Encrypt paswords in sql?

Ok, so i got all my bugs killed so now i can work on obivous issues like sql passwords.
When a member joins it don't encrypt um so i was wondering if it's a big deal or should i try to do that?

Let me know and where to start thanx.

Hey Breana,
It is a good idea to encrypt passwords otherwise anyone who has access to your Database (or whatever storage mechanism) can obtain passwords. PHP has a function called md5() which does one way encryption (you cannot decrypt it).


Have a look at this thread: <Link removed>

It should give you a good idea.

Cya
Al

Posting links to other forums is not allowed. Please read the Posting Guidelines before posting, especially the part about Things that are generally unacceptable.

Moderator

Ok, so i got all my bugs killed so now i can work on obivous issues like sql passwords.
When a member joins it don't encrypt um so i was wondering if it's a big deal or should i try to do that?

Let me know and where to start thanx.

Hi.

A very good solution to this would be to create a hash based on the password provided by your user.

This is very easy to do using PHP. You can use the md5() function, which generates a 32 character long (128bit) hash or the sha1() function, which generates a 40 character long (160bit) hash.

Hashes are ideal for passwords because they can not be reverted back to their original form, which means that even if somebody got a hold of you password database, it would be pretty much useless to them.

To add to Atli's post:

The other benefit to hashing passwords is that they require a constant storage space. For example, sha1() always outputs a 40-character string, regardless of the length of the string you give it.

As a result, you don't have to require that Users' passwords be up to a certain length; Users are free to use whatever they want as their passwords.

Whether the User's password is 'password', or '.' or the entire text of War and Peace (thank goodness for AutoFill!), it all hashes down to a 40-character string each time.

To make one minor nitpick to Atli's post:
As long as you are salting your passwords, it does not represent a major security threat for an attacker to be able to access the database (or at least, not any more major than for a complete and possibly malevolent stranger to have access to your database, that is), because he won't know what the salt is.

But if you are not using a salt, a cracker can just check the length of the password field and generate and replace his own password for the admin User.

(A salt is a pseudo-random string that you prepend and/or append to every encrypted string to make it harder to crack. For example:
Note that the salt gets prepended to the password in the example above, so even if a cracker changed the hashed password, he still would not be able to log in because the password that he tried to log in with would get prepended with the salt, which would not match what he inserted into the database!)

Additionally, if you use the salt method as pbmod explained, your database will also be protected from so call 'dictionary' hacking attempts.
That is; a hacker could compile a list of possible passwords, hash them and one by one match them against you database.

That will obviously not work if all your passwords are prefixed by a unknown string before they are hashed,

Wow, where do i start, thats a lot of replys lol.
Will i be able to do this with my code as of now or do i need to alter it?
Because i don't get it, i looked at the links and its a bunch of geek speek :)

Why is it called apple?
[PHP]<?php
$str = 'apple';

if (md5($str) === '1f3870be274f6c49b3e31a0c6728957f') {
echo "Would you like a green or red apple?";
exit;
}
?>[/PHP]

And where do i edit the code at, register.php or the save user.php?
I am soo lost...

Heya, Breana.

Think about it this way:

If you were not encrypting the passwords, you'd interact with the database at two points:

1. When creating a User account, you save the password to the database.
2. When logging in, you check to see if the password the User provided matches what's in the database.

When you use encrypted passwords, you are now making two slight changes:

1. When creating a User account, you now run the password through sha1:
   
   Expand|Select|Wrap|Line Numbers

   1. $_sql = "
   2. INSERT
   3.     INTO
   4.         `users`
   5.         (
   6.             `username`,
   7.             `password`
   8.             .
   9.             .
   10.             .
   11.         )
   12.     VALUES
   13.         (
   14.             '{$username}',
   15.             '" . sha1($password) . "'
   16.         )";
   17.  
   Where $username and $password are the Username and password that you want to assign to the new account, respectively.
2. When logging in, you now have to check to see if the password matches when you encrypt it:
   
   Expand|Select|Wrap|Line Numbers

   1. $_sql = "
   2. SELECT
   3.         `user_id`
   4.     FROM
   5.         `users`
   6.     WHERE
   7.     (
   8.             `username` = '{$username}'
   9.         AND
   10.             `password` = '" . sha1($password) . "'
   11.     )
   12.     LIMIT 1";
   13.  
   Where $username and $password are the Username and Password that the User entered into the login form, respectively.

Ok, so like this.

[PHP]$sql = "insert into users (userid, login, password, email, gender, aboutme, points, genderimage) values ($userid, '$loginname', '" . sha1($password) . "', '$email' , '$gender', '$aboutme', '$points', '$genderimage')";
$result = mysql_query($sql ,$db);[/PHP]
I just tried it does iencrypt it but now it wont auto login?
How do i call the pas now that it is encrypted..

Heya, Breana.

So far so good.

