Hi,
I'm trying to encrypt a password and also make sure it's safe to put into my database.
Should I encrypt first then use mysql_real_escape_string()?
Or should it be the otherway around?
Or would doing both be redundant?

Provided that the encryption process you use doesn't allow characters that need to be escaped in the result then doing both would be redundant.
Stephen J Chapman
javascriptexample.net, Book Reviews, follow me on Twitter
HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog


I'll be using md5, unless you think I should use a different one.
I'm not sure if that escapes anything.
Here's what I've got at the moment:
Are my methods sound?
Code:
<?php
//Assign variables to username and password
$username = $_POST['username'];
$password = $_POST['password'];
//Check to see if username or password is empty
$userIsEmpty = empty($username);
$passIsEmpty = empty($password);
//Insert a pattern to match against here, such as only alphanumerics
//Hash the password (md5 returns a 32-character hex digest)
$encryptedPassword = md5($password);
//Escape the username and password so quotes or backslashes in them cannot break the SQL string
$safeUsername = mysql_real_escape_string($username);
$safePassword = mysql_real_escape_string($encryptedPassword);
I realize that I haven't implemented $userIsEmpty and $passIsEmpty yet, working on it!





md5 only ever outputs 32 alphanumeric characters so you shouldn't need to escape it!
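The two replies above make the same point from different angles: escaping is only redundant if the hash output can never contain a character that mysql_real_escape_string would touch. The script below is an added example, not code from either poster; it checks that claim directly for md5 and, going beyond the thread, for sha1, sha256 and password_hash() output, using the character set the PHP manual documents for mysql_real_escape_string (NUL, \n, \r, backslash, single quote, double quote and Control-Z). The password value is constructed for the demonstration.

```php
<?php
// Added example: which characters does mysql_real_escape_string escape,
// and can a hash digest ever contain one of them?

/** Return the distinct characters in $s that mysql_real_escape_string would escape. */
function charsNeedingMysqlEscape(string $s): array
{
    // Set documented in the PHP manual for mysql_real_escape_string.
    $escaped = ["\0", "\n", "\r", "\\", "'", "\"", "\x1a"];
    $found = [];
    foreach (str_split($s) as $ch) {
        if (in_array($ch, $escaped, true)) {
            $found[] = $ch;
        }
    }
    return array_values(array_unique($found));
}

/** True when every character of $s is a lowercase hex digit (md5/sha1/sha256 hex output). */
function isHexDigest(string $s): bool
{
    return preg_match('/\A[0-9a-f]+\z/', $s) === 1;
}

// Constructed password containing exactly the characters the thread worries about.
$password = "pa'ss\"w\\ord;-- DROP TABLE users";

$digests = [
    'md5'    => md5($password),             // 32 hex characters
    'sha1'   => sha1($password),            // 40 hex characters
    'sha256' => hash('sha256', $password),  // 64 hex characters
    // bcrypt output uses '$', '.', '/' and [A-Za-z0-9]; none are in the escaped set.
    'bcrypt' => password_hash($password, PASSWORD_BCRYPT),
];

foreach ($digests as $name => $digest) {
    $needs = charsNeedingMysqlEscape($digest);
    printf("%-7s %-8s %s\n",
        $name,
        isHexDigest($digest) ? 'hex' : 'non-hex',
        $needs === [] ? 'nothing to escape' : 'would be escaped: ' . json_encode($needs));
}

// The raw password is the value that must never reach the SQL string unescaped.
printf("%-7s %-8s would be escaped: %s\n",
    'raw', 'non-hex', json_encode(charsNeedingMysqlEscape($password)));
```

Every digest row reports "nothing to escape", while the raw password row lists the quote and backslash characters. That is the whole of the argument: escaping a hex digest is a no-op, so doing both is harmless but pointless, whereas the unhashed input (and the username, which is not hashed at all) still needs protection.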


Great,
thanks for that.
I suppose there's no real harm in escaping it anyway?
Would it produce any unwanted results in any circumstance if I escaped it?
I'm coming up to the part where I'm nearly ready to start inserting records, I'll need a little help to optimize, as at the moment it's a giant if statement and I doubt it's the best way to go.
I'll save that for another topic though.





You could always use prepared statements http://nz.php.net/manual/en/pdo.prepare.php and wouldn't need to worry about escaping.
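As an added illustration of the prepared-statement suggestion above (this is example code, not anything posted in the thread), here is a register/login pair using PDO placeholders, so no escaping step exists for either the username or the hash. Assumptions: a users table with username and password_hash columns, and PHP's pdo_sqlite extension with an in-memory database so the script runs offline; for MySQL the DSN, username and password passed to the PDO constructor would change and nothing else. password_hash()/password_verify() (PHP 5.5 and later) are used in place of the md5() from the original post. The user record and login attempts are constructed inputs.

```php
<?php
// Added example: PDO prepared statements for storing and checking a password.
// Assumes pdo_sqlite; swap the DSN for 'mysql:host=...;dbname=...' plus credentials.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec(
    'CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL
    )'
);

/** Store a new user; the password is hashed, never stored as typed. */
function registerUser(PDO $pdo, string $username, string $password): void
{
    if ($username === '' || $password === '') {
        throw new InvalidArgumentException('username and password must not be empty');
    }
    // Placeholders: the driver sends the values separately from the SQL text,
    // so quotes, backslashes or SQL keywords in the input are plain data.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

/** Look the user up by username and compare the submitted password to the stored hash. */
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Constructed inputs containing the characters the thread is worried about.
registerUser($pdo, "o'brien", "pa'ss\"w\\ord");

var_dump(loginUser($pdo, "o'brien", "pa'ss\"w\\ord"));   // correct password
var_dump(loginUser($pdo, "o'brien", 'wrong'));           // wrong password
var_dump(loginUser($pdo, "' OR '1'='1", 'anything'));    // injection payload as username
```

The first login succeeds and the other two fail: the payload in the third call is compared literally against the username column and matches no row, because it was bound as a value rather than spliced into the query. The hash column still never needs escaping for the reason given earlier in the thread, but with placeholders that question does not even arise.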