Encryption for safety

Aaron
Forum Commoner
Posts: 82
Joined: Sun May 12, 2002 2:51 pm

Encryption for safety

Post by Aaron »

At the start of every page I have this...

Code:

//IF COOKIES PRESENT CHECK THE DB TO SEE IF THE USERNAME AND PASS ARE LEGIT
	if (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
		// escape the cookie values before putting them into the query string
		$username = mysql_real_escape_string($_COOKIE['username']);
		$password = mysql_real_escape_string($_COOKIE['password']);
		$auth = mysql_fetch_object(mysql_query("SELECT uid, username, password, status FROM $UserDB.unz_users WHERE username = '$username' AND password = '$password'"));

		//SET USER VARIABLES
		$user_properties['username'] = $auth->username;
		$user_properties['uid'] = $auth->uid;
		$user_properties['status_id'] = $auth->status;
	}
	$user_properties['last_visit'] = $_COOKIE['last_visit'];
//SET LAST VISIT
	$time = time();
	setcookie("last_visit", "$time", time()+60*60*24*30, '/', '.wuggawoo.co.uk', 0);
It continues to do a few more things...

I wondered what the best way of encryption would be and how I would slot it into that. Can I encrypt the username and password after the database check and then decrypt just before the query?
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

There are numerous ways. The easiest and fastest way I can think of is to use MD5().

This is also supported by MySQL, meaning that you can use a varchar(32) field to store passwords in the database, but before inserting them you apply the MD5 function:

Code:

insert into table values (name, MD5(password))
If md5($php_variable) is then the same as the result of "select password from table where user = 'whatever'", you have a match.

This is just an example. Another interesting approach is using crypt(). Take a peek at that page and look at the user comments for some more ideas.
nigma
DevNet Resident
Posts: 1094
Joined: Sat Jan 25, 2003 1:49 am

Post by nigma »

Aaron? Yourbudaaron?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

If the encrypted value is valid as a password, you gain nothing from encryption. Storing the encrypted password in the database prevents stealing data from the database, but it does not improve security at the transport layer or in client storage.
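The two points made in the replies, as an added PHP example that is not code from this thread: the stored credential is a one-way hash (JAM's point), and the cookie carries only a random session token rather than the password or its hash, so a value lifted from the database or the cookie is never itself a valid login (volka's point). The in-memory arrays are constructed stand-ins for the unz_users table and a hypothetical sessions table, and password_hash() is used in place of MD5(), which is unsalted and fast to brute-force.

```php
<?php
// Constructed stand-ins for database tables (no real DB needed to run this).
$users = [];     // username => row, mirrors unz_users
$sessions = [];  // token => ['uid' => ..., 'expires' => ...]

function register(array &$users, int $uid, string $username, string $password): void {
    $users[$username] = [
        'uid'      => $uid,
        'username' => $username,
        // one-way, salted hash; the plaintext is never written anywhere
        'password' => password_hash($password, PASSWORD_DEFAULT),
        'status'   => 1,
    ];
}

// Only this function ever sees the plaintext password, and only at login time.
// Returns an opaque session token on success, null otherwise.
function login(array $users, array &$sessions, string $username, string $password): ?string {
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['password'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));  // 256 random bits: unguessable, meaningless if leaked
    $sessions[$token] = ['uid' => $users[$username]['uid'], 'expires' => time() + 60 * 60 * 24 * 30];
    return $token;
}

// What the per-page check becomes: look up the token, never the password.
function userFromCookie(array $sessions, array $users, ?string $token): ?array {
    if ($token === null || !isset($sessions[$token]) || $sessions[$token]['expires'] < time()) {
        return null;  // unknown or expired token: treat as logged out
    }
    foreach ($users as $row) {
        if ($row['uid'] === $sessions[$token]['uid']) {
            return $row;
        }
    }
    return null;
}

register($users, 1, 'aaron', 'correct horse battery');
$token = login($users, $sessions, 'aaron', 'correct horse battery');
// In a real page the token goes out with Secure and HttpOnly set, e.g.:
// setcookie('session', $token, time() + 60*60*24*30, '/', '', true, true);
assert(login($users, $sessions, 'aaron', 'wrong password') === null);
assert(userFromCookie($sessions, $users, $token)['username'] === 'aaron');
// Knowing the stored hash alone does not log you in, unlike a cookie that holds the password:
assert(login($users, $sessions, 'aaron', $users['aaron']['password']) === null);
assert(userFromCookie($sessions, $users, 'not-a-real-token') === null);
```

Logging out is then just deleting the server-side session row; nothing in the cookie needs to be "decrypted" because it never contained the credential.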
Aaron
Forum Commoner
Posts: 82
Joined: Sun May 12, 2002 2:51 pm

Post by Aaron »

I have 40 registered members, however; it would be a pain to do it all manually or write a script... can I not just encrypt and decrypt around the cookie?