So i have a small leak in my login script.
lets say we have a user "David" with the password "s3cret". If David logs in with s3cret, he is logged in, and everything works fine. If he logs in with "oijopij", the system won't give him access, as expected. However, If he tries to login with "s3cretHelloimasuffix", he is also logged in. This is the part where i create the hash with crypt:
$salt = //Some random salt string
$hash = crypt( $user->pass, $salt );
This hash is then inserted into the DB.
if ( crypt( $this->data->pass, $user->pass ) == $user->pass )
return true;
return false;
This is then the part that actually checks the password against the hash, both the password, and the hash are correct. But it still returns true even if there is a suffix beghind the password.
edit: i forgot the actual question: How do i fix this problem? As it could be seen as a security leak, even though in practice it isn't.
crypt as you're using it is limited to 8 character passwords:
php > echo crypt('1234567', 'abc');
ablk9HoaAwzxk
php > echo crypt('12345678', 'abc');
ab1iBa.N.U2C6
php > echo crypt('123456789', 'abc');
ab1iBa.N.U2C6
php > echo crypt('1234567890', 'abc');
ab1iBa.N.U2C6
Note how the ...8, ...89, ...890 versions have identical hashes.
crypt is obsolete and should not be used for password systems anymore. password_hash() is the recommended method now, which suports multiple hashing methods, including bcrypt, which SHOULD be used for password hashes.