Hello ppl
I have a form in PHP that I'm using to keep some user data, like name, birthdate, username and password.
How do I store my password in a MySQL table, but in a way that someone who makes a select directly on the command line could not see the password? Is there any way to encrypt the password when I'm making the insert in my .php form?
With the best regards
Hugo Gomes
Store passwords in DB
- Ollie Saunders
Yes, it's called a hash. In PHP there is a function md5() you can use to irreversibly encode any amount of text. What you should do is use it on a password when it is first set (at registration or something), then store it in the database. Then at login time you can use it on the given password and compare it with the one in the database, but you can never find out what the actual password was.
Actually that's not entirely true: you can find out what it was by systematically guessing and hashing lots of stuff, so it is important that passwords are not easily guessable.
For important security you can use a salt, which is to add some random stuff to the password at both registration and login, but keep that data completely hidden inside your application code.
Code:
// Login
$salt = 'e8y34iuhewih';
$password = mysql_real_escape_string(md5($_POST['password'] . $salt));
$username = mysql_real_escape_string($_POST['username']);
// password data in db has formerly been salted and md5'd
$q = "SELECT userId FROM users WHERE username = '$username' AND password = '$password'";

- dibyendrah
You may try the PASSWORD function of MySQL itself.
Code:
$pass = $_POST["password"];
PASSWORD($pass);

Code:
SELECT PASSWORD('secret') as pass;

Code:
pass
*14E65567ABDB5135D0CFD9A70B3032C179A49EE7

dibyendrah wrote: You may try PASSWORD function of mysql itself.
One reason behind it is that the implementation of PASSWORD may vary between servers, while MD5 or SHA1 are constant.

Note: The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your applications.
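
Added example, not part of any post in this thread: the flow discussed above (hash at registration, compare at login) written with PHP's built-in password_hash() and password_verify(), which use a random per-user salt and a slow algorithm in place of md5() with one fixed salt, and with PDO prepared statements in place of string escaping. The table and column names, the sample users and the in-memory SQLite database standing in for MySQL are assumptions so the script runs offline.

```php
<?php
// Added example. Assumptions: table/column names, sample users, and SQLite
// in memory as a stand-in for MySQL (the PDO calls are the same with a mysql: DSN).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The password column holds the hash string, never the plain password.
$db->exec('CREATE TABLE users (
    userId   INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL
)');

function register(PDO $db, string $username, string $plain): void
{
    // password_hash() generates a random salt per call and embeds it,
    // together with the algorithm and cost, in the returned string.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $plain): ?int
{
    // Look the row up by username only; the hash comparison happens in PHP.
    $stmt = $db->prepare('SELECT userId, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plain, $row['password'])) {
        return null; // same result for an unknown user and a wrong password
    }
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        // Upgrade the stored hash when PHP's default algorithm or cost changes.
        $upd = $db->prepare('UPDATE users SET password = ? WHERE userId = ?');
        $upd->execute([password_hash($plain, PASSWORD_DEFAULT), $row['userId']]);
    }
    return (int) $row['userId'];
}

// Constructed sample data: two users choosing the same password.
register($db, 'alice', 'correct horse battery staple');
register($db, 'bob', 'correct horse battery staple');

// What someone running a SELECT on the command line would see.
$hashes = $db->query('SELECT password FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]); // per-user salts make the stored values differ
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong guess'));
```

In MySQL, give the password column room for future algorithms; the PHP manual recommends 255 characters for password_hash() output.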