database password encryption + code help!
Posted: Thu Jun 18, 2009 8:25 am
by gimpact
Hi there,
I made a quick search and the results were not positive, so I am asking this:
1. Can someone please guide me on how to secure passwords in a database?
2. I have this code
Code:
// string values must be quoted in SQL; escape them with mysql_real_escape_string() before interpolating
mysql_query("INSERT INTO userdata (name, email, activationpassword, password, validation, banned)
VALUES ('$name', '$email', '$activationNumber', '$password', 'no', 'no')");
Can someone please tell me how I use an 'if' statement to make sure that when this code is not executed, I redirect my user somewhere else.
Is it possible in this way?
Code:
// string values quoted; escape them with mysql_real_escape_string() before building the query
$mysqlCommand = "INSERT INTO userdata (name, email, activationpassword, password, validation, banned)
    VALUES ('$name', '$email', '$activationNumber', '$password', 'no', 'no')";
if (!mysql_query($mysqlCommand)) {
    // query failed: e.g. redirect the user somewhere else
} else {
    // query succeeded
}
Thank you,
Re: database password encryption + code help!
Posted: Thu Jun 18, 2009 11:49 am
by jgadrow
Generally, you use some sort of one-way encryption to store passwords in your database. md5() or sha1() are common. Also, for additional security, you can 'salt' the data with a random string. This way, two users with the same password will not have the same password hash in your database.
Just doing the following will help:
Whenever you authenticate (login) the user, you will need to compare using the same:
Code:
SELECT * FROM userdata WHERE password = 'md5hashedpassword';
If you salt the password prior to hashing, you will need to use the exact same salt when authenticating. Hope that helps!
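As an added example (not code from this thread), here is how the register/login flow described above looks with a per-user random salt, a slow password hash and placeholders instead of string interpolation; it assumes PHP 5.5 or newer with pdo_sqlite, uses an in-memory table with the thread's userdata columns, and all names and sample values are made up.

```php
<?php
// Added example, not from the thread: salted password hashing and parameterized
// queries against an in-memory SQLite copy of the "userdata" table.
// Assumes PHP >= 5.5 with the pdo_sqlite extension.

function create_schema(PDO $db) {
    $db->exec("CREATE TABLE userdata (
        name TEXT PRIMARY KEY, email TEXT, activationpassword TEXT,
        password TEXT, validation TEXT, banned TEXT)");
}

// Registration: the plaintext is never stored. password_hash() draws a random
// per-user salt and embeds it (plus the cost) in the returned string, so two
// users with the same password get different hashes and no salt column is needed.
function register_user(PDO $db, $name, $email, $activation, $plaintext) {
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    // Placeholders: user input is bound as data and never becomes part of the SQL.
    $stmt = $db->prepare("INSERT INTO userdata (name, email, activationpassword, password, validation, banned)
                          VALUES (:name, :email, :act, :pw, 'no', 'no')");
    return $stmt->execute(array(':name' => $name, ':email' => $email,
                                ':act' => $activation, ':pw' => $hash));
}

// Login: look the user up by name, then let password_verify() re-derive the hash
// with the embedded salt and compare in constant time. This replaces a
// "WHERE password = '<hash>'" lookup, which only works with an unsalted hash.
function check_login(PDO $db, $name, $plaintext) {
    $stmt = $db->prepare("SELECT password FROM userdata WHERE name = :name");
    $stmt->execute(array(':name' => $name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user: same answer as a wrong password
    }
    return password_verify($plaintext, $row['password']);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_schema($db);
// Constructed sample users; the quote in the second name is stored safely as data.
register_user($db, 'alice', 'alice@example.com', '12345', 'correct horse');
register_user($db, "o'brien", 'obrien@example.com', '67890', 'hunter2');

var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, 'alice', 'wrong password'));
var_dump(check_login($db, "o'brien", 'hunter2'));
var_dump(check_login($db, 'mallory', 'anything'));
```

The first and third checks succeed and the other two fail; because the salt is embedded in each stored hash, no extra column or shared salt string has to be kept in sync with the login code.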
Re: database password encryption + code help!
Posted: Thu Jun 18, 2009 12:50 pm
by mischievous
Not sure what you're looking for exactly... maybe my head is half dead, idk... but here is a nice little encrypt function
Code:
function encrypt($password)
{
    $majorsalt = 'yoursaltedstring';
    // if PHP5
    if (function_exists('str_split'))
    {
        $_pass = str_split($password);
    }
    // if PHP4
    else
    {
        $_pass = array();
        if (is_string($password))
        {
            for ($i = 0; $i < strlen($password); $i++)
            {
                array_push($_pass, $password[$i]);
            }
        }
    }
    // encrypts every single letter of the password
    foreach ($_pass as $_hashpass)
    {
        $majorsalt .= md5($_hashpass);
    }
    // encrypts the string combinations of every single encrypted letter
    // and finally returns the encrypted password
    return md5($majorsalt);
}
Also....
Code:
// string values quoted; escape them with mysql_real_escape_string() before building the query
$query = "INSERT INTO userdata (name, email, activationpassword, password, validation, banned)
    VALUES ('$name', '$email', '$activationNumber', '$password', 'no', 'no')";
$queryexe = mysql_query($query);
if (!$queryexe) {   // check the query result, not the query string
    // This query did not function properly
} else {
    // User has been created.
}
Re: database password encryption + code help!
Posted: Thu Jun 18, 2009 1:36 pm
by Eric!
If you keep the initialization vector in the database too, can't all the passwords then be decrypted if someone were to hack into the database? I don't know if that is how mcrypt works, maybe you need another key, but I think the reason for encrypting is so the database itself is secure if copied/hacked. Just a thought.
Re: database password encryption + code help!
Posted: Thu Jun 18, 2009 8:38 pm
by gimpact
Thank you all for the help. I was looking for an answer on how to encrypt/decrypt data in a database. The project that I am trying out to learn PHP, coming from servlets, contains simple text apart from the username and password. So, I am paying attention to only these two.
However, from the above discussion, I would also like to know, if I were to encrypt/decrypt all data in a table/database, how should I go about it? I have no example to illustrate at this point, but let's just assume something like user name, address, private phone numbers etc.
Eric! wrote:
Of course if you don't use https://, all of this is worthless because someone can grab your plain-text username and password as you submit it from the login form.
I have never designed a site with https://, but I was told that, to use https:// on a site, I will have to transform all links in my site from
http://www.domain.com/index.html to
https://www.domain.com/index.html. I was thinking, is it worth taking all pages of a site over https: just for the sake that it is more secure?
Thank you,
Re: database password encryption + code help!
Posted: Thu Jun 18, 2009 9:59 pm
by Eric!
https is just an SSL connection; you can set this up to automatically switch to https without hard-coding URLs. Change the .htaccess to something like
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
# send any non-HTTPS request to the same path over https
RewriteRule (.*) https://www.example.com/$1 [R=301,L]
There are non-mod_rewrite ways to do this too.
Anyway, for the encryption: you encrypt just like Mcinfo said. You can keep a public key in the database and a private key in your script, then use those to encrypt and decrypt whatever you want. If your entire site is compromised they can find your keys and decrypt things. I bet if you google mcrypt you'll find lots of info.