
Encryption for safety

Posted: Wed Oct 22, 2003 4:42 pm
by Aaron
At the start of every page I have this...

Code:

//IF COOKIES PRESENT CHECK THE DB TO SEE IF THE USERNAME AND PASS ARE LEGIT
if (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
    // Cookie values are client-controlled: escape them before they go into the query
    $username = mysql_real_escape_string($_COOKIE['username']);
    $password = mysql_real_escape_string($_COOKIE['password']);
    $result = mysql_query("SELECT uid, username, password, status FROM $UserDB.unz_users"
        . " WHERE username = '$username' AND password = '$password'");
    $auth = ($result !== false) ? mysql_fetch_object($result) : false;

    //SET USER VARIABLES (only when a row matched; $auth is false otherwise)
    if ($auth) {
        $user_properties['username'] = $auth->username;
        $user_properties['uid'] = $auth->uid;
        $user_properties['status_id'] = $auth->status;
    }
}
$user_properties['last_visit'] = isset($_COOKIE['last_visit']) ? $_COOKIE['last_visit'] : null;
//SET LAST VISIT ($time is defined elsewhere on the page, not shown here)
setcookie("last_visit", "$time", time() + 60*60*24*30, '/', '.wuggawoo.co.uk', 0);
It continues to do a few more things...

I wondered what the best way of encryption would be and how I would slot it into that. Can I encrypt the username and password after the database check and then decrypt just before the query?

Posted: Wed Oct 22, 2003 10:30 pm
by JAM
There are numerous ways. The easiest and fastest way I can think of is to use MD5().

This is also supported by MySQL, meaning that you can use a varchar(32) field to store passwords in the database, but before inserting them you add the MD5 function:

Code:

INSERT INTO users (username, password) VALUES ('name', MD5('password'));
If md5($php_variable) is then the same as the result of "select password from table where user = 'whatever'", you have a match.

This is just an example. Another interesting approach is using crypt(). Take a peek at that page and look at the user comments for some more ideas.

Posted: Wed Oct 22, 2003 11:11 pm
by nigma
Aaron? Yourbudaaron?

Posted: Wed Oct 22, 2003 11:39 pm
by volka
If the encrypted value is valid as a password, you gain nothing from encryption. Storing the encrypted password in the database prevents stealing data from the database, but does not improve security at either the transport layer or the client storage.
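The two points above, as an added example that is not code from the thread: JAM's scheme (store MD5(password), compare it with the MD5 of what the user submits) and volka's objection to it (if the cookie carries the stored hash, the hash is itself "valid as password", so whoever reads the cookie logs in without ever learning the password). The last part goes beyond what the thread proposes and shows the usual fix, a random server-side session token instead of credentials in the cookie. The $users and $sessions arrays stand in for database tables, the usernames and passwords are made up, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not the thread's code. $users stands in for the unz_users table:
// username => MD5 of the password, as JAM's INSERT ... MD5(password) would store it.
$users = [
    'aaron' => md5('wugga-woo-2003'),   // hypothetical password
    'nigma' => md5('hunter2'),          // hypothetical password
];

// Tiny self-check helper so the script reports its own results when run.
function check(bool $cond, string $what): void {
    echo ($cond ? 'OK   ' : 'FAIL ') . $what . PHP_EOL;
    if (!$cond) { exit(1); }
}

// JAM's scheme: hash what the user typed and compare it with the stored hash.
function login_with_password(array $users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        return false;
    }
    return hash_equals($users[$username], md5($password));   // constant-time compare
}

// The first post's cookie login with the plaintext password replaced by its MD5:
// the server compares the cookie value directly against the stored hash.
function login_with_hash_cookie(array $users, string $username, string $cookieHash): bool {
    if (!isset($users[$username])) {
        return false;
    }
    return hash_equals($users[$username], $cookieHash);
}

check(login_with_password($users, 'aaron', 'wugga-woo-2003'), 'real user with the right password logs in');
check(!login_with_password($users, 'aaron', 'wrong'), 'wrong password is rejected');

// volka's point: the cookie value (sniffed on the wire or copied from the browser's
// cookie file) is all an attacker needs. They never learn the password, and do not need to.
$stolenCookie = $users['aaron'];
check(login_with_hash_cookie($users, 'aaron', $stolenCookie), 'stolen hash cookie logs in just the same');

// Hardened version (beyond the thread): keep credentials out of the cookie and hand the
// browser an opaque random token that is looked up server-side and expires.
$sessions = [];   // token => ['username' => ..., 'expires' => unix time]; stand-in for a sessions table

function issue_session(array &$sessions, string $username, int $ttl = 30 * 24 * 60 * 60): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG: not guessable, not derived from the password
    $sessions[$token] = ['username' => $username, 'expires' => time() + $ttl];
    return $token;
}

function user_from_session(array $sessions, string $token): ?string {
    if (!isset($sessions[$token]) || $sessions[$token]['expires'] < time()) {
        return null;
    }
    return $sessions[$token]['username'];
}

if (login_with_password($users, 'aaron', 'wugga-woo-2003')) {
    $token = issue_session($sessions, 'aaron');
    // On a real page the token is what goes into the cookie, over HTTPS and HttpOnly:
    // setcookie('session', $token, time() + 30*24*60*60, '/', '.wuggawoo.co.uk', true, true);
    check(user_from_session($sessions, $token) === 'aaron', 'valid session token resolves to the user');
}
check(user_from_session($sessions, bin2hex(random_bytes(32))) === null, 'guessed token resolves to nobody');
```

A stolen session token still grants access until it expires, which is why the hardened version adds an expiry and why the real cookie should be set with the secure and HttpOnly flags; the difference from the hash cookie is that the token can be revoked server-side and reveals nothing about the password.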

Posted: Thu Oct 23, 2003 5:53 pm
by Aaron
I however have 40 registered members; it would be a pain to do it all manually or write a script... can I not just encrypt and decrypt around the cookie?