Welcome to Dream.In.Code
Encrypting passwords on registration and login

 

jeansymolanza
26 Feb, 2008 - 10:21 AM
Post #1

My "I Love Physics" site is almost done but currently I have concerns over security. Even though it's just a school site for my Physics teacher, I am worried that the user passwords could easily be attained by "dodgy" personnel. So I would like to store encrypted passwords on the database.

How does one go about using the md5 function?

CODE

<?php
//connect to database//
$db_name="ilovephysics";
$connection = @mysql_connect("localhost","root","password") or die(mysql_error());
$db = @mysql_select_db($db_name,$connection) or die(mysql_error());

//collect data from previous page and assign to variables//
$title=$_POST['title'];
$fname=$_POST['firstname'];
$lname=$_POST['lastname'];
$email=$_POST['emailaddress'];
$password=$_POST['password'];
$add1=$_POST['streetaddress1'];
$add2=$_POST['streetaddress2'];
$bdate=$_POST['birthdate'];
$bmonth=$_POST['birthmonth'];
$byear=$_POST['birthyear'];
$pcode=$_POST['postcode'];
$town=$_POST['town'];
$county=$_POST['county'];
$cnumber=$_POST['contactnumber'];
$squestion=$_POST['secretquestion'];
$sanswer=$_POST['secretanswer'];

//assign SQL query to a variable//
$sql="INSERT INTO tbl_users (title, fname, lname, add1, add2, bdate, bmonth, byear, pcode, town, county, cnumber, squestion, sanswer, email, password) VALUES
('$title', '$fname', '$lname', '$add1', '$add2', '$bdate', '$bmonth', '$byear', '$pcode', '$town', '$county', '$cnumber', '$squestion', '$sanswer', '$email', '$password')";

//run the query//
$result=@mysql_query($sql) or die(mysql_error());
?>


To complicate matters for myself slightly I also have a "View User" page for admin which echoes the user's password.

CODE
<?php
//connect to database//
$db_name = "ilovephysics";
$connection = @mysql_connect("localhost","root","password") or die(mysql_error());
$db= @mysql_select_db($db_name,$connection) or die(mysql_error());

//cast to an integer so the value cannot alter the query below//
$id=(int)$_GET['ID'];

//assign a SQL query text to a variable//
$sql="SELECT id, admin, title, fname, lname, add1, add2, bdate, bmonth, byear, pcode, town, county, cnumber, squestion, sanswer, email, password FROM tbl_users WHERE ID=$id;";

//run the query and assign all the rows that are returned to the variable $result//
$result = @mysql_query($sql) or die(mysql_error());

//count the number of rows in the output//
$numrows=mysql_num_rows($result);

//read the first (and only) row, since the query matched on the primary key//
$i=0;
$admin=mysql_result($result,$i,"admin");
$title=mysql_result($result,$i,"title");
$fname=mysql_result($result,$i,"fname");
$lname=mysql_result($result,$i,"lname");
$add1=mysql_result($result,$i,"add1");
$add2=mysql_result($result,$i,"add2");
$bdate=mysql_result($result,$i,"bdate");
$bmonth=mysql_result($result,$i,"bmonth");
$byear=mysql_result($result,$i,"byear");
$pcode=mysql_result($result,$i,"pcode");
$town=mysql_result($result,$i,"town");
$county=mysql_result($result,$i,"county");
$cnumber=mysql_result($result,$i,"cnumber");
$squestion=mysql_result($result,$i,"squestion");
$sanswer=mysql_result($result,$i,"sanswer");
$email=mysql_result($result,$i,"email");
$password=mysql_result($result,$i,"password");
?>


Here is the echo:

CODE

  <td>Password</td>
  <td><?php echo $password; ?></td>


Upon using the md5 function, would I need to remove this password feature? Or is there a way to "un"encrypt the password and display it on the View User page in its normal form?

CODE
<?php require_once('../Connections/ilovephysics.php'); ?><?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['email'])) {
  $loginUsername=$_POST['email'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "../buy/user.php";
  $MM_redirectLoginFailed = "loginfail.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_ilovephysics, $ilovephysics);
  
  $LoginRS__query=sprintf("SELECT email, password FROM tbl_users WHERE email='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
  
  $LoginRS = mysql_query($LoginRS__query, $ilovephysics) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
    
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;          

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];    
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>


The last bit of the problem lies within the login page. So the user enters their password. The password entered needs to be encrypted and compared against the encrypted password in the database. How would I go about this? I've only started learning PHP this year and it's taking time to get the hang of it.

I'd appreciate any help offered in attaining a solution. Thanking you in advance.

k0b13r
RE: Encrypting Passwords On Registration And Login
26 Feb, 2008 - 02:01 PM
Post #2

You can't hash-back things that are encrypted with MD5.
For security reasons you should hash the password, and then save it to the DB. When you're authorizing a user, use MD5 again on the inputted password; if it matches the one in the DB it should be OK.
But MD5 isn't very secure; instead of (example)
CODE

md5($password);

you should use
CODE

md5("$salt + $password");

where $salt is something constant, your choice.
And, showing the password on the 'View profile' page isn't a good idea in my opinion (someone could be behind you and read your password ...)
If you need, I can write example code comparing the password from input and database for you.
I hope it helps a bit :)

This post has been edited by k0b13r: 26 Feb, 2008 - 02:21 PM

SpaceMan
RE: Encrypting Passwords On Registration And Login
26 Feb, 2008 - 05:18 PM
Post #3


md5 is a hash; it can not be gotten back out, it can only be reset/changed.
encrypt is 2-way.

I am curious why you chose to use mysql_result in this way?

This would do the same thing, in one query.
CODE

$row=mysql_fetch_assoc($result);
extract($row);


This post has been edited by SpaceMan: 27 Feb, 2008 - 04:18 AM
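Worked example, added by the editor and not code from any post in this thread: the register, login and view-user flow discussed in posts #1 to #3, written with PHP's built-in password_hash() and password_verify() (available since PHP 5.5) in place of the md5() calls suggested above, and with PDO prepared statements in place of string-built SQL. The connection credentials, the `ilovephysics_app` account, the reduced set of profile columns, and a `password` column widened to VARCHAR(255) to hold a hash are assumptions; the table and column names come from the thread.

```php
<?php
// Worked example added by the editor, not code posted in this thread.
// Register / login / view-user flow using PHP's built-in password_hash() and
// password_verify() (PHP 5.5+) and PDO prepared statements.
// Assumptions: the tbl_users table from the thread with its `password` column
// widened to VARCHAR(255) to hold a hash, a reduced set of profile columns,
// and placeholder connection credentials.
declare(strict_types=1);

function db(): PDO
{
    // Placeholder DSN and account; a dedicated low-privilege account is assumed here, not root.
    return new PDO(
        'mysql:host=localhost;dbname=ilovephysics;charset=utf8mb4',
        'ilovephysics_app',
        'PLACEHOLDER_PASSWORD',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Registration: store only a salted, slow hash; the clear-text password never reaches the table.
function registerUser(PDO $pdo, array $form): int
{
    // password_hash() picks a random per-user salt and embeds it in its output,
    // so no hand-built "$salt + $password" string and no extra salt column are needed.
    $hash = password_hash($form['password'], PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'INSERT INTO tbl_users (title, fname, lname, email, password)
         VALUES (:title, :fname, :lname, :email, :password)'
    );
    $stmt->execute([
        ':title'    => $form['title'],
        ':fname'    => $form['firstname'],
        ':lname'    => $form['lastname'],
        ':email'    => $form['emailaddress'],
        ':password' => $hash,
    ]);
    return (int) $pdo->lastInsertId();
}

// Login: look the user up by e-mail only and let password_verify() compare the
// submitted password with the stored hash. Returns the user id, or null on failure.
function loginUser(PDO $pdo, string $email, string $password): ?int
{
    // A pre-computed dummy hash keeps the hashing work constant when the e-mail is
    // unknown, so response time does not reveal which addresses are registered.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT id, password FROM tbl_users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = ($row !== false) ? $row['password'] : $dummyHash;
    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }

    // Upgrade the stored hash transparently if PASSWORD_DEFAULT has been strengthened since.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE tbl_users SET password = :password WHERE id = :id');
        $upd->execute([':password' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// "View User" page: the password column is not selected at all, the id is bound
// rather than interpolated from $_GET, and fields are read from the row array
// instead of being extract()-ed into the local scope (where a column named like an
// existing variable, e.g. admin, would silently overwrite it).
function viewUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, admin, title, fname, lname, email FROM tbl_users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// Constructed usage from the request handlers:
//   $newId  = registerUser(db(), $_POST);
//   $userId = loginUser(db(), $_POST['email'], $_POST['password']);   // null => send to loginfail.php
//   $user   = viewUser(db(), (int) $_GET['ID']);
//   echo '<td>' . htmlspecialchars($user['fname'], ENT_QUOTES, 'UTF-8') . '</td>';
```

Why the swap from the md5() scheme: a single md5() call is fast, and a constant $salt is shared by every account, so one precomputed table covers all users at once; password_hash() stores a random salt per user and runs a deliberately slow algorithm, which is the property a password store needs. The view page also stops selecting the password column altogether, which is the decision the thread arrives at, and reads fields from the row array rather than extract()-ing them, so a database column can never shadow a variable such as $id in the page's own scope.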

jeansymolanza
RE: Encrypting Passwords On Registration And Login
26 Feb, 2008 - 11:28 PM
Post #4

QUOTE(k0b13r @ 26 Feb, 2008 - 03:01 PM)

You can't hash-back things that are encrypted with MD5.
For security reasons you should hash the password, and then save it to the DB. When you're authorizing a user, use MD5 again on the inputted password; if it matches the one in the DB it should be OK.
But MD5 isn't very secure; instead of (example)
CODE

md5($password);

you should use
CODE

md5("$salt + $password");

where $salt is something constant, your choice.
And, showing the password on the 'View profile' page isn't a good idea in my opinion (someone could be behind you and read your password ...)
If you need, I can write example code comparing the password from input and database for you.
I hope it helps a bit :)


Thanks! So I'll remove the "password view" feature from the view profile page completely, meaning passwords can only be reset and not recovered if it comes to it.

Example code would help me get started. Thank you yet again.

QUOTE(SpaceMan @ 26 Feb, 2008 - 06:18 PM)

md5 is a hash; it can not be gotten back out, it can only be reset/changed.
encrypt is 2-way.

I am curious why you chose to use mysql_result in this way?

This would do the same thing, in one query.
CODE

$row=mysql_fetch_assoc($result);
extract($row);



The sample code given during our introductory PHP lessons in class was in that format. I've used it on all of my pages.

k0b13r
RE: Encrypting Passwords On Registration And Login
27 Feb, 2008 - 02:41 AM
Post #5

On most sites on the Internet you can't recover passwords, only reset them (when forgotten). I think it's a good way for usability and security at the same time :)

I was glad to help ;-)