| SitePoint Sponsor |
Hi guys
I am creating a login system and I am using some of the code offered in Build Your Own Database Driven Website Using PHP & MySql but I would like to encrypt the password INSIDE the mysql.
Is it possible to do that?
What format (etc. BLOB/BINARY) should the passwd column in Mysql be? And how can I encrypt/decrypt the passwd from mysql (for saving and when logging in)
Please let me know as I would like to know more about Log-in system in PHP (& Mysql)
Sincerely:
Jonatan
Jonatan Nilsson
Iceland
C# Programmer - XML & DirectX (y = hx + c)
What I do is use a VARCHAR field and do an md5() encryption on the user's password before it gets stored in the DB. This generates a 32-char string using the MD5 algorithm. Unless you have an algorithm that decrypts MD5 strings then the password is secure.
md5 ('string') always returns the same 32-char result depnedent on what is the value of 'string'.
To add security to the password. You can be appending some characters before you encrypt the data. This is neccessary so that it cannot be easily decrypted.
likePHP Code:<?php
$pass=$_POST['password'];
encr_pass=md5($pass."12ij");
//insert into db
?>
Power of Knowledge
for variaty there is other methods such as this one I use
the resulting password in the database is more dependent on the mysql version ... on mysql 5.0 {which is the version I use} the resulting password is 42Char longPHP Code:$pw=$_POST['password'];
$password=sha1(md5($pw) . $pw);
$SQL="INSERT INTO user (username, password) VALUES ('" . sanitize_paranoid_string($_POST['username']) . "', PASSWORD('$password'))";
So I should be able to do something like this as an example:
Also one thing I have in mind is that if I have encrypted the value in MySql, how should I compare. Should I encrypt the password typed and then compare normally with the encrypted value in MySql?PHP Code:$pass = $_POST['password'];
$encr = md5($pass . "1o1r0fl");
//access and get password from db and store as etc. $userpass
if ($encr == $userpass)
//stuff
else
//Wrong password
Please let me know and thanks for all the advices
Last edited by blackman890; Mar 22, 2006 at 15:45.
Jonatan Nilsson
Iceland
C# Programmer - XML & DirectX (y = hx + c)
Yeah you need to ecrypt the typed in pass and compare with one in the db
Power of Knowledge
Yes you take the password the user has used to login md5 it and compare it to the database password. So it would look something like this:
PHP Code:<?php
//$databasepass is the encrypted password being displayed from the database
$password = $_POST['password'];
$md5pass = md5($password);
if($md5pass == $databasepass){
//The passwords match
}else{
//Wrong password
}
?>
Sean @ Pixel Inception, Inc. www.pixelinception.net
Web Design & Web Development
I am not able to Understand why r u using "sanitize_paranoid_string()" wht is this. is it a php function?Originally Posted by whytewolf
if it is then i am not able to find it at http://www.php.net
and Can u explain this code more clearly.
Posting Permissions
Bookmarks