Next step, just verify the structure of your users table. The password field should be a char(40):
To tackle the login problem, let's have a look at the code where you check the Username and password.

Yep, i just sql it and its now 40 like you said.

And my login code is here:
[PHP]<?php

$sql = "select * from users where login = '$login' and password = '$password'";
$result = mysql_query($sql ,$db);

if ($myrow = mysql_fetch_array($result)) {

do {

$uid = $myrow["userid"];
$uname = $myrow["login"];

} while ($myrow = mysql_fetch_array($result));

$loggedin = true;
$upwd = $password;
$msg = "<table width=\"500\" border=\"0\" align=\"center\" cellpadding=\"0\" cellspacing=\"0\">
<tr>
<td><img src=\"images/top_c.gif\" width=\"500\" height=\"24\"></td>
</tr>
<tr>
<td align=\"center\" background=\"images/b_m.gif\">Welcome <font color=\"#FF0000\">$uname</font>, you are now logged in.</td>
</tr>
<tr>
<td><img src=\"images/bottom_c.gif\" width=\"500\" height=\"24\"></td>
</tr>
</table><br />
<br />
<a href=\"index.php\">CONTINUE >></a><br /><br /><p align=\"center\"><img src=\"images/Welcome_Back.gif\" width=\"300\" height=\"282\" /></p>";
$sql = "UPDATE `users` SET `last_active` = NOW() WHERE `user_id` = '{$user_id}' LIMIT 1";

} else {
$loggedin = false;
$upwd = "";
$uid = "";
$uname = "";
$msg = "<img src=\"images/invalid.gif\" width=\"402\" height=\"107\" /><br /><b><font color=\"#FF0000\">Sorry,</font></b> that login and password is not valid.<br /><br />If you have forgotten your password <a href=forgot.php>Reset Password</a>. <br />If you are a new user you will need to <a href=newuser.php>Create A New Account!</a>";


}

session_register("loggedin");
session_register("upwd");
session_register("uid");
session_register("uname");

?>[/PHP]

Heya, Breana.

All you have to do here is change the first line:

I just tried it nope, it says logged in buy no user panel. just the login links...

Heya, Breana.

Are you logging in as a new User (with an encrypted password) or an old User (with an unencrypted password)?

Try running this query:

I ran that all passwords are now encrypted but i cant login it says your now logged in but the menu dont pop up....

So maybe my commen php needs to be updated to.
Take a look please...

[PHP]function logincheck($uid, $upwd) {

global $db;

if (($uid == "") || ($upwd == "")) {

$accountok = false;

} else {

$sql = "select * from users where userid = $uid and password = '$upwd'";

$result = mysql_query($sql ,$db);

$numrows = mysql_num_rows($result);

if ($numrows > 0) {

$accountok = true;

} else {

$accountok = false;

}

}

return $accountok;

}[/PHP]

Heya, Breana.

Yup. It sure does. Good call.

Do i replace all the $upwd == "" with the '" . sha1($password) . "' or alter it to:

'$upwd == " . sha1($upwd) . "'?

Heya, Breana.

Do i replace all the $upwd == "" with the '" . sha1($password) . "' or alter it?

This time you want to sha1($upwd) instead of sha1($password).

Ok like this:
[PHP]function logincheck($uid, $upwd) {

global $db;

if (($uid == "") || ('".sha1($upwd)"' == "")) {

$accountok = false;

} else {

$sql = "select * from users where userid = $uid and password = '".sha1($upwd)."'";

$result = mysql_query($sql ,$db);

$numrows = mysql_num_rows($result);

if ($numrows > 0) {

$accountok = true;

} else {

$accountok = false;

}

}

return $accountok;

}[/PHP]

Heya, Breana.

Looks good to me. Does it work?

Yes, thanks soo much, i thought i needed to edit that php to cause it hase my login check lol.

Now if i can get the whos online not to post the 224.249295 stuff lol

I see one bug i know it's my fault, in my account i have a text feild echo the users pass so they can update it. it shows the encrypted pass?

I think the only way to get past that is to have the pass feild changed to.

Change password FEILD.
leave empty to keep exsisting password..

Heya, Breana.

That's odd. Where is that number showing up?

In terms of allowing the User to update his password, consider making the password field blank and then only changing the password if the User actually enters anything into it (presumably, since he just logged on, he knows what his password is!).

Lol yeah i meant that, i just changed it.
As for your question it was showing up in the (MyAccount) under curent pass >save so i removed the get info sql and made it so if one is entered it will change it.
with the '".sha1($password)"' in the updateuser.php.

So now i got this working thanks to you.
Can you help me in the other post fix the online showing "209.33.95.33" now a result :)

Heya, Breana.

We'll continue working on that issue in your other thread:
http://www.thescripts.com/forum/thread700415.html

Glad to hear you got it working! Good luck with your project, and if you ever need anything, post back anytime :)