brmcdani Posted September 18, 2009

I currently just made a registration and login system. When the user registers it encrypts the password using .md5. The problem is that when I try to login you have to type in the encrypted password. How would I approach this problem?
The PHP Guy Posted September 18, 2009

First of all, md5 is very very weak. I use "tiger192,4" which is fast and secure. If that algorithm isn't supported on your server, use sha1.

When the user registers, hash the password and store it in a database. When he logs in, compare the stored hash with the hash of the entered password.

A neat little function which adds some salt and hashes with the specified algorithm:

    <?php
    // Hash $data with $algo, mixing in a "salt" that is derived from $data itself.
    function getHash($data, $algo = 'tiger192,4') {
        // Return FALSE if this PHP build does not provide the algorithm
        if(!in_array($algo, hash_algos())) {
            return FALSE;
        }
        $len = strlen($data);
        $data2 = $data . ($len % 2 == 0 ? '' : $algo[0]);
        $salt = $data . ($len % 2 == 0 ? '' : $data[0]);
        // Rotate the salt string by $pos characters, then hash it
        $pos = (int) ($data[0] % ord($data[$len-1])) * 27;
        $salt = substr($salt, $pos) . substr($salt, 0, $pos);
        $salt = hash($algo, $salt);
        $len = strlen($salt) - 1;
        $data2 = hash($algo, $data2);
        // $pos is recomputed here but not used below
        $pos = (int) ($data2[$len - 1] % ord($data2[0])) * 12;
        // Insert the hashed salt into the middle of the hashed data and hash again
        $data2 = substr($data2, 0, $len / 2) . $salt . substr($data2, $len / 2, $len);
        $data2 = hash($algo, $data2);
        return $data2;
    }
    ?>

Use it like:

    echo getHash('password');

If it echoes nothing (returns FALSE), use

    getHash('password', 'sha1');

And this is how you validate the password:

    <?php
    $result = mysql_query('SELECT * FROM table_name WHERE user="' . mysql_real_escape_string($_POST['user'], $link_id) . '" AND password = "' . getHash($_POST['pass']) . '"', $link_id);
    if(mysql_num_rows($result) == 1) {
        //Password is correct
    } else {
        //Password is wrong
    }
    ?>

Also make sure that the user field in your table is PRIMARY or UNIQUE.
corbin Posted September 18, 2009

MD5 is very, very weak? lol.

http://www.phpfreaks.com/forums/index.php/topic,254277.0.html
The PHP Guy Posted September 18, 2009

> MD5 is very, very weak?

Yes, it is. Have a look at:

http://php.net/manual/en/function.md5.php#90494
http://in3.php.net/manual/en/function.hash.php#83481
http://mail.jabber.org/pipermail/standards/2007-September/016771.html
http://www.speedguide.net/read_news.php?id=2752
Handy PHP Posted September 18, 2009

The short answer is this: Probably when you added the password to the database the first time, you took the password and applied the MD5 hash to it, then inserted it into the database, kind of like this:

    // Escape the username and quote both values so the statement is valid SQL
    $sql = "INSERT INTO table_name (id, username, password) VALUES (1, '" . mysql_real_escape_string($_POST['username']) . "', '" . MD5($_POST['password']) . "')";

So to check it, you use something like this:

    // Hash the submitted password the same way before comparing it
    $sql = "SELECT * FROM table_name WHERE username = '" . mysql_real_escape_string($_POST['username']) . "' AND password = '" . MD5($_POST['password']) . "'";

You have to hash the password before you check it against what the server has stored. It isn't a bad idea to use a stronger hash as mentioned above or add a string to the password prior to hashing to make the system more secure.

Hope this helps,
Handy PHP
brmcdani (Author) Posted September 18, 2009

Handy PHP: What would be the proper syntax if I defined a variable as $myusername and $mypassword like this first before using the SQL statement:

    $myusername=$_POST['myusername'];
    $mypassword=.sha1($_POST['mypassword']);
    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and pass='$mypassword'";
    $result=mysql_query($sql);

I've played with it but can't seem to get the syntax quite right.
brmcdani (Author) Posted September 18, 2009

Never mind, I just got it. I just had to remove the . Thanks for everyone's help.
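
Added example, not part of any post in this thread: the register-then-login flow discussed above, written with PHP's built-in password_hash() and password_verify() and a parameterized query, including a login-time upgrade of rows that still hold a bare md5() digest. The in-memory SQLite database, the users table and the sample accounts are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.6 with pdo_sqlite.
// The users table, its columns and the sample accounts are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

function insertUser(PDO $db, $username, $hash)
{
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

function registerUser(PDO $db, $username, $password)
{
    // password_hash() generates a random salt and embeds it in the returned string.
    insertUser($db, $username, password_hash($password, PASSWORD_DEFAULT));
}

function checkLogin(PDO $db, $username, $password)
{
    // Select by username only: a randomly salted hash differs on every call,
    // so it cannot be matched inside the WHERE clause.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    // Legacy rows hold a 32-character hex md5() digest; newer rows hold password_hash() output.
    $legacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $legacy ? hash_equals($stored, md5($password)) : password_verify($password, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // The plaintext is only available at login, so upgrade the stored hash now.
        $up = $db->prepare('UPDATE users SET pass_hash = ? WHERE username = ?');
        $up->execute(array(password_hash($password, PASSWORD_DEFAULT), $username));
    }
    return $ok;
}

insertUser($db, 'olduser', md5('hunter2'));       // constructed legacy md5 account
registerUser($db, 'newuser', 'correct horse');    // constructed new account
var_dump(checkLogin($db, 'olduser', 'hunter2'));  // legacy row, upgraded on success
var_dump(checkLogin($db, 'olduser', 'hunter2'));  // same row, now checked by password_verify()
var_dump(checkLogin($db, 'newuser', 'wrong'));    // wrong password
```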