
Encryption of password in database

encryption

23 replies to this topic

#13 Alexander

Alexander

    YOL9

  • Moderator
  • 3963 posts
  • Location:Vancouver, Eh! Cleverness: 200
  • Programming Language:C, C++, PHP, Assembly

Posted 05 May 2011 - 10:00 PM

Why are you overwriting their password in an UPDATE query with MD5('password')? That would make the password the hash of 'password' (not $password) and would not match.
  • 0

All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.


#14 newphpcoder

newphpcoder

    CC Devotee

  • Senior Member
  • 527 posts

Posted 05 May 2011 - 10:08 PM

How can I correct it?
  • 0

#15 newphpcoder

newphpcoder

    CC Devotee

  • Senior Member
  • 527 posts

Posted 05 May 2011 - 10:18 PM

I tried this simple code for encryption of password:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="username">Username: </label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password: </label>
<input type="password" name="password" id="password" />
</p>
<p>                    
<input type="submit" name="submit" id="submit" value="Submit" />
</p>

<?php
include 'connection.php';

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=md5($_POST['password']);



$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);
//$password = mysql_real_escape_string(sha1($password));



//$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

//$sql="UPDATE tbllogin SET password = MD5('password') WHERE username = '$username'";
//$result=mysql_query($sql);
//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

//$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'";
$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

//$hashed_pass = md5($password);
//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}
?>
</form>
</body>
</html>


But the result is "Wrong Username or Password", and also the password in the database was not encrypted.

I really need to solve it now...

Thank you so much
  • 0

#16 newphpcoder

newphpcoder

    CC Devotee

  • Senior Member
  • 527 posts

Posted 05 May 2011 - 10:40 PM

When I tried this code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="username">Username: </label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password: </label>
<input type="password" name="password" id="password" />
</p>
<p>                    
<input type="submit" name="submit" id="submit" value="Submit" />
</p>

<?php
include 'connection.php';

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=$_POST['password'];


// encrypt password
$encrypted_mypassword=md5($password);

$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}


//$username = mysql_real_escape_string($username);

//$password = mysql_real_escape_string($password);
//$password = mysql_real_escape_string(sha1($password));



//$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

//$sql="UPDATE tbllogin SET password = MD5('password') WHERE username = '$username'";
//$result=mysql_query($sql);
//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

//$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'";
//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

//$hashed_pass = md5($password);
//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";
//$result=mysql_query($sql);


?>
</form>
</body>
</html>


When I run my login, "Wrong Username or Password" is displayed even though I am inputting anything in username and password, and also when I input a username and password it is still "Wrong Username or Password".
:crying:

I really don't know how I can fix my problem in encrypting the password and logging in successfully.

Thank you for your help
  • 0

#17 Alexander

Alexander

    YOL9

  • Moderator
  • 3963 posts
  • Location:Vancouver, Eh! Cleverness: 200
  • Programming Language:C, C++, PHP, Assembly

Posted 09 May 2011 - 10:14 AM

I believe in your last queries you had overwritten your password with something else; that is likely why your password is incorrect. Try rehashing and manually adding it to the database (such as deleting the entry and registering again), then trying it. Your code seems correct.

You should really have something such as phpMyAdmin to look through the table structure and be able to run test queries; you can discover many things like that which we may not be able to.
  • 0



#18 newphpcoder

newphpcoder

    CC Devotee

  • Senior Member
  • 527 posts

Posted 09 May 2011 - 07:48 PM

Thank you for your suggestion and advice
  • 0

#19 RHochstenbach

RHochstenbach

    CC Resident

  • Advanced Member
  • 56 posts

Posted 10 May 2011 - 09:41 AM

If you have PHP 5.1.2 or higher, you could even use SHA-512 encryption. You can use that one as follows:

$password = "password";
$encrypted_mypassword = hash("sha512", $password);

  • 0

#20 Alexander

Alexander

    YOL9

  • Moderator
  • 3963 posts
  • Location:Vancouver, Eh! Cleverness: 200
  • Programming Language:C, C++, PHP, Assembly

Posted 10 May 2011 - 09:59 AM

If you have PHP 5.1.2 or higher, you could even use SHA-512 encryption. You can use that one as follows:


$password = "password";
$encrypted_mypassword = hash("sha512", $password);


That could work, although it is generally not worth the reduced performance and increased table size on high-traffic systems just to have a higher hash word size. SHA1 is equally secure in this context.
  • 0



#21 rySch

rySch

    CC Lurker

  • Just Joined
  • 8 posts

Posted 13 May 2011 - 12:13 PM

You could go a bit OTT and do this:

$pass = abc123; //user enter password
$sail = "1Dat0p";// your defined salt
$encrypt_pass = sha1($pass.$salt); //encrypt with sha1
for($i=0;$i<=12;$i++){
$encrypt_pass = $md5($encrypt_pass);//encrypt the sha1 a random number of times with md5
}
$new_encrypt = substr(substr($encrypt_pass,0,-5),5);//take off the last 5 and first 5 characters
$new_encrypt = 'rd2d3'.$encrypt_pass.'p98k7; //add in your known first 5 and last 5 characters


Purely speculation.
(BTW I'm new to the boards :), and find security issues fun; I have plenty of beginner to complex ways to encrypt data, will post when I get time to.)

Ryan,
  • 0

#22 Alexander

Alexander

    YOL9

  • Moderator
  • 3963 posts
  • Location:Vancouver, Eh! Cleverness: 200
  • Programming Language:C, C++, PHP, Assembly

Posted 13 May 2011 - 01:05 PM

You could go a bit OTT and do this:
[...]

Purely speculation.
(BTW I'm new to the boards :), and find security issues fun; I have plenty of beginner to complex ways to encrypt data, will post when I get time to.)

Ryan,


Your syntax would not seem to be valid, and although iterations of MD5 would look more secure it simply is too weak an algorithm.
  • 0



#23 rySch

rySch

    CC Lurker

  • Just Joined
  • 8 posts

Posted 13 May 2011 - 02:40 PM

The syntax isn't correct because that's only part of a bigger script.

The MD5 is weak, yes, but the reason for using it is because it's less intensive server side.
The MD5 is more about mixing the hashed code up.

The bit that makes it secure is the SHA1, the salt, and then changing a few of the characters for predefined or dynamically generated ones.
  • 0

#24 newphpcoder

newphpcoder

    CC Devotee

  • Senior Member
  • 527 posts

Posted 18 May 2011 - 08:12 PM

Thank you...
  • 0
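
Added example, not code from any poster in this thread: the login flow discussed above, rewritten so that the submitted value (never a string literal) is hashed, queries use bound parameters, and existing unsalted MD5 rows are upgraded on the next successful login. It assumes PHP 7.1+ with the pdo_sqlite extension (an in-memory SQLite database stands in for the thread's MySQL connection) and uses password_hash()/password_verify(), which arrived in PHP 5.5, after this thread was written; the function names store_password and check_login and the sample users are hypothetical.

```php
<?php
// Added example; only tbllogin/username/password come from the thread.
$db = new PDO('sqlite::memory:');   // assumption: stand-in for the MySQL connection
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbllogin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function store_password(PDO $db, string $username, string $plain): void {
    // Hash the submitted value itself and bind it as a parameter.
    $hash = password_hash($plain, PASSWORD_DEFAULT);   // per-user salt, deliberately slow
    $stmt = $db->prepare('REPLACE INTO tbllogin (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $plain): bool {
    // Look the row up by username only; the hash comparison happens in PHP.
    $stmt = $db->prepare('SELECT password FROM tbllogin WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                                   // unknown user
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy row: unsalted MD5 as stored by the thread's code.
        if (!hash_equals($stored, md5($plain))) {
            return false;
        }
        store_password($db, $username, $plain);         // upgrade the stored hash
        return true;
    }
    return password_verify($plain, $stored);
}

// Constructed sample data: one legacy MD5 row and one new registration.
$db->prepare('INSERT INTO tbllogin VALUES (?, ?)')->execute(['olduser', md5('abc123')]);
store_password($db, 'newuser', 'correct horse');

var_dump(check_login($db, 'olduser', 'abc123'));   // legacy MD5 row, correct password
var_dump(check_login($db, 'olduser', 'abc123'));   // same user after the upgrade
var_dump(check_login($db, 'newuser', 'wrong'));    // wrong password
var_dump(check_login($db, "o'brien", 'abc123'));   // quote in the username is bound as data
```

The password column must be wide enough for the new hashes (the PHP manual recommends 255 characters); a 32-character MD5 column would silently truncate them and every login would fail.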




