now i using this code to crypt my password on database,it function when login or validation.
But it only valid the first 7 character.
let say my password is miow12345, but i can just type in miow123 or miow12312q... to login
$pas = crypt($_POST["pas"], "MiO1!");
validation.php
if(isset($_POST['username']))
{
$username = $_POST['username'];
}
if (isset($_POST['password']))
{
$password=crypt($_POST["password"], "MiO1!");
}
$q = 'SELECT * FROM users WHERE username=:username AND password=:password';
$query = $dbh->prepare($q);
$query->execute(array(':username' => $username, ':password' => $password));
if($query->rowCount() == 0)
{
header('Location: login.php?err=1');
}
another method(same problem)
if( crypt($_POST["pas"], "TmP2!") != $row["password"])
PHP's crypt function only uses the first eight characters, that's by design (http://php.net/manual/en/function.crypt.php).
You should use password_hash instead when storing a password in the database and use password_verify to compare it to the password the user entered:
if (password_verify($_POST["pas"], $row["password"]))
(this code won't work for you right now, since you have crypt-hashed passwords in your DB, you will have to re-hash them using password_hash)
The thing is your code here is wrong $password=crypt($_POST["password"], "MiO1!"); it will return a different set of string. the proper thing to use is the has_equals function. here is a sample provided by php documentation.
if (hash_equals($hashed_password, crypt($user_input, $hashed_password))) {
//your query here;}