Encrypt passwords in SQL?

  • Breana
    New Member
    • Aug 2007
    • 117

    Encrypt passwords in SQL?

    Ok, so I got all my bugs killed, so now I can work on obvious issues like SQL passwords.
    When a member joins it doesn't encrypt them, so I was wondering if it's a big deal or should I try to do that?

    Let me know, and where to start. Thanks.
  • aalmakto
    New Member
    • Aug 2007
    • 19

    #2
    Originally posted by Breana
    Ok, so I got all my bugs killed, so now I can work on obvious issues like SQL passwords.
    When a member joins it doesn't encrypt them, so I was wondering if it's a big deal or should I try to do that?

    Let me know, and where to start. Thanks.
    Hey Breana,
    It is a good idea to encrypt passwords; otherwise, anyone who has access to your database (or whatever storage mechanism) can obtain passwords. PHP has a function called md5() which does one-way encryption (you cannot decrypt it).


    Have a look at this thread: <Link removed>

    It should give you a good idea.

    Cya
    Al
    Last edited by Atli; Aug 29 '07, 03:18 AM. Reason: Removed link.


    • Atli
      Recognized Expert Expert
      • Nov 2006
      • 5062

      #3
      Posting links to other forums is not allowed. Please read the Posting Guidelines before posting, especially the part about Things that are generally unacceptable.

      Moderator


      • Atli
        Recognized Expert Expert
        • Nov 2006
        • 5062

        #4
        Originally posted by Breana
        Ok, so I got all my bugs killed, so now I can work on obvious issues like SQL passwords.
        When a member joins it doesn't encrypt them, so I was wondering if it's a big deal or should I try to do that?

        Let me know, and where to start. Thanks.
        Hi.

        A very good solution to this would be to create a hash based on the password provided by your user.

        This is very easy to do using PHP. You can use the md5() function, which generates a 32-character (128-bit) hash, or the sha1() function, which generates a 40-character (160-bit) hash.

        Hashes are ideal for passwords because they cannot be reverted back to their original form, which means that even if somebody got hold of your password database, it would be pretty much useless to them.


        • pbmods
          Recognized Expert Expert
          • Apr 2007
          • 5821

          #5
          To add to Atli's post:

          The other benefit to hashing passwords is that they require a constant amount of storage space. For example, sha1() always outputs a 40-character string, regardless of the length of the string you give it.

          As a result, you don't have to require that Users' passwords be up to a certain length; Users are free to use whatever they want as their passwords.

          Whether the User's password is 'password', or '.' or the entire text of War and Peace (thank goodness for AutoFill!), it all hashes down to a 40-character string each time.

          To make one minor nitpick to Atli's post:
          As long as you are salting your passwords, it does not represent a major security threat for an attacker to be able to access the database (or at least, not any more major than for a complete and possibly malevolent stranger to have access to your database, that is), because he won't know what the salt is.

          But if you are not using a salt, a cracker can just check the length of the password field and generate and replace his own password for the admin User.

          (A salt is a pseudo-random string that you prepend and/or append to every encrypted string to make it harder to crack. For example:
          [code=php]
          define('CRYPTO_SALT', 'sAlTyDoG');

          // Check to see if the login info is correct.
          // $username is interpolated straight into the SQL; escape it (or use a
          // prepared statement) before building the query. The sha1() output is
          // hex only, so the hash itself is safe to interpolate.
          $_sql = "
          SELECT
          `ID_User`
          FROM
          `users`
          WHERE
          (
          `Name_Short` = '{$username}'
          AND
          `Util_Password` = '" . sha1(CRYPTO_SALT . $password) . "'
          )
          LIMIT 1";
          [/code]

          Note that the salt gets prepended to the password in the example above, so even if a cracker changed the hashed password, he still would not be able to log in because the password that he tried to log in with would get prepended with the salt, which would not match what he inserted into the database!)


          • Atli
            Recognized Expert Expert
            • Nov 2006
            • 5062

            #6
            Additionally, if you use the salt method as pbmods explained, your database will also be protected from so-called 'dictionary' hacking attempts.
            That is, a hacker could compile a list of possible passwords, hash them, and one by one match them against your database.

            That will obviously not work if all your passwords are prefixed with an unknown string before they are hashed.

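The dictionary attack Atli describes in #6, run as an added example (this is editor-supplied code, not anything posted in the thread). It uses a small constructed word list and a constructed users table in the shape the thread ends up with (bare sha1 in the `password` column). It shows why unsalted hashes fall to a list that was hashed once, ahead of time, and why a random per-user salt stored next to the hash (as opposed to the single site-wide constant in #5) forces the attacker to recompute the whole list for every row. The logins and passwords are made up for the example.

```php
<?php
// Added example, not from the thread. A tiny constructed word list stands in
// for a real dictionary, which would have millions of entries.
$wordlist = ['123456', 'password', 'letmein', 'apple', 'qwerty', 'dragon'];

// Constructed users table as the thread's schema looks after the UPDATE in #14:
// the password column holds sha1($password) with no salt.
$unsaltedUsers = [
    ['userid' => 1, 'login' => 'breana', 'password' => sha1('apple')],
    ['userid' => 2, 'login' => 'admin',  'password' => sha1('letmein')],
    ['userid' => 3, 'login' => 'carol',  'password' => sha1('Tr0ub4dor&3')],
];

// Attack step 1: hash the whole list once. This table can be built before any
// database is stolen and reused against every site that stores unsalted sha1.
function buildLookupTable(array $words): array {
    $table = [];
    foreach ($words as $w) {
        $table[sha1($w)] = $w;
    }
    return $table;
}

// Attack step 2: one array lookup per row recovers every password that is on
// the list, no matter how many users there are.
function crackUnsalted(array $users, array $lookup): array {
    $found = [];
    foreach ($users as $u) {
        if (isset($lookup[$u['password']])) {
            $found[$u['login']] = $lookup[$u['password']];
        }
    }
    return $found;
}

// Per-user salting: a random salt is generated at registration and stored in
// the row beside the hash. The salt is not secret; its job is to make every
// row's hash different, even when two users chose the same password.
function saltedHash(string $password, string $salt): string {
    return sha1($salt . $password);
}

function registerSalted(string $login, string $password): array {
    $salt = bin2hex(random_bytes(16));
    return ['login' => $login, 'salt' => $salt, 'password' => saltedHash($password, $salt)];
}

// Against salted rows the precomputed table is useless; the attacker must
// re-run the word list against each row's own salt, so the work multiplies
// by the number of users. Weak passwords are still found, just more slowly.
function crackSalted(array $users, array $words): array {
    $found = [];
    $hashesComputed = 0;
    foreach ($users as $u) {
        foreach ($words as $w) {
            $hashesComputed++;
            if (hash_equals($u['password'], saltedHash($w, $u['salt']))) {
                $found[$u['login']] = $w;
                break;
            }
        }
    }
    return ['found' => $found, 'hashes_computed' => $hashesComputed];
}

$lookup = buildLookupTable($wordlist);
print_r(crackUnsalted($unsaltedUsers, $lookup));

$saltedUsers = [
    registerSalted('breana', 'apple'),
    registerSalted('admin', 'letmein'),
    registerSalted('carol', 'Tr0ub4dor&3'),
];
print_r(crackUnsalted($saltedUsers, $lookup));
print_r(crackSalted($saltedUsers, $wordlist));
```

Running it recovers breana's and admin's passwords from the unsalted table with one lookup each (carol's is not on the list), recovers nothing from the salted table with the same lookup, and then recovers the same two weak passwords only by hashing the list again per row. Because sha1 is fast, that per-row cost is still small; the modern fix is a deliberately slow, salted hash such as PHP's password_hash(), which does the salting shown here for you and adds a configurable work factor.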

            • Breana
              New Member
              • Aug 2007
              • 117

              #7
              Wow, where do I start? That's a lot of replies, lol.
              Will I be able to do this with my code as it is now, or do I need to alter it?
              Because I don't get it; I looked at the links and it's a bunch of geek speak :)

              Why is it called apple?
              [PHP]<?php
              $str = 'apple';

              // md5() returns a 32-character hex string; this value is the hash of 'apple'.
              if (md5($str) === '1f3870be274f6c49b3e31a0c6728957f') {
              echo "Would you like a green or red apple?";
              exit;
              }
              ?>[/PHP]

              And where do I edit the code, register.php or the save user.php?
              I am so lost...


              • pbmods
                Recognized Expert Expert
                • Apr 2007
                • 5821

                #8
                Heya, Breana.

                Think about it this way:

                If you were not encrypting the passwords, you'd interact with the database at two points:
                1. When creating a User account, you save the password to the database.
                2. When logging in, you check to see if the password the User provided matches what's in the database.


                When you use encrypted passwords, you are now making two slight changes:
                1. When creating a User account, you now run the password through sha1:
                  [code=php]
                  $_sql = "
                  INSERT
                  INTO
                  `users`
                  (
                  `username`,
                  `password`
                  .
                  .
                  .
                  )
                  VALUES
                  (
                  '{$username}',
                  '" . sha1($password) . "'
                  )";
                  [/code]
                  Where $username and $password are the Username and password that you want to assign to the new account, respectively.
                2. When logging in, you now have to check to see if the password matches when you encrypt it:
                  [code=php]
                  $_sql = "
                  SELECT
                  `user_id`
                  FROM
                  `users`
                  WHERE
                  (
                  `username` = '{$username}'
                  AND
                  `password` = '" . sha1($password) . "'
                  )
                  LIMIT 1";
                  [/code]
                  Where $username and $password are the Username and Password that the User entered into the login form, respectively.

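The two-step procedure in #8 (hash when the account is created, compare the hash at login) written out as an added example; this is editor-supplied code, not pbmods' or Breana's. Two things differ from the thread's snippets: the queries use PDO prepared statements instead of interpolating `$username` into the SQL string, and the hashing uses PHP's password_hash()/password_verify() (PHP 5.5 and later) instead of bare sha1(). It runs against an in-memory SQLite database so it needs only the pdo_sqlite extension; the table and column names (`users`, `userid`, `login`, `password`) are Breana's from later in the thread, and the sample account is made up.

```php
<?php
// Added example, not from the thread. Requires PHP >= 7.1 with pdo_sqlite.
// For MySQL, change only the DSN and credentials; the PDO calls are the same.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash() output is not a fixed 40 characters like sha1(); the PHP
    // manual recommends a 255-character column to leave room for future algorithms.
    $db->exec('CREATE TABLE users (
        userid   INTEGER PRIMARY KEY AUTOINCREMENT,
        login    TEXT NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL
    )');
    return $db;
}

// Step 1 (register): hash once with a slow, salted algorithm. password_hash()
// generates a random salt for this user and embeds it in the returned string.
function registerUser(PDO $db, string $login, string $password): int {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (login, password) VALUES (:login, :password)');
    $stmt->execute([':login' => $login, ':password' => $hash]);
    return (int) $db->lastInsertId();
}

// Step 2 (login): fetch the row by login only, then let password_verify()
// re-derive the hash with the salt stored in the row and compare in constant
// time. The password (hashed or not) no longer appears in the WHERE clause.
function loginUser(PDO $db, string $login, string $password): ?int {
    $stmt = $db->prepare('SELECT userid, password FROM users WHERE login = :login LIMIT 1');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['userid'];
}

$db = openDb();
$id = registerUser($db, 'breana', 'correct horse battery staple');

var_dump(loginUser($db, 'breana', 'correct horse battery staple') === $id);
var_dump(loginUser($db, 'breana', 'wrong password') === null);
// The classic injection string: with a bound parameter it is just a login
// that does not exist, not a change to the query.
var_dump(loginUser($db, "breana' OR '1'='1", 'anything') === null);
```

Two caveats worth knowing before adopting this. The password cannot be part of the WHERE clause any more, because every stored hash carries its own salt, so the row is fetched by login and verified in PHP. And PASSWORD_DEFAULT is currently bcrypt, which uses only the first 72 bytes of the input; pbmods' "entire text of War and Peace" example in #5 would be silently truncated, so either cap the password length at 72 bytes in the form or pick a different algorithm if you need longer inputs.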

                • Breana
                  New Member
                  • Aug 2007
                  • 117

                  #9
                  Ok, so like this.

                  [PHP]$sql = "insert into users (userid, login, password, email, gender, aboutme, points, genderimage) values ($userid, '$loginname', '" . sha1($password) . "', '$email', '$gender', '$aboutme', '$points', '$genderimage')";
                  $result = mysql_query($sql, $db);[/PHP]
                  I just tried it; it does encrypt it, but now it won't auto-login?
                  How do I call the password now that it is encrypted..


                  • pbmods
                    Recognized Expert Expert
                    • Apr 2007
                    • 5821

                    #10
                    Heya, Breana.

                    So far so good.

                    Next step, just verify the structure of your users table. The password field should be a char(40):
                    [code=mysql]
                    ALTER TABLE
                    `users`
                    MODIFY
                    `password`
                    CHAR(40)
                    NOT NULL;
                    [/code]

                    To tackle the login problem, let's have a look at the code where you check the Username and password.


                    • Breana
                      New Member
                      • Aug 2007
                      • 117

                      #11
                      Yep, I just SQL'd it and it's now 40 like you said.

                      And my login code is here:
                      [PHP]<?php

                      $sql = "select * from users where login = '$login' and password = '$password'";
                      $result = mysql_query($sql, $db);

                      if ($myrow = mysql_fetch_array($result)) {

                      do {

                      $uid = $myrow["userid"];
                      $uname = $myrow["login"];

                      } while ($myrow = mysql_fetch_array($result));

                      $loggedin = true;
                      // The plaintext password is kept in the session and re-checked
                      // against the database by logincheck() on every page.
                      $upwd = $password;
                      $msg = "<table width=\"500\" border=\"0\" align=\"center\" cellpadding=\"0\" cellspacing=\"0\">
                      <tr>
                      <td><img src=\"images/top_c.gif\" width=\"500\" height=\"24\"></td>
                      </tr>
                      <tr>
                      <td align=\"center\" background=\"images/b_m.gif\">Welcome <font color=\"#FF0000\">$uname</font>, you are now logged in.</td>
                      </tr>
                      <tr>
                      <td><img src=\"images/bottom_c.gif\" width=\"500\" height=\"24\"></td>
                      </tr>
                      </table><br />
                      <br />
                      <a href=\"index.php\">CONTINUE >></a><br /><br /><p align=\"center\"><img src=\"images/Welcome_Back.gif\" width=\"300\" height=\"282\" /></p>";
                      // Record the login time. The column is `userid`, as in the insert
                      // above, and the query has to be executed to take effect.
                      $sql = "UPDATE `users` SET `last_active` = NOW() WHERE `userid` = '{$uid}' LIMIT 1";
                      mysql_query($sql, $db);

                      } else {
                      $loggedin = false;
                      $upwd = "";
                      $uid = "";
                      $uname = "";
                      $msg = "<img src=\"images/invalid.gif\" width=\"402\" height=\"107\" /><br /><b><font color=\"#FF0000\">Sorry,</font></b> that login and password is not valid.<br /><br />If you have forgotten your password <a href=\"forgot.php\">Reset Password</a>. <br />If you are a new user you will need to <a href=\"newuser.php\">Create A New Account!</a>";


                      }

                      session_register("loggedin");
                      session_register("upwd");
                      session_register("uid");
                      session_register("uname");

                      ?>[/PHP]


                      • pbmods
                        Recognized Expert Expert
                        • Apr 2007
                        • 5821

                        #12
                        Heya, Breana.

                        All you have to do here is change the first line:
                        [code=php]
                        $sql = "select * from users where login = '$login' and password = '" . sha1($password) . "'";
                        [/code]


                        • Breana
                          New Member
                          • Aug 2007
                          • 117

                          #13
                          I just tried it; nope, it says logged in but no user panel, just the login links...


                          • pbmods
                            Recognized Expert Expert
                            • Apr 2007
                            • 5821

                            #14
                            Heya, Breana.

                            Are you logging in as a new User (with an encrypted password) or an old User (with an unencrypted password)?

                            Try running this query:
                            [code=mysql]
                            UPDATE
                            `users`
                            SET
                            `password` = sha1(`password`)
                            WHERE
                            LENGTH(`password`) != 40;
                            [/code]


                            • Breana
                              New Member
                              • Aug 2007
                              • 117

                              #15
                              I ran that; all passwords are now encrypted, but I can't login. It says you're now logged in but the menu doesn't pop up....

                              So maybe my common PHP needs to be updated too.
                              Take a look please...

                              [PHP]function logincheck($uid, $upwd) {

                              global $db;

                              if (($uid == "") || ($upwd == "")) {

                              $accountok = false;

                              } else {

                              // $upwd is the plaintext password saved in the session at login,
                              // but the `password` column now holds sha1 hashes, so this
                              // comparison never matches.
                              $sql = "select * from users where userid = $uid and password = '$upwd'";

                              $result = mysql_query($sql, $db);

                              $numrows = mysql_num_rows($result);

                              if ($numrows > 0) {

                              $accountok = true;

                              } else {

                              $accountok = false;

                              }

                              }

                              return $accountok;

                              }[/PHP]

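The thread ends here without an answer to #15. The following is an added example (editor-supplied, not Breana's code) covering the two things the #15 snippet needs. First, `logincheck()` compares the plaintext password saved in the session (`$upwd = $password;` in #11) against a column that now holds sha1 hashes, so it can never match; the session should hold the numeric `userid` only, and a page check should look the user up by id rather than re-submit a password. Second, the rows rewritten by the UPDATE in #14 hold bare sha1 hashes, and those can be verified with sha1 and upgraded in place to password_hash() on the user's next successful login, with no need to know the plaintext. A plain PHP array stands in for the `users` table here so the example runs without a database; the names `users`, `userid`, `login` and `password` are Breana's, and the sample rows are made up.

```php
<?php
// Added example, not from the thread. $users stands in for the users table
// after the UPDATE in #14: every existing row holds a bare sha1 hash.
$users = [
    1 => ['login' => 'breana', 'password' => sha1('apple')],
    2 => ['login' => 'admin',  'password' => sha1('letmein')],
];

// sha1() output is exactly 40 hex characters; password_hash() output begins
// with '$', so the two formats cannot be confused.
function isLegacySha1(string $stored): bool {
    return preg_match('/^[0-9a-f]{40}$/i', $stored) === 1;
}

// Returns the userid on success, null on failure. A legacy row is checked with
// sha1 and, on success, replaced with a password_hash() value, so the migration
// completes one user at a time as they log in. With a real table the
// assignment becomes an UPDATE ... WHERE userid = ? using a prepared statement.
function login(array &$users, string $login, string $password): ?int {
    foreach ($users as $uid => $row) {
        if ($row['login'] !== $login) {
            continue;
        }
        if (isLegacySha1($row['password'])) {
            if (!hash_equals($row['password'], sha1($password))) {
                return null;
            }
            $users[$uid]['password'] = password_hash($password, PASSWORD_DEFAULT);
        } elseif (!password_verify($password, $row['password'])) {
            return null;
        }
        return $uid;
    }
    return null;
}

// What goes into $_SESSION after a successful login: the userid and a flag.
// The password, in any form, is never stored in the session.
function startSession(array &$session, int $uid): void {
    $session['loggedin'] = true;
    $session['uid'] = $uid;
}

// Replacement for logincheck($uid, $upwd). The session lives on the server,
// so a present, valid uid is sufficient proof; no password is re-checked.
function logincheck(array $users, array $session): bool {
    return !empty($session['loggedin'])
        && isset($session['uid'])
        && isset($users[$session['uid']]);
}

$session = [];
$uid = login($users, 'breana', 'apple');   // first login: verified against the legacy sha1 row
if ($uid !== null) {
    startSession($session, $uid);
}
var_dump(logincheck($users, $session));
var_dump(isLegacySha1($users[1]['password']));   // the row has been upgraded in place
var_dump(login($users, 'breana', 'apple') === 1);  // second login: verified by password_verify()
var_dump(login($users, 'breana', 'banana') === null);
```

Once no row is 40 hex characters long the sha1 branch can be deleted. Until then, anyone who copies the database still gets the un-upgraded sha1 hashes, so it is worth forcing a password change or a login for accounts that have not migrated after some period.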
