password decryption...anyone?
Posted: Mon Feb 07, 2005 1:23 am
by pleigh
hi there,
i was able to encrypt password through password() function...is there any function in PHP where you can decrypt password?
thanks
pleigh

Posted: Mon Feb 07, 2005 1:33 am
by Chris Corbyn
What's the password() function?... I can't see it anywhere in the manual on php.net. Did you get a code snippet for this? If you post the function snippet then it's probably easy to decrypt

Posted: Mon Feb 07, 2005 1:57 am
by feyd
I believe pleigh is talking about the MySQL PASSWORD() function.. ::
http://dev.mysql.com/doc/mysql/en/encry ... tions.html
Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application.
Posted: Mon Feb 07, 2005 1:57 am
by pleigh
got it from the book

Posted: Mon Feb 07, 2005 2:00 am
by feyd
which book? post the code to the function. We're not here to guess at what you are talking about, please be specific.
Posted: Mon Feb 07, 2005 2:01 am
by pleigh
thanks feyd. u have an idea of decrypting it?
Posted: Mon Feb 07, 2005 2:08 am
by pleigh
here's the summary of my register page:
Code:
if (empty($_POST['password1']))
{
    $pw = FALSE;
    $message .= 'Enter your password!<br>';
}
else
{
    if ($_POST['password1'] == $_POST['password2'])
    {
        $pw = $_POST['password1'];
    }
    else
    {
        echo 'Your password did not match the confirmed password!<br>';
    }
}
if ($fn && $ln && $un && $pw && $e)
{
    $query = "INSERT INTO users(firstname, lastname, username, password, email)
    values('$fn','$ln','$un', '$pw', '$e')";
    $result = @mysql_query($query);
    if ($result)
    {
        echo '<b>You have been registered</b><br>';
        exit();
    }
    else
    {
        $message = 'You could not be registered due to system error.<br>'.mysql_error();
    }
}
and here's my login page:
Code:
if (empty($_POST['password']))
{
    $pw = FALSE;
    $message .= 'Please enter your password!<br>';
}
else
{
    $pw = stripslashes($_POST['password']);
}
//if username and password OK...
if ($un && $pw)
{
    $query = "SELECT userID, firstname FROM users WHERE username='$un' AND password='$pw'";
    $result = @mysql_query ($query);
    $row = mysql_fetch_array ($result, MYSQL_NUM);
    if ($row)
    {
        $_SESSION['firstname'] = $row[1];
        $_SESSION['userID'] = $row[0];
        header ("Location: http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/template.php");
        exit();
    }
    else
    {
        $message = 'The username and password entered do not match.<br>';
    }
}
the problem is, i can encrypt the password during registration using password(), but when i log in, i cannot access the next page for password mismatch...
thanks
pleigh
Posted: Mon Feb 07, 2005 2:18 am
by pleigh
oops!!! sorry, i haven't used the password encryption yet...but i used the password() like:
in login page:
[code]
$query = "SELECT userID, firstname FROM users WHERE username='$un' AND password='$pw'";
[/code]
and register page:
[code]
$query = "INSERT INTO users(firstname, lastname, username, password, email)
values('$fn','$ln','$un', PASSWORD('$pw'), '$e')";
[/code]
Posted: Mon Feb 07, 2005 2:25 am
by feyd
did you read the note I quoted? at any rate, the selection should be done against the password like so:
Code:
SELECT `userID`, `firstname` FROM `users` WHERE `username` = '$un' AND `password` = PASSWORD('$pw')
Posted: Mon Feb 07, 2005 2:34 am
by pleigh
now i'm really confused...sorry...
Posted: Mon Feb 07, 2005 2:41 am
by feyd
you don't decrypt it, you test the already encrypted string, against the submitted password after passing it through the same encryption.
Posted: Mon Feb 07, 2005 2:45 am
by timvw
btw, i really suggest you to read the MySQL manual.. Because it has some things to say about that PASSWORD function.. (As in that it's not a good idea to use it...)
http://dev.mysql.com/doc/mysql/en/encry ... tions.html
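
Added example, not part of the thread or any poster's code: the check feyd describes (hash at registration, hash the submitted password again at login and compare, never decrypt) written with PHP's password_hash()/password_verify() and PDO prepared statements instead of MySQL's PASSWORD(). This goes beyond the thread's own suggestions; the in-memory SQLite table, its columns and the sample account are constructed for the example and assume the pdo_sqlite extension is available.

```php
<?php
// Constructed schema in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    userID INTEGER PRIMARY KEY, firstname TEXT,
    username TEXT UNIQUE, password TEXT)');

function register(PDO $db, string $fn, string $un, string $pw): void
{
    // One-way, salted hash: there is nothing to "decrypt" later.
    $hash = password_hash($pw, PASSWORD_DEFAULT);
    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO users (firstname, username, password) VALUES (?, ?, ?)');
    $stmt->execute([$fn, $un, $hash]);
}

function login(PDO $db, string $un, string $pw): ?array
{
    // Look the row up by username only. The salt is stored inside the hash,
    // so the comparison is done by password_verify(), not in the WHERE clause.
    $stmt = $db->prepare(
        'SELECT userID, firstname, password FROM users WHERE username = ?');
    $stmt->execute([$un]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pw, $row['password'])) {
        return null; // same answer for unknown user and wrong password
    }
    unset($row['password']); // never hand the hash back to the caller
    return $row;
}

register($db, 'Pat', 'pat', 'correct horse'); // constructed sample account
var_dump(login($db, 'pat', 'correct horse')); // matching password: user row
var_dump(login($db, 'pat', 'wrong guess'));   // non-matching password: NULL
var_dump(login($db, 'nobody', 'anything'));   // unknown username: NULL
```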