encrypted password in database

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Dilbert137
Forum Commoner
Posts: 57
Joined: Sat Jun 02, 2007 5:02 am
Location: Mauritius

encrypted password in database

Post by Dilbert137 »

Dear All,

I'm developing the admin side of my website. Can someone guide me on how to use an encrypted password and save it in the database?

Best Regards
Dilbert137
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

When you create a new user, do

Code:

INSERT INTO users SET username='$username', password = md5('$password')

This will encode the password, and when you test the login input, do

Code:

SELECT COUNT(*) FROM users WHERE username='$username' AND password = md5('$password')

Note that if you provide a Forgot Password feature, you cannot send the password to the user's email because this md5 encoding is irreversible, so you need to build a script for resetting the password.
Dilbert137
Forum Commoner
Posts: 57
Joined: Sat Jun 02, 2007 5:02 am
Location: Mauritius

Post by Dilbert137 »

Hi miro_igov,

Thanks a lot for your counsel. It's working now. I have used AES_ENCRYPT instead. I could have used MD5, but for lack of time to write decryption code I used AES. For anyone who wants to use it, here is the code to be applied.

AES_ENCRYPT(string, key);
AES_DECRYPT(crypted text,key);

Best Regards
Dilbert137
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

Is this secure enough? For those who know the key and encryption algorithm, it will be easy to get the password. I think you keep the key in your script, so it's easy to obtain.
Dilbert137
Forum Commoner
Posts: 57
Joined: Sat Jun 02, 2007 5:02 am
Location: Mauritius

Post by Dilbert137 »

What would you recommend, then?

Best Regards
Dilbert137
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

I recommended it above. The md5 approach is OK. The only trouble is with forgotten passwords, but that makes them more secure.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

There are other unidirectional encryption (hashing) algorithms available. MD5 has been weakened significantly in recent years; SHA1 is stronger, but it too has been weakened in recent years. If you're running PHP 5.1+ you may have access to the hash() extension, which supports many. If not, there's also my SHA256 library. See signature for link.
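
An added example, not part of any post in this thread: the `users` table from the queries above, storing a salted, deliberately slow hash with PHP's `password_hash()`/`password_verify()` (PHP 5.5+, not mentioned in the thread) in place of `md5()` or `AES_ENCRYPT`, and binding values through PDO instead of interpolating them into the SQL. The function names `createUser` and `checkLogin`, the in-memory SQLite database (needs `pdo_sqlite`, PHP 7+) and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Table and column names follow the
// queries posted above; createUser() and checkLogin() are hypothetical names.
// An in-memory SQLite database stands in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function createUser(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random salt and stores algorithm, cost and
    // salt inside the returned string, so one column holds everything.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Bound parameters keep user input out of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user
    }
    // The salt differs per user, so the comparison cannot be done in SQL:
    // fetch the stored hash and let password_verify() recompute and compare.
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample data: two accounts sharing one password.
createUser($db, 'alice', 'correct horse battery staple');
createUser($db, 'bob', 'correct horse battery staple');
var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($db, 'alice', 'wrong guess'));
var_dump(checkLogin($db, 'nobody', 'x'));
// Per-user salts make the two stored values differ despite equal passwords.
$rows = $db->query('SELECT password FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows[0] !== $rows[1]);
```

As with the md5 approach discussed above, the stored value cannot be turned back into the password, so a forgotten password still needs a reset script.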
Dilbert137
Forum Commoner
Posts: 57
Joined: Sat Jun 02, 2007 5:02 am
Location: Mauritius

Post by Dilbert137 »

Thanks for all.

Dilbert137