21 февраля 2012, 20:45 от Giuseppe Tofoni <gt0057@gmail.com>:
>
> In PHP I used crypt($pass, CRYPT_STD_DES) and I tried with the
> following statement

CRYPT_STD_DES is just a constant that indicates whether standard
DES crypt() is availlable, so you should not use it as the salt - or if
you do, the salt will be "1" (or "0" if standard DES crypt() is not
available). You may want to use something like this instead:

if (CRYPT_STD_DES == 1) {
$salt = substr($username, 0, 2);
$encrypted_password = crypt($password, $salt);
}

You should regenerate your .htpasswd file using this approach
because the Apache htpasswd uses a random salt instead of
the first two characters of the username,

>
> postgres_query "SELECT user FROM usertable WHERE user=$user AND
> pwd=crypt($pass, substr(pwd, 1, 2))";

You should never use any part of whatever you're encrypting as the salt
because it greatly reduces encryption strength / entropy. By using the
first two characters of the password as the salt, you're revealing them
because the salt is stored in the first two characters of the resulting
crypt() hash:

crypt("test", "te") generates "teH0wLIpW0gyQ"
crypt("test", "XX") generates "XXF2OrGyU2fzk"

So you may want to use something like this:

postgres_query "SELECT user FROM usertable WHERE user=$user AND
pwd=crypt($pass, substr($user, 1, 2))";

Max
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx