

P: 63
Can anybody tell me how I can use MySQL's aes_encrypt & decrypt to encrypt and store a password in a MySQL database, then retrieve it in normal form? For example, I want to build PHP's forgot password function so that I can send the plain-text password to the user's email.

Aug 21 '08 #1
3 Replies

Expert 100+
P: 938

I've never used this myself. Have you read this? I got this on a simple Google search.

I should say that for passwords I generally prefer hashing them. This means the original can't be extracted - making it a bit more secure. I always think that if I can decrypt the password so can someone else!

Have a look at php hash(). So if you do the following:
$lcHashed = hash('sha256', $lcStringToHash) ;

This will always give a string of the same length regardless of the input. If this is for passwords and the user forgets the password then you can't re-supply it but you can simply generate a new one and email it to them at their registered email address.

Aug 21 '08 #2

P: 63
Using hash() to encrypt passwords and generating a new one if necessary is quite popular, but that's not the case I'm dealing with :D

Anyway, I've found the way to work with aes_encrypt/aes_decrypt, which is quite simple:

encrypt: password is stored in encrypted form, with 'key' defined by ourselves
mysql_query("INSERT INTO table (username, password) VALUES ('$un', aes_encrypt('$pw','key'))");

decrypt: password is retrieved in normal plain-text form:
mysql_query("SELECT aes_decrypt(password, 'key') FROM table WHERE email = '$email'");
then we can help the user find his original password :D
Aug 21 '08 #3

Expert 5K+
P: 5,821
Heya, tuananh87vn.

You encrypt the User's password using industrial-strength encryption, maybe have him login over an SSL connection...

... and then you transmit his password in cleartext over one of the most insecure media on the internet.

I'll save you the $300/hr security analysis session. There's a chink in your armor.

Rather than send the User his password, simply send him a link that he can click on to reset his password, instead.
Aug 22 '08 #4
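
The reset-link approach suggested in reply #4, sketched as an added example that is not part of the original thread. The table names `users` and `resets`, the address `user@example.test`, the `example.test` URL and the function names are hypothetical; an in-memory SQLite database (requires the pdo_sqlite extension) stands in for MySQL so the script runs offline, and all values are passed through prepared statements instead of being interpolated into the SQL string.

```php
<?php
// Added example: reset-link flow. Table, column and function names are hypothetical.
// In-memory SQLite stands in for MySQL so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)');
$db->exec('CREATE TABLE resets (email TEXT, token_hash TEXT, expires INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?)')   // constructed sample account
   ->execute(['user@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: user asks for a reset. Only a hash of the token is stored,
// so a leaked resets table does not hand out working links.
function startReset(PDO $db, string $email): ?string {
    $u = $db->prepare('SELECT 1 FROM users WHERE email = ?');
    $u->execute([$email]);
    if (!$u->fetchColumn()) return null;          // show the same page to the visitor either way
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $db->prepare('DELETE FROM resets WHERE email = ?')->execute([$email]);
    $db->prepare('INSERT INTO resets VALUES (?, ?, ?)')
       ->execute([$email, hash('sha256', $token), time() + 3600]);
    return $token;                                // goes into the emailed link only
}

// Step 2: user follows the link and submits a new password.
function finishReset(PDO $db, string $email, string $token, string $newPw): bool {
    $q = $db->prepare('SELECT token_hash, expires FROM resets WHERE email = ?');
    $q->execute([$email]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;                             // unknown, expired or wrong token
    }
    $db->prepare('UPDATE users SET pw_hash = ? WHERE email = ?')
       ->execute([password_hash($newPw, PASSWORD_DEFAULT), $email]);
    $db->prepare('DELETE FROM resets WHERE email = ?')->execute([$email]); // single use
    return true;
}

$token = startReset($db, 'user@example.test');
echo "Link: https://example.test/reset.php?email=user%40example.test&token=$token\n";
var_dump(finishReset($db, 'user@example.test', 'wrong-token', 'new-password')); // wrong token
var_dump(finishReset($db, 'user@example.test', $token, 'new-password'));        // valid token
var_dump(finishReset($db, 'user@example.test', $token, 'again'));               // reused token
```

With this flow the database never needs to return the original password, so the stored value can be a one-way `password_hash()` result and no decryption key has to live in the application.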
