For my website I've stored my user passwords in the database using this MySQL function:
ENCRYPT('password', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
The salt used by ENCRYPT() (better known as the crypt() function) is stored as part of the hash, and can be used as part of the hash:
SELECT ... FROM users WHERE ... AND password = ENCRYPT('swordfish', password);
(That is, if the password the user entered was "swordfish". I'm avoiding "password" because it's also a column name.)
You can (and should) do the same thing in PHP by checking:
crypt($user_password, $hashed_password) == $hashed_password
Note that crypt() is not a particularly secure method of password storage. Please see Secure hash and salt for PHP passwords for details.
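The check the answer describes (re-running crypt() with the stored hash as the salt), as an added PHP example that is not part of the answer. It assumes a SHA-512 crypt hash like the one in the question, and the helper names make_sha512_crypt and verify_sha512_crypt are hypothetical; it generates the salt from a CSPRNG instead of SHA(RAND()) and compares with hash_equals() instead of ==.

```php
<?php
// Added example, not code from the question or the answer.

// Build a "$6$" (SHA-512 crypt) hash with a 16-character salt drawn from the
// crypt alphabet using random_int(), a CSPRNG, rather than the question's
// SUBSTRING(SHA(RAND()), -16), which is seeded from MySQL's non-crypto RAND().
function make_sha512_crypt(string $password): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    // rounds=100000 raises the work factor above the SHA-crypt default of 5000.
    return crypt($password, '$6$rounds=100000$' . $salt . '$');
}

// Verify exactly as the answer describes: pass the stored hash as the salt
// argument. crypt() reads the algorithm id, rounds and salt out of it, so the
// recomputed value is directly comparable with what is in the database.
function verify_sha512_crypt(string $password, string $stored): bool {
    $recomputed = crypt($password, $stored);
    // hash_equals() is constant-time; a plain == comparison leaks how many
    // leading characters matched through timing.
    return hash_equals($stored, $recomputed);
}

$stored = make_sha512_crypt('swordfish');
var_dump(verify_sha512_crypt('swordfish', $stored));
var_dump(verify_sha512_crypt('Swordfish', $stored));
```

PHP's built-in password_hash() and password_verify() do the same salt generation and constant-time check for you, and are the usual replacement for hand-rolled crypt() storage.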