Jump to content

Encryption of password in database

- - - - -
Started by newphpcoder, May 05 2011 08:16 PM

  • Please log in to reply
23 replies to this topic

#1
newphpcoder
Posted 05 May 2011 - 08:16 PM

newphpcoder

    Programming Professional

  • Members
  • PipPipPipPipPipPip
  • 479 posts
Good day!

I created a simple login form. I want to know is how can encrypt the password that i already in the database. Because I have no register form only login form so that the username and password is already in the database. My problem is how can I encrypt my password, when I research about encryption of password they used md5 but when I tried it it did not encrypt my password and i got an error. and also when I input my password at textbox like for example my password is "qwerty" when I type it on the password textbox it shows qwerty i want to happen is it likes a bullet?

here is my login code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Untitled Document</title>

</head>


<body>

<form id="form1" name="form1" method="post" action="">

  <p>

    <label for="username">Username: </label>

    <input type="text" name="username" id="username" />

  </p>

  <p>

    <label for="password">Password: </label>

    <input type="text" name="password" id="password" />

  </p>

  <p>					

    <input type="submit" name="submit" id="submit" value="Submit" />

  </p>

  

<?php

include 'connection.php';


 if (isset($_POST['submit'])) {

$username=$_POST['username']; 

$password=$_POST['password'];



$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);



/*$username = stripslashes($username);

$password = stripslashes($password);

$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);*/

//$password = md5($password);


$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){  

header("location:machine1.php");

}

else {

echo "Wrong Username or Password";

}

}

?>

</form>

</body>

</html>


Thank you

#2
Alexander
Posted 05 May 2011 - 08:38 PM

Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200
I would recommend you use sha1() instead of md5, and apply a salt*, i.e. 
$password = sha1($_POST['password'] . 'known-salt');
This would allow the passwords to be stored in hashed form in the database, and check the user input by applying this known salt each time in to the password query.

You will need to have the password field become forty characters to store the SHA1 plaintext password.

I assume if you wish to convert all plain passwords to hashed, you could run it in a loop after altering the table to increase the length.

*A random value prevents most precomputed hash lookups
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#3
newphpcoder
Posted 05 May 2011 - 08:49 PM

newphpcoder

    Programming Professional

  • Members
  • PipPipPipPipPipPip
  • 479 posts

Alexander said:

I would recommend you use sha1() instead of md5, and apply a salt*, i.e. 
$password = sha1($_POST['password'] . 'known-salt');
This would allow the passwords to be stored in hashed form in the database, and check the user input by applying this known salt each time in to the password query.

You will need to have the password field become forty characters to store the SHA1 plaintext password.

I assume if you wish to convert all plain passwords to hashed, you could run it in a loop after altering the table to increase the length.

*A random value prevents most precomputed hash lookups
How can I do this in my previous code?

#4
newphpcoder
Posted 05 May 2011 - 08:52 PM

newphpcoder

    Programming Professional

  • Members
  • PipPipPipPipPipPip
  • 479 posts
I'm not familiar with sha1...

when I tried to used md5 the password was not read so that the condition falls to else statement.

here is my code with md5

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Untitled Document</title>

</head>


<body>

<form id="form1" name="form1" method="post" action="">

  <p>

    <label for="username">Username: </label>

    <input type="text" name="username" id="username" />

  </p>

  <p>

    <label for="password">Password: </label>

    <input type="password" name="password" id="password" />

  </p>

  <p>					

    <input type="submit" name="submit" id="submit" value="Submit" />

  </p>

  

<?php

include 'connection.php';


 if (isset($_POST['submit'])) {

$username=$_POST['username']; 

$password=$_POST['password'];

$password = md5($password);


$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);


/*$username = stripslashes($username);

$password = stripslashes($password);

$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);*/

//$password = md5($password);


//$sql="UPDATE tbllogin SET password = '$password' WHERE username = $username";

//$result=mysql_query($sql);

//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = $username");

$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){  

header("location:machine1.php");

}

else {

echo "Wrong Username or Password";

}

}

?>

</form>

</body>

</html>

#5
Alexander
Posted 05 May 2011 - 09:15 PM

Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200
The password would have to be MD5 inside the database for it to match, otherwise you are matching a hash against a plain password.

As for SHA1, it is used exactly the same how MD5 is used, there is nothing new there. MD5 can be cracked in seconds by older computers (http://eprint.iacr.org/2009/223.pdf)
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#6
newphpcoder
Posted 05 May 2011 - 09:21 PM

newphpcoder

    Programming Professional

  • Members
  • PipPipPipPipPipPip
  • 479 posts
I tried this code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Untitled Document</title>

</head>


<body>

<form id="form1" name="form1" method="post" action="">

  <p>

    <label for="username">Username: </label>

    <input type="text" name="username" id="username" />

  </p>

  <p>

    <label for="password">Password: </label>

    <input type="password" name="password" id="password" />

  </p>

  <p>					

    <input type="submit" name="submit" id="submit" value="Submit" />

  </p>

  

