 above, so you now have
your $username, $password, $crypthash
(for ex: $crypthash='$apr1$jZ1.....$1Md.1a88zkKIPCY0b42Cw/')

3) Extract crypt salt from the $crypthash ....
$cryptsalt = '$'.substr($crypthash,4,11);

4) Verify the password:
if (crypt($password, $cryptsalt) == $crypthash) { echo 'GOOD!'; }

In step #4 you'll have to see the output from your crypt() function
that supports MD5. I don't have my built with it just yet and can't
verify this, but use the steps as a guide to building your
implementation.

Post some code if you're still having trouble,


/sylikc

• Next in forum: Re: [PHP] who can do this without the recursion
• Prev in forum: Re: [PHP] Apache htpasswd
• Thread view: Re: [PHP] Apache htpasswd

[Reply to this message]