uswebproFreak Posted December 16, 2005

Hey I found out how to hash text when inserting:

    INSERT INTO tablename (fieldname, other_fieldname) VALUES (password('secret_stuff'), 'other_data')

'secret_stuff' is changed to: 2d7510136b7a8a7e

how do I un-hash it, so I can use the info?

neomicron Posted December 17, 2005

QUOTE (uswebproFreak @ Dec 15 2005, 08:27 PM)
> Hey I found out how to hash text when inserting:
> INSERT INTO tablename (fieldname, other_fieldname) VALUES (password('secret_stuff'), 'other_data')
> 'secret_stuff' is changed to: 2d7510136b7a8a7e
> how do I un-hash it, so I can use the info?

Often times a hash is stored for passwords and other information to be verified against the user input. In your case, rather than un-hashing the password field, try something like this:

    $pw = $_POST['password']; // get the password the user entered into our site
    $user = $_POST['username']; // get the username the user entered
    // Deliberately naive: user input is concatenated straight into the SQL string
    $sql = "SELECT * FROM `accounts` WHERE `username` = '".$user."' AND `password` = password('".$pw."');";

Execute this query and it will return information if the usernames match. Now, this is a pretty bad example (sql injection among other things) but it is just to show a point. Rather than trying to un-hash your database values to compare to user input, just hash the user input and see if they match, i.e.

    $userinput = "test";
    md5("test") == md5($userinput);

will return as true.

uswebproFreak Posted December 17, 2005 Author

I told my hosting company I'm storing CC (credit card) info in my database. They said I should encrypt it first. You didn't really answer my question. Can I use the password function to hash a CC # then later unhash it to use it in a report?

wildteen88 Posted December 20, 2005

If you are storing CC information I would recommend you find a host that provides SSL (Secure Socket Layer), unless your host currently does, as this encrypts the data sent to and received from the server. Otherwise if a hacker hacks into your database and finds CC info then your customers aren't going to be very happy! Also when you use md5 or the password function for that matter you can't decrypt these, although you can with brute force.

fenway Posted December 23, 2005

First, you should be cautious of using the PASSWORD() and MD5() functions of MySQL if you're sending the queries over a non-SSL connection -- the unhashed text will appear in thousands of logs! A very bad idea indeed -- PHP has built-in functions for MD5, for example, so you would encode your string in middleware, and then send that value over the network, so you're never exposed.

Second, the whole reason that these hashes are used is that they are one-way hash functions, which by definition cannot be "unhashed", since there isn't a one-to-one relationship between (str) and H(str).

Third, I hope you have a really good reason for storing the CC numbers! There's rarely a need for it -- and in your reports, you shouldn't be showing the entire card number, either. My recommendation would be to store the first 4 / last 4 digits of the card number in your DB, and use that in the report (e.g. 4500****1234). Why would you need your customer's complete credit card number in a report?