karimali831 Posted April 24, 2010
Hey, when a user sends an invite to join their team, the URL format is like:
?site=clans&action=clanjoin&clanID=459&password=547ed66d627d350f8b3847d24b661f49
I use md5 for password encryption, but you can't use an encrypted password to POST data? It would just say the password is incorrect unless I manually edit the row in phpMyAdmin with a random password and use that one. Is there a way to get the actual encrypted password instead of the decrypted one when I use an SQL fetch?
Pikachu2000 Posted April 24, 2010
md5() != encryption. md5() is a hashing algorithm. You would need to store the hash of the password in the db, then check the hash of the submitted password against it when authenticating the submitted password.
karimali831 Posted April 24, 2010
Thanks for your reply. Is there a tutorial for this?
Pikachu2000 Posted April 24, 2010
I'm starting to wonder, just what is it you're trying to do? Are you trying to protect the password string while it's in transit from the user's browser to your site? If that's the case, you need to be looking at using SSL with an https:// connection. If you just want the password to be stored as a hash value in the database, it would be done such as:
$sql = "INSERT INTO users (username, password) VALUES ('$username', '" . md5($password) . "')";
making sure the password field in the db is the right size/type to hold the hash.
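Added example, not code from any poster in this thread, showing the store-the-hash, re-hash-and-compare flow described in the two replies above as a complete script. It swaps the md5() shown above for PHP's password_hash()/password_verify() (bcrypt by default, salted and deliberately slow), and binds the values with a prepared statement instead of interpolating them into the SQL string. It runs against an in-memory SQLite database through PDO; the table and column names are assumptions, not the poster's schema.

```php
<?php
// Added example (not from the thread): store only a password HASH and
// authenticate by re-hashing the submitted value and comparing.
// password_hash() picks a random salt per user and embeds it in the output,
// so identical passwords yield different hashes; md5() is unsalted and fast,
// which is why leaked md5 hashes fall to precomputed tables quickly.

$db = new PDO('sqlite::memory:');   // in-memory DB so the script is self-contained
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Column is TEXT: a bcrypt hash is 60 characters, longer than the 32 of md5.
$db->exec('CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    username      TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement: the user-supplied values never touch the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one verify against a dummy hash so the
        // response time does not reveal which usernames exist.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return false;
    }
    // password_verify() reads the salt and cost out of the stored hash.
    return password_verify($password, $row['password_hash']);
}

registerUser($db, 'alice', 'correct horse battery staple');

var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));  // right password
var_dump(checkLogin($db, 'alice', 'wrong password'));                // wrong password
var_dump(checkLogin($db, 'nobody', 'anything'));                     // user does not exist
```

The stored value can never be turned back into the password, which is exactly what the original poster is running into: once you hash, the only thing you can do with the column is compare against a fresh hash of something the user types.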
karimali831 Posted April 24, 2010
Like for example, when a user retrieves a lost password and they email it to themselves, they will get the password and not the decrypted one in the database. Understand? I'm not familiar with this password hashing..
mrMarcus Posted April 24, 2010
You can't do that using md5. It's a one-way hashing system, meaning once it's hashed you cannot "un-hash" it, so to speak. Sending a user their password via email is not safe. Instead, if the user can't remember their password, create a "password reset" script so they can create a new one.
NOTE: I must clarify that while it is technically possible to use brute-force attacks and such against a value hashed using md5, it is not something the average person is capable of doing, and you surely aren't going to find a "script" to do so. So, just go with what I suggested in creating a password reset.
karimali831 Posted April 24, 2010
Well, in my case, for leagues and tournaments, a team leader sends an invite to someone to join their team with one link. Many leagues have this.. no one is really going to care if it's safe or not, as it's just a team that takes part in leagues and not credit card information. As you said, there is no way of getting the password once it's encrypted using md5; is there an alternative, or must I not use encryption altogether? There is a league that is very active, around 15k users online, that uses decrypted passwords and a join link like /join_team/4971608/?joinpw=mypassword
Pikachu2000 Posted April 24, 2010
Maybe this link will help
mrMarcus Posted April 24, 2010
karimali831 wrote:
Well, in my case, for leagues and tournaments, a team leader sends an invite to someone to join their team with one link. Many leagues have this.. no one is really going to care if it's safe or not, as it's just a team that takes part in leagues and not credit card information. As you said, there is no way of getting the password once it's encrypted using md5; is there an alternative, or must I not use encryption altogether? There is a league that is very active, around 15k users online, that uses decrypted passwords and a join link like /join_team/4971608/?joinpw=mypassword
I'm not going to try and sell you on security. In my head, security is always a must, as it does not really require much more effort than a non-secured site. But if you don't care about secure passwords, then don't use them.
GetPutDelete Posted April 24, 2010
If you're going to let the user choose their own password then you need to encrypt it (need as in ethically); if you are automatically generating them then just don't worry about encryption. An alternative to your problem could be to use a generated session hash as a GET variable instead of the password; then in the db the session hash will be associated to the user's account and you can go from there.
havenpets Posted April 25, 2010
Or, when a user requests their password, make them verify username & e-mail address and reset their password, mail them the new one (before md5() is in place), then md5() the password and insert it into the database. =) Easy as 1... 2... 3... That's what I do!
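Added example, not code from any poster in this thread. GetPutDelete's "generated session hash as a GET variable" for the join link and mrMarcus's "password reset script" are the same mechanism: a random, single-use, expiring token that stands in for the secret in the URL, looked up in the database and spent on first use. Only a hash of the token is stored, so a leaked table does not hand out live links. The reset flow below follows havenpets' username-and-e-mail check but mails a reset link instead of a new password, so nothing secret goes over e-mail. It runs against in-memory SQLite through PDO; the table and column names, the clanID/userID values and the example.com URL are assumptions.

```php
<?php
// Added example (not from the thread): one opaque-token helper used for both
// team-invite links and password-reset links.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tokens (
    token_hash TEXT PRIMARY KEY,   -- sha256 of the token the user holds
    purpose    TEXT NOT NULL,      -- "clanjoin" or "pwreset"
    subject    INTEGER NOT NULL,   -- clanID or userID the token is bound to
    expires_at INTEGER NOT NULL,   -- unix time
    used       INTEGER NOT NULL DEFAULT 0
)');

// Mint a token for one purpose and one subject; return the value for the link.
function issueToken(PDO $db, string $purpose, int $subject, int $ttlSeconds): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG: not guessable
    $stmt = $db->prepare('INSERT INTO tokens (token_hash, purpose, subject, expires_at)
                          VALUES (:h, :p, :s, :e)');
    $stmt->execute([
        ':h' => hash('sha256', $token),   // store the hash, never the token itself
        ':p' => $purpose,
        ':s' => $subject,
        ':e' => time() + $ttlSeconds,
    ]);
    return $token;
}

// Accept a token once. Unknown, expired, already-used, wrong-purpose and
// wrong-subject tokens all fail the same way.
function redeemToken(PDO $db, string $purpose, int $subject, string $token): bool
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT purpose, subject, expires_at, used FROM tokens
                          WHERE token_hash = :h');
    $stmt->execute([':h' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['used'] || $row['expires_at'] < time()
        || $row['purpose'] !== $purpose || (int) $row['subject'] !== $subject) {
        return false;
    }
    // Spend it in the same statement that re-checks "still unused", so two
    // requests racing on the same link cannot both succeed.
    $upd = $db->prepare('UPDATE tokens SET used = 1 WHERE token_hash = :h AND used = 0');
    $upd->execute([':h' => $hash]);
    return $upd->rowCount() === 1;
}

// Team invite: the leader's link carries a token instead of the clan password.
$clanId = 459;   // clanID from the original post's URL
$invite = issueToken($db, 'clanjoin', $clanId, 7 * 24 * 3600);   // valid one week
$link   = "?site=clans&action=clanjoin&clanID=$clanId&token=$invite";

// Handler side, parsing the link the invitee followed:
parse_str(substr($link, 1), $q);
var_dump(redeemToken($db, 'clanjoin', (int) $q['clanID'], $q['token']));   // first use
var_dump(redeemToken($db, 'clanjoin', (int) $q['clanID'], $q['token']));   // same link again

// Password reset: issue only after username AND e-mail match the account,
// e-mail the link, and let the user choose a new password on reset.php.
$userId    = 17;
$reset     = issueToken($db, 'pwreset', $userId, 15 * 60);   // short-lived
$resetLink = "https://example.com/reset.php?uid=$userId&token=$reset";   // placeholder host
var_dump(redeemToken($db, 'clanjoin', $userId, $reset));   // reset token offered as an invite
var_dump(redeemToken($db, 'pwreset', $userId, $reset));    // correct purpose and subject
```

Because the link carries a token rather than the password, the clan password (or the user's account password) never appears in a URL, browser history, referer header or access log, and revoking an invite is a single row update rather than a password change for the whole team.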