Store passwords in DB

hmsg
Forum Commoner
Posts: 42
Joined: Sun May 14, 2006 9:48 am

Post by hmsg »

Hello ppl

I have a form in PHP that I'm using to keep some user data, like name, birthdate, username and password.

How do I store my password in a MySQL table, but in a way that someone who runs a SELECT directly on the command line could not see the password? Is there any way to encrypt the password when I'm making the insert in my .php form?


With the best regards

Hugo Gomes
dude81
Forum Regular
Posts: 509
Joined: Mon Aug 29, 2005 6:26 am
Location: Pearls City

Post by dude81 »

Look at PHP md5() or MySQL MD5() :wink:
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Yes, it's called a hash. In PHP there is a function md5(); you can use it to irreversibly encode any amount of text. What you should do is use it on a password when it is first set (at registration or something) and then store it in the database. Then at login time you can use it on the given password and compare it with the one in the database, but you can never find out what the actual password was.

Actually, that's not entirely true: you can find out what it was by systematically guessing and hashing lots of stuff, so it is important that passwords are not easily guessable.

For added security you can use a salt, which is to add some random stuff to the password at both registration and login, but keep that data completely hidden inside your application code.

Code:

// Login
// Application-wide salt: kept only in the PHP source, never in the database
$salt = 'e8y34iuhewih';
// Hash the submitted password the same way it was hashed at registration
$password = mysql_real_escape_string(md5($_POST['password'] . $salt));
$username = mysql_real_escape_string($_POST['username']);
// password data in db has formerly been salted and md5'd
$q = "SELECT userId FROM users WHERE username = '$username' AND password = '$password'";
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

When you salt, as explained by Ollie, take the salt value from two sources: the database and the PHP source. The easiest thing to use as a db-salt is the username, or you can randomly generate a salt value and keep it in a field in the login table.
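A worked version of the flow the two posts above describe: hash the password once at registration, store only the hash, and at login re-hash the submitted password and compare, using Mordred's two salt sources (a random per-user salt kept with the hash in the database, plus an application-side secret that lives only in code). This is an added example, not code from anyone in the thread. It uses PHP's built-in password_hash()/password_verify() and PDO prepared statements instead of md5() and the mysql_* functions, and an in-memory SQLite database stands in for MySQL so the script runs stand-alone (PHP 7.4 or later with pdo_sqlite assumed). The table layout, the function names and the APP_SECRET value are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.4 with the
// pdo_sqlite extension; an in-memory SQLite database stands in for MySQL.
// Table and column names are assumptions.

// Application-side secret ("pepper"): kept in code/config, never in the DB.
// Constructed placeholder; generate a real one with random_bytes().
const APP_SECRET = 'replace-with-random-secret-from-config';

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
    return $db;
}

// Mix in the application secret first, then hash. password_hash() draws a
// fresh random per-user salt and stores it inside the returned string, so the
// single database column holds salt and hash together (the db-side salt).
function hashPassword(string $password): string {
    $peppered = hash_hmac('sha256', $password, APP_SECRET);
    return password_hash($peppered, PASSWORD_DEFAULT);
}

// Registration: the plaintext never reaches the database.
function register(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => hashPassword($password)]);
}

// Login: fetch the stored hash by username only, then let password_verify()
// re-hash the submitted password with the stored salt and compare in constant
// time. The password is never interpolated into SQL text.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $peppered = hash_hmac('sha256', $password, APP_SECRET);
    if ($row === false) {
        // Unknown user: still do one verify so response time does not
        // reveal whether the username exists.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($peppered, $dummyHash);
        return false;
    }
    return password_verify($peppered, $row['password_hash']);
}

// Demonstration with constructed sample data.
$db = connect();
register($db, 'hugo', 'correct horse battery staple');
register($db, 'maria', 'correct horse battery staple');

// Same password, two different stored values: the per-user random salt at work.
$hashes = $db->query('SELECT username, password_hash FROM users')
             ->fetchAll(PDO::FETCH_KEY_PAIR);
echo 'stored hashes differ per user: ',
     var_export($hashes['hugo'] !== $hashes['maria'], true), "\n";

echo 'hugo, right password:   ', var_export(login($db, 'hugo', 'correct horse battery staple'), true), "\n";
echo 'hugo, wrong password:   ', var_export(login($db, 'hugo', 'wrong password'), true), "\n";
echo 'unknown user:           ', var_export(login($db, 'nobody', 'anything'), true), "\n";
```

Run it with `php example.php`. Because password_hash() embeds the per-user salt and the algorithm parameters in the stored string, no separate salt column is needed, and a SELECT on the command line shows only a bcrypt string. The HMAC step is what keeps Ollie's "random stuff hidden in the application code" useful: a dump of the table alone is not enough to start guessing, since the secret from the PHP source is missing.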
dibyendrah
Forum Contributor
Posts: 491
Joined: Wed Oct 19, 2005 5:14 am
Location: Nepal

Post by dibyendrah »

You may try the PASSWORD function of MySQL itself.

Code:

$pass = mysql_real_escape_string($_POST["password"]);
$username = mysql_real_escape_string($_POST["username"]);
// PASSWORD() is a MySQL function, so it must run inside the query, not in PHP
$q = "INSERT INTO users (username, password) VALUES ('$username', PASSWORD('$pass'))";

Code:

SELECT PASSWORD('secret') as pass;

Output:

pass
*14E65567ABDB5135D0CFD9A70B3032C179A49EE7
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

dibyendrah wrote:
You may try the PASSWORD function of MySQL itself.

From the MySQL manual:
Note: The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your applications.

One reason behind it is that the implementation of PASSWORD may vary between servers, while MD5 or SHA1 are constant.