<?php

include 'connection.php';


 if (isset($_POST['submit'])) {

$username=$_POST['username']; 

$password=md5($_POST['password']);


//$password = '051090';


//$password = md5($password);


$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);

//$password = mysql_real_escape_string(sha1($password)); 


/*$username = stripslashes($username);

$password = stripslashes($password);

$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);*/

//$password = md5($password);



//$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";


$sql="UPDATE tbllogin SET password = '$password' WHERE username = $username";

//$result=mysql_query($sql);

//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = $username");


//$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'"; 

//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){  

header("location:machine1.php");

}

else {

echo "Wrong Username or Password";

}

}

?>

</form>

</body>

</html>

and the result is:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\machine_1\index.php on line 54
Wrong Username or Password

#7
Alexander
Posted 05 May 2011 - 09:23 PM

Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200
You've no single quotes around username, so the query likely failed and returned false. This is why mysql_num_rows is throwing an error.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#8
newphpcoder
Posted 05 May 2011 - 09:31 PM

newphpcoder

    Programming Professional

  • Members
  • PipPipPipPipPipPip
  • 479 posts
I add single quote but still the condition falls on else statement which s wrong username or password

#9
Alexander
Posted 05 May 2011 - 09:37 PM

Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200
I believe you had not understood what the benefit of hashing is.

If you store plain passwords in the database, and it were to be somehow retrieved by a user their passwords would fall in to the hands of somebody who could impersonate or otherwise do damage.

This is why you should store hashes in the database instead of passwords. The hash A3fe201facb0a is (relatively) worthless to the attacker if that is all that is stored in the database.

You must translate all your passwords to either MD5 or (preferably SHA1) so that it can be successfully matched when the user enters their password. The steps would be:

User John enters password reddog21
Page accepts reddog21
Page hashes to 6c0cbf5029aed0af395ac4b864c6b095
Page queries database to check if John has password 6c0cbf5029aed0af395ac4b864c6b095
Page either matches successfully, or claims their password is incorrect

As you see, the user's password is safe as in it is not in the database, although you still have to have it all hashed.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#10
newphpcoder
Posted 05 May 2011 - 09:47 PM

newphpcoder

    Programming Professional

  • Members
  • PipPipPipPipPipPip
  • 479 posts
I check my database and i see that my password is already encrypted.

my problem now is even my password and username is correct i fall in wrong username and password.

Kindly check my codes what is wrong?waht is not needed?


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Untitled Document</title>

</head>


<body>

<form id="form1" name="form1" method="post" action="">

  <p>

    <label for="username">Username: </label>

    <input type="text" name="username" id="username" />

  </p>

  <p>

    <label for="password">Password: </label>

    <input type="password" name="password" id="password" />

  </p>

  <p>					

    <input type="submit" name="submit" id="submit" value="Submit" />

  </p>

  

<?php

include 'connection.php';


 if (isset($_POST['submit'])) {

$username=$_POST['username']; 

$password=md5($_POST['password']);


//$password = '051090';


//$password = md5($password);


$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);

//$password = mysql_real_escape_string(sha1($password)); 


/*$username = stripslashes($username);

$password = stripslashes($password);

$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);*/

//$password = md5($password);



//$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";


//$sql="UPDATE tbllogin SET password = '$password' WHERE username = $username";

//$result=mysql_query($sql);

mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");


$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'"; 

//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){  

header("location:machine1.php");

}

else {

echo "Wrong Username or Password";

}

}

?>

</form>

</body>

</html>

#11
Alexander
Posted 05 May 2011 - 09:56 PM

Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location:Vancouver, Eh! Cleverness: 200
You're hashing twice the password, it is the same as entering md5(md5($password)) in to the query.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#12
newphpcoder
Posted 05 May 2011 - 09:57 PM

newphpcoder

    Programming Professional

  • Members
  • PipPipPipPipPipPip
  • 479 posts
I change my table in my database and now the password is not encrypted.

here is my code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Untitled Document</title>

</head>


<body>

<form id="form1" name="form1" method="post" action="">

  <p>

    <label for="username">Username: </label>

    <input type="text" name="username" id="username" />

  </p>

  <p>

    <label for="password">Password: </label>

    <input type="password" name="password" id="password" />

  </p>

  <p>					

    <input type="submit" name="submit" id="submit" value="Submit" />

  </p>

  

<?php

include 'connection.php';


 if (isset($_POST['submit'])) {

$username=$_POST['username']; 

$password=($_POST['password']);




$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);

//$password = mysql_real_escape_string(sha1($password)); 




//$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";


$sql="UPDATE tbllogin SET password = MD5('password') WHERE username = '$username'";

//$result=mysql_query($sql);

//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");


//$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'"; 

//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";


$hashed_pass = md5($password); 

$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";

$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){  

header("location:machine1.php");

}

else {

echo "Wrong Username or Password";

}

}

?>

</form>

</body>

</html>

Kindly check my sql syntax?
thank you
Back to PHP Development


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users



  1. CODECALL Programming Forum
  2. Web Development Forum
  3. PHP Development
IPB skins by Skinbox