
[SOLVED] Encryption


brmcdani


First of all, md5 is very, very weak. I use "tiger192,4", which is fast and secure. If that algorithm isn't supported on your server, use sha1.

When the user registers, hash the password and store it in a database. When he logs in, compare the stored hash with the hash of the entered password.

A neat little function which adds some salt and hashes with the specified algorithm:

<?php
// Returns FALSE if $algo is not available in this PHP build (or if $data is empty).
function getHash($data, $algo = 'tiger192,4')
{
    if(!in_array($algo, hash_algos()))
    {
        return FALSE;
    }
    $len = strlen($data);
    if($len === 0)
    {
        return FALSE;
    }
    // Pad odd-length input to an even length; the salt is derived from the input itself.
    $data2 = $data . ($len % 2 == 0 ? '' : $algo[0]);
    $salt = $data . ($len % 2 == 0 ? '' : $data[0]);
    // ord() on both operands: using a raw character in arithmetic is a warning in
    // PHP 7 and a TypeError in PHP 8.
    $pos = (ord($data[0]) % ord($data[$len-1])) * 27;
    // Rotate the salt by $pos characters, then hash it.
    $salt = substr($salt, $pos) . substr($salt, 0, $pos);
    $salt = hash($algo, $salt);
    $len = strlen($salt) - 1;
    $data2 = hash($algo, $data2);
    $pos = (ord($data2[$len - 1]) % ord($data2[0])) * 12;
    // intdiv() keeps the offsets integers (float string offsets are deprecated in PHP 8.1).
    $half = intdiv($len, 2);
    // Splice the hashed salt into the middle of the hashed input and hash once more.
    $data2 = substr($data2, 0, $half) . $salt . substr($data2, $half, $len);
    $data2 = hash($algo, $data2);
    return $data2;
}
?>


Use it like: echo getHash('password');

If it echoes nothing (returns FALSE), use getHash('password', 'sha1');

And this is how you validate the password:

<?php
// $link_id is the connection returned by mysql_connect(). The user name is
// escaped; the password is never put into the query as typed, only its hash.
$result = mysql_query('SELECT * FROM table_name
WHERE user="' . mysql_real_escape_string($_POST['user'], $link_id) . '" AND
password = "' . getHash($_POST['pass']) . '"', $link_id);
if(mysql_num_rows($result) == 1)
{
    //Password is correct
}
else
{
    //Password is wrong
}
?>

Also make sure that the user field in your table is PRIMARY or UNIQUE.
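As an added example (not the poster's code), the same register-then-verify flow using PHP's built-in password_hash()/password_verify(), which chooses a random salt per password and a deliberately slow algorithm, together with mysqli prepared statements so no user input is concatenated into SQL. It assumes a `users` table with `username` (UNIQUE) and `password_hash` (VARCHAR(255)) columns and an open mysqli connection in `$db`; those names are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes a table `users` with columns
// `username` (UNIQUE) and `password_hash` VARCHAR(255), and an open mysqli
// connection in $db (assumed names).

function registerUser(mysqli $db, string $user, string $pass): bool
{
    // password_hash() draws a fresh random salt per password and applies a slow
    // algorithm (bcrypt under PASSWORD_DEFAULT); the salt and cost are stored
    // inside the returned string, so no hand-rolled salting is needed.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function checkLogin(mysqli $db, string $user, string $pass): bool
{
    // Fetch the stored hash by username only: the password never enters the
    // query, and the bound parameter cannot change the SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;                      // unknown user
    }
    // password_verify() re-derives the hash with the stored salt/cost and
    // compares in a timing-safe way.
    if (!password_verify($pass, $storedHash)) {
        return false;
    }
    // Transparently upgrade hashes made with an older cost on successful login.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $new = password_hash($pass, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->bind_param('ss', $new, $user);
        $upd->execute();
        $upd->close();
    }
    return true;
}

// Checks that need no database: two hashes of one password differ (fresh salt
// each time) yet both verify, while a wrong password does not.
$h1 = password_hash('correct horse', PASSWORD_DEFAULT);
$h2 = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump($h1 !== $h2, password_verify('correct horse', $h2), password_verify('wrong', $h1));
```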

The short answer is this:


Probably when you added the password to the database the first time, you took the password, applied the MD5 hash to it, then inserted it into the database, kind of like this:

// Quote the string values and escape the user name; the password is inserted as its md5 hash.
$sql = "INSERT INTO table_name (id, username, password) VALUES (1, '"
     . mysql_real_escape_string($_POST['username']) . "', '"
     . md5($_POST['password']) . "')";

So to check it, you use something like this:

// Hash the submitted password the same way and compare against the stored hash.
$sql = "SELECT * FROM table_name WHERE username = '"
     . mysql_real_escape_string($_POST['username']) . "' AND password = '"
     . md5($_POST['password']) . "'";

You have to hash the password before you check it against what the server has stored.


It isn't a bad idea to use a stronger hash, as mentioned above, or to add a string to the password prior to hashing to make the system more secure.

Hope this helps,

Handy PHP


Handy PHP:


What would be the proper syntax if I defined a variable as $myusername and $mypassword like this first before using the SQL statement:

// Escape the user name before it goes into the query; hash the password (no stray "." before sha1()).
$myusername = mysql_real_escape_string($_POST['myusername']);
$mypassword = sha1($_POST['mypassword']);

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and pass='$mypassword'";
$result = mysql_query($sql);

I've played with it but can't seem to get the syntax quite right.
