  1. #1 SitePoint Addict

    Password Encryption and mysql_real_escape_string

    Hi,
    I'm trying to encrypt a password and also make sure it's safe to put into my database.

    Should I encrypt first then use mysql_real_escape_string()?

    Or should it be the other way around?

    Or would doing both be redundant?

  2. #2 felgall
    Provided that the encryption process you use doesn't allow characters that need to be escaped in the result then doing both would be redundant.
    Stephen J Chapman


  3. #3 SitePoint Addict
    I'll be using md5, unless you think I should use a different one.
    I'm not sure if that escapes anything.

    Here's what I've got at the moment:

    Code:
    <?php
    // Assign variables to username and password from the POST request
    // (isset() avoids an "undefined index" notice when a field is missing)
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Check to see if username or password is empty
    $userIsEmpty = empty($username);
    $passIsEmpty = empty($password);

    // Insert a pattern to match against here, such as only alphanumerics

    // Hash the password (md5() returns a 32-character lowercase hex string)
    $encryptedPassword = md5($password);

    // Escape the characters that have special meaning inside a quoted SQL
    // string (quotes, backslashes, NUL, newlines). This does not remove SQL
    // commands; it only stops the value from terminating the string literal.
    // mysql_real_escape_string() needs an open mysql_connect() link.
    $safeUsername = mysql_real_escape_string($username);
    $safePassword = mysql_real_escape_string($encryptedPassword);
    Are my methods sound?
    I realize that I haven't implemented userIsEmpty and passIsEmpty yet, working on it.

  4. #4 SitePoint Wizard (Bristol, UK)
    md5 only ever outputs 32 alphanumeric characters so you shouldn't need to escape it

  5. #5 SitePoint Addict
    Great,
    thanks for that.
    I suppose there's no real harm in escaping it anyway?
    Would it produce any unwanted results in any circumstance if I escaped it?

    I'm coming up to the part where I'm nearly ready to start inserting records. I'll need a little help to optimize, as at the moment it's a giant if statement and I doubt it's the best way to go.
    I'll save that for another topic though.

  6. #6 SitePoint Wizard
    You could always use prepared statements http://nz.php.net/manual/en/pdo.prepare.php and wouldn't need to worry about escaping.
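The following is an added example, not code posted in the thread, that puts the last two replies together: it checks that quoting a 32-character hex digest changes nothing (the point made in #2 and #4, since a hex digest contains only 0-9 and a-f), and then does what #6 suggests, storing and checking the password through PDO prepared statements so the question of escaping never arises. It also swaps the bare md5() for password_hash(), a salted, slow hash built for password storage; an unsalted md5 of a password can be reversed with precomputed tables. Assumptions: PHP 5.5 or later with the pdo_sqlite extension, an in-memory SQLite database so the script runs offline (for MySQL only the DSN in the constructor changes), and a constructed sample user with a quote in the name plus a constructed injection-style login attempt.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.5 with pdo_sqlite.
declare(strict_types=1);

// In-memory SQLite stands in for MySQL; the prepared-statement code is the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Point from #2/#4: a hex digest has nothing to escape, so quoting it only
// adds the surrounding quotes and leaves the 32 characters untouched.
function escapingIsNoOpForHexDigest(PDO $pdo, string $password): bool
{
    $digest = md5($password);                 // 32 chars from [0-9a-f]
    return $pdo->quote($digest) === "'" . $digest . "'";
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    if ($username === '' || $password === '') {
        throw new InvalidArgumentException('username and password must not be empty');
    }
    // Salted bcrypt hash; identical passwords get different hashes and
    // each guess costs real CPU time, unlike a single md5() call.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Point from #6: placeholders are sent to the driver separately from the
    // SQL text, so user input is never parsed as SQL and needs no escaping.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                         // unknown user
    }
    return password_verify($password, $row['password_hash']);
}

// Constructed sample input: a username containing a quote, and a login
// attempt whose username is a classic injection payload.
registerUser($pdo, "o'brien", 'correct horse battery staple');

var_dump(escapingIsNoOpForHexDigest($pdo, 'correct horse battery staple'));
var_dump(checkLogin($pdo, "o'brien", 'correct horse battery staple'));
var_dump(checkLogin($pdo, "o'brien", 'wrong password'));
var_dump(checkLogin($pdo, "' OR '1'='1", 'anything'));
```

Run it with `php example.php`. The injection-style username is simply compared as a literal string and matches no row, and the quote in "o'brien" round-trips without any escaping code of your own; the same three functions work unchanged against a MySQL DSN such as `mysql:host=localhost;dbname=app`.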
