Question

I have had a weird result when testing my login. When I use the password "100percent", the following output is displayed

ltu1GUwy71wHk = ltu1GUwy71wHk

If I use the password 100percenttest, I get the same output.

How can two different passwords give the same results?

```php
//Get login Details
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$deviceID = mysql_real_escape_string($_GET['deviceID']);
$model    = mysql_real_escape_string($_GET['model']);
$platform = mysql_real_escape_string($_GET['platform']);
$version  = mysql_real_escape_string($_GET['version']);
// Fixed salt passed to crypt(); with a salt that carries no "$n$" prefix
// PHP falls back to the standard DES scheme
$password = crypt($password, "MYSALT");

//Check login details
$loginQuery = "SELECT * FROM tblMember WHERE Username='$username'";
$loginResult = mysql_query($loginQuery);
$loggedIn = false;
$result = array();
while ($row = mysql_fetch_array($loginResult)) {
    // Debug output: stored hash next to the hash of the submitted password
    echo $row['Password'] . "=" . $password . "<BR/>";
}
```

Answer

From the documentation:

The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).

You can prefix your salt with certain strings to force PHP to use a different algorithm (e.g., `$5$` to use SHA-256). Personally, I recommend using Blowfish with a high number of rounds; consult the documentation for an example.

P.S. - You should not be using the mysql extension in your PHP code, ever. Use the improved mysqli extension instead.
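The following is an added example, not code from the question or the answer above. It reproduces the collision the answer explains (standard DES crypt() keys on the first eight characters of the password and the first two of the salt), then shows the replacement a practitioner would actually deploy: password_hash()/password_verify() with a per-user random salt, plus a mysqli prepared statement so the username is never spliced into SQL. It assumes a mysqli connection `$db` and a table `tblMember(Username, Password)` as in the question; the DES part assumes the platform's crypt() still supports the classic DES scheme, which some recent libcrypt builds disable.

```php
<?php
// Added example (not from the original question or answer).
declare(strict_types=1);

// 1. Why "100percent" and "100percenttest" collide: with a salt that has no
//    "$n$" prefix, crypt() uses standard DES, which hashes only the first
//    eight characters of the password under a two-character salt.
function desCrypt(string $password, string $salt = "MYSALT"): string
{
    return crypt($password, $salt);
}

function desCollides(string $p1, string $p2, string $salt = "MYSALT"): bool
{
    // Same first eight characters => same 13-character DES hash
    return desCrypt($p1, $salt) === desCrypt($p2, $salt);
}

// The answer's alternative: a "$5$" prefix selects SHA-256 crypt and the
// whole password is used. A random salt per user is still required.
function sha256Crypt(string $password): string
{
    $salt = '$5$rounds=50000$' . bin2hex(random_bytes(8)) . '$';
    return crypt($password, $salt);
}

// 2. The recommended replacement: password_hash() picks a random salt and
//    embeds algorithm, cost and salt in the returned string, so only that
//    string needs to be stored. Cost 12 is an assumption; tune it per host.
const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTS = ["cost" => 12];

function hashPassword(string $password): string
{
    return password_hash($password, HASH_ALGO, HASH_OPTS);
}

// 3. Login check with mysqli and a prepared statement.
function checkLogin(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT Password FROM tblMember WHERE Username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a dummy hash for unknown users so that response time
    // does not reveal whether a username exists.
    static $dummy = null;
    $dummy ??= hashPassword(bin2hex(random_bytes(16)));
    $stored = $row["Password"] ?? $dummy;

    if ($row === null || !password_verify($password, $stored)) {
        return false;
    }

    // Transparent upgrade: re-hash when the stored cost/algorithm is outdated.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTS)) {
        $new = hashPassword($password);
        $upd = $db->prepare("UPDATE tblMember SET Password = ? WHERE Username = ?");
        $upd->bind_param("ss", $new, $username);
        $upd->execute();
        $upd->close();
    }
    return true;
}
```

Two caveats worth knowing before adopting this: bcrypt itself only processes the first 72 bytes of the password, so a length limit or a pre-hash is needed if longer passphrases must be distinguished, and existing DES hashes in `tblMember.Password` cannot be converted offline; they have to be replaced the next time each user logs in successfully, with the re-hash branch above extended to recognise the 13-character DES format.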

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow