database password encryption + code help!

Posted: Thu Jun 18, 2009 8:25 am
by gimpact
Hi there,
I made a quick search and the results were not positive, so I am asking this:

1. Can someone please guide me on how to secure passwords in a database?

2. I have this code

// string values must be quoted and escaped, otherwise the INSERT fails (or can be altered by the input)
mysql_query("INSERT INTO userdata (name, email, activationpassword, password, validation, banned)
            VALUES ('" . mysql_real_escape_string($name) . "', '" . mysql_real_escape_string($email) . "',
                    '" . mysql_real_escape_string($activationNumber) . "', '" . mysql_real_escape_string($password) . "', 'no', 'no')");
Can someone please tell me how to use an 'if' statement to make sure that when this code is not executed, I redirect my user somewhere else?

Is it possible in this way?

// quote and escape every string value; an unquoted $name etc. is a syntax error at best
$mysqlCommand = "INSERT INTO userdata (name, email, activationpassword, password, validation, banned)
            VALUES ('" . mysql_real_escape_string($name) . "', '" . mysql_real_escape_string($email) . "',
                    '" . mysql_real_escape_string($activationNumber) . "', '" . mysql_real_escape_string($password) . "', 'no', 'no')";
if (!mysql_query($mysqlCommand)) {
    // the INSERT failed: send the user elsewhere (placeholder page) and stop the script
    header('Location: /error.php');
    exit;
} else {
    // the row was inserted
}
 
Thank you,

Re: database password encryption + code help!

Posted: Thu Jun 18, 2009 11:49 am
by jgadrow
Generally, you use some sort of one-way encryption to store passwords in your database. md5() or sha1() are common. Also, for additional security, you can 'salt' the data with a random string. This way, two users with the same password will not have the same password hash in your database.

Just doing the following will help:

$password = md5($password);
Whenever you authenticate (login) the user, you will need to compare using the same:

SELECT * FROM userdata WHERE password = 'md5hashedpassword';
If you salt the password prior to hashing, you will need to use the exact same salt when authenticating. Hope that helps!
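The salted hash jgadrow describes, together with the "if the INSERT did not run, redirect" check from the original question, as an added example that is not code from this thread. It assumes a mysqli connection `$db`, an extra `salt` column in the thread's `userdata` table, and PHP 5.6+ for `hash_equals()`; SHA-256 stands in for md5/sha1, and on PHP 5.5+ `password_hash()`/`password_verify()` should be used instead.

```php
<?php
// Added example, not code from the thread: per-user random salt + SHA-256, in
// register/login functions that return false when the INSERT or lookup fails
// (the original poster's redirect question). Assumed: a mysqli connection $db and
// an extra 'salt' column in the thread's userdata table. On PHP >= 5.5 use
// password_hash()/password_verify() instead; they handle the salting for you.
function make_salt() {
    // 16 random bytes, hex-encoded: every user gets a different salt
    return bin2hex(openssl_random_pseudo_bytes(16));
}

function hash_password($password, $salt) {
    // salt in front of the password: equal passwords still give different hashes
    return hash('sha256', $salt . $password);
}

function register_user(mysqli $db, $name, $email, $activationNumber, $password) {
    $salt = make_salt();
    $hash = hash_password($password, $salt);
    // prepared statement: values are bound, never spliced into the SQL string
    $stmt = $db->prepare("INSERT INTO userdata (name, email, activationpassword, password, salt, validation, banned)
                          VALUES (?, ?, ?, ?, ?, 'no', 'no')");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sssss', $name, $email, $activationNumber, $hash, $salt);
    $ok = $stmt->execute();      // false if the INSERT did not run (e.g. duplicate name)
    $stmt->close();
    return $ok;
}

function login_user(mysqli $db, $name, $password) {
    // fetch salt + hash for this user and compare in PHP, not in the WHERE clause
    $stmt = $db->prepare("SELECT password, salt FROM userdata WHERE name = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($storedHash, $salt);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;            // unknown user
    }
    // hash_equals() (PHP 5.6+) compares without leaking timing; use === on older PHP
    return hash_equals($storedHash, hash_password($password, $salt));
}
```

The redirect from the original question then becomes `if (!register_user($db, $name, $email, $activationNumber, $password)) { header('Location: /register-failed.php'); exit; }` with a page of your choice.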

Re: database password encryption + code help!

Posted: Thu Jun 18, 2009 12:50 pm
by mischievous
Not sure what you're looking for exactly... maybe my head is half dead, idk... but here is a nice little encrypt function :dubious:

function encrypt($password)
    {
        $majorsalt = 'yoursaltedstring';
        // if PHP5
        if (function_exists('str_split'))
        {
            $_pass = str_split($password);
        }
        // if PHP4
        else
        {
            $_pass = array();
            if (is_string($password))
            {
                for ($i = 0; $i < strlen($password); $i++)
                {
                    array_push($_pass, $password[$i]);
                }
            }
        }
        // encrypts every single letter of the password
        foreach ($_pass as $_hashpass)
        {
            $majorsalt .= md5($_hashpass);
        }
        // encrypts the string combinations of every single encrypted letter
        // and finally returns the encrypted password
        return md5($majorsalt);
    }
Also....

$query = "INSERT INTO userdata (name, email, activationpassword, password, validation, banned)
            VALUES ('" . mysql_real_escape_string($name) . "', '" . mysql_real_escape_string($email) . "',
                    '" . mysql_real_escape_string($activationNumber) . "', '" . mysql_real_escape_string($password) . "', 'no', 'no')";
$queryexe = mysql_query($query);

// test the result of mysql_query(), not the SQL string (which is always a non-empty string)
if (!$queryexe) {
    // This query did not function properly
} else {
    // User has been created.
}

Re: database password encryption + code help!

Posted: Thu Jun 18, 2009 1:36 pm
by Eric!
If you keep the initialization vector in the database too can't all the passwords then be decrypted if someone were to hack into the database? I don't know if that is how mcrypt works, maybe you need another key, but I think the reason for encrypting is so the database itself is secure if copied/hacked. Just a thought.

Re: database password encryption + code help!

Posted: Thu Jun 18, 2009 8:38 pm
by gimpact
Thank you all for the help. I was looking for an answer on how to encrypt/decrypt data in a database. The project that I am trying out to learn PHP, coming from servlets, contains simple text apart from username and password. So, I am paying attention to only these two.

However, from the above discussion, I would also like to know: if I were to encrypt/decrypt all data in a table/database, how should I go about it? I have no example to illustrate at this point, but let's just assume something like user name, address, private phone numbers, etc.
Eric! wrote: Of course if you don't use https://, all of this is worthless because someone can grab your plain-text username and password as you submit it from the login form.
I have never designed a site with https://, but I was told that, to use https:// on a site, I will have to transform all links in my site from http://www.domain.com/index.html to https://www.domain.com/index.html. I was wondering whether it is worth taking all pages of a site over https:// just for the sake of it being more secure?

Thank you,

Re: database password encryption + code help!

Posted: Thu Jun 18, 2009 9:59 pm
by Eric!
HTTPS is just an SSL connection; you can set this up to automatically switch to https without hard-coding URLs. Change the .htaccess to something like

RewriteEngine On
# only rewrite requests that arrived over plain HTTP
RewriteCond %{HTTPS} off
# send the same path to the HTTPS host; R=301 makes it a redirect, L stops further rules
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
There are non-mod_rewrite ways to do this too.

Anyway, for the encryption: you encrypt just like Mcinfo said. You can keep a public key in the database and a private key in your script, then use those to encrypt and decrypt whatever you want. If your entire site is compromised, they can find your keys and decrypt things. I bet if you Google mcrypt you'll find lots of info.
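The reversible column encryption discussed here, and Eric!'s earlier question about keeping the IV in the database, as an added example that is not code from this thread: one symmetric key kept outside the database, a random IV stored next to each ciphertext (the IV is not secret; only the key is), and a MAC so a modified row is rejected. It swaps the thread's mcrypt for `openssl_encrypt()` and assumes the key-file path and PHP 5.6+ for `hash_equals()`.

```php
<?php
// Added example, not code from the thread: reversible encryption of a column
// (a phone number, say) with AES-256-CBC via openssl_encrypt(); the thread names
// mcrypt, openssl is the swap here. One symmetric key, loaded from a file outside
// the web root (path assumed) and never stored in the database. The IV is not
// secret and is stored with the ciphertext; only the key must stay out of the DB.
define('COLUMN_KEY_FILE', '/etc/myapp/column.key');   // assumed path, 32 raw bytes

function load_key() {
    $key = file_get_contents(COLUMN_KEY_FILE);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('column key missing or not 32 bytes');
    }
    return $key;
}

function encrypt_field($plaintext, $key) {
    // fresh random IV per value, so equal plaintexts give different ciphertexts
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    // MAC over iv+ciphertext (separate derived key) so a tampered row is rejected
    $mac = hash_hmac('sha256', $iv . $ct, hash_hmac('sha256', 'mac', $key, true), true);
    return base64_encode($iv . $mac . $ct);   // this string goes into the column
}

function decrypt_field($stored, $key) {
    $raw   = base64_decode($stored, true);
    $ivlen = openssl_cipher_iv_length('aes-256-cbc');
    if ($raw === false || strlen($raw) < $ivlen + 32) {
        return false;                         // not something encrypt_field() produced
    }
    $iv  = substr($raw, 0, $ivlen);
    $mac = substr($raw, $ivlen, 32);
    $ct  = substr($raw, $ivlen + 32);
    $expected = hash_hmac('sha256', $iv . $ct, hash_hmac('sha256', 'mac', $key, true), true);
    if (!hash_equals($expected, $mac)) {
        return false;                         // tampered, or decrypting with the wrong key
    }
    return openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

$key    = load_key();
$stored = encrypt_field('+1 555 0100', $key);   // store $stored in the row
$phone  = decrypt_field($stored, $key);         // read it back when rendering the page
```

Whoever copies the database alone gets only ciphertexts, IVs and MACs; the key file (readable by the web user only) is what they would still need.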