password - how to UN-Hash?


4 replies to this topic

#1 uswebproFreak (Members, Newbie, 2 posts)

Posted 16 December 2005 - 02:27 AM

Hey I found out how to hash text when inserting:

INSERT INTO tablename (fieldname, other_fieldname) VALUES (password('secret_stuff'), 'other_data')


'secret_stuff' is changed to: 2d7510136b7a8a7e how do I un-hash it, so I can use the info?



#2 neomicron (New Members, Newbie, 2 posts)

Posted 17 December 2005 - 01:16 PM

QUOTE (uswebproFreak @ Dec 15 2005, 08:27 PM):
> Hey I found out how to hash text when inserting:
>
> INSERT INTO tablename (fieldname, other_fieldname) VALUES (password('secret_stuff'), 'other_data')
>
> 'secret_stuff' is changed to: 2d7510136b7a8a7e how do I un-hash it, so I can use the info?

Oftentimes a hash is stored for passwords and other information to be verified against the user input. In your case, rather than un-hashing the password field, try something like this:

$pw = $_POST['password'];   // the password the user entered on our site
$user = $_POST['username'];
// built by string concatenation, so it is open to SQL injection (see below)
$sql = "SELECT * FROM `accounts` WHERE `username` = '".$user."' AND `password` = password('".$pw."');";

Execute this query and it will return information if the usernames match. Now, this is a pretty bad example (SQL injection, among other things), but it is just to show a point.

Rather than trying to un-hash your database values to compare to user input, just hash the user input and see if they match.

i.e.
$userinput = "test";
md5("test") == md5($userinput);

will evaluate to true
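The approach in the post above, as an added example that is not code from the thread: the stored value is never "un-hashed"; the submitted password is hashed again and the two hashes are compared. SQLite in memory stands in for MySQL, and a registered `password()` function stands in for MySQL's PASSWORD() (assumption: the MySQL 4.1+ formula, '*' followed by upper-case SHA1(SHA1(pw)); the 16-character value in the first post is the older pre-4.1 format, which this does not reproduce). The query from the post is kept as written, vulnerable, next to a hardened version that hashes in the application, binds parameters and compares in constant time. The account and the attacker input are constructed for the demo.

```python
"""Verify a password by re-hashing the input, never by reversing the stored hash.

Added example, not from the thread. SQLite stands in for MySQL; the registered
`password()` function is a stand-in for MySQL PASSWORD() (4.1+ formula assumed).
"""
import hashlib
import hmac
import sqlite3


def mysql41_password(plaintext: str) -> str:
    """Stand-in for MySQL 4.1+ PASSWORD(): '*' + hex(SHA1(SHA1(pw))).upper()."""
    inner = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def setup_db() -> sqlite3.Connection:
    """Constructed sample table with one account. The hash is computed in the
    application and sent as a bound parameter, so the plaintext never appears
    in the SQL text (and therefore never in a query log)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("password", 1, mysql41_password)
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO accounts VALUES (?, ?)",
                 ("alice", mysql41_password("secret_stuff")))
    conn.commit()
    return conn


def login_as_posted(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """The pattern from the post, kept deliberately vulnerable: the query is
    built by string concatenation and the hash is computed by the database,
    so the plaintext travels inside the SQL text and either input can break
    out of its quotes."""
    sql = ("SELECT * FROM accounts WHERE username = '" + user + "' "
           "AND password = password('" + pw + "')")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Same check done safely: fetch the stored hash with a bound parameter,
    hash the submitted password in the application, compare in constant time."""
    row = conn.execute("SELECT password FROM accounts WHERE username = ?",
                       (user,)).fetchone()
    if row is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hmac.compare_digest(mysql41_password(pw), mysql41_password(""))
        return False
    return hmac.compare_digest(row[0], mysql41_password(pw))


def demo() -> dict:
    """Run both versions against correct, wrong and injected input."""
    conn = setup_db()
    # Constructed attacker input: closes the quote and comments out the password check.
    bypass = "alice' -- "
    return {
        "posted_correct": login_as_posted(conn, "alice", "secret_stuff"),
        "posted_wrong": login_as_posted(conn, "alice", "wrong"),
        "posted_bypass": login_as_posted(conn, bypass, "wrong"),
        "hardened_correct": login_hardened(conn, "alice", "secret_stuff"),
        "hardened_wrong": login_hardened(conn, "alice", "wrong"),
        "hardened_bypass": login_hardened(conn, bypass, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} -> {'login ok' if ok else 'denied'}")
```

The `posted_bypass` case is the point of the "SQL injection" remark in the post: with the username `alice' -- ` the concatenated query becomes `... WHERE username = 'alice' -- ' AND password = ...`, the password clause is commented out, and the login succeeds with any password. The hardened version treats the same string as a username that does not exist.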


#3 uswebproFreak (Members, Newbie, 2 posts)

Posted 17 December 2005 - 09:48 PM

I told my hosting company I'm storing CC (credit card) info in my database.
They said I should encrypt it first.

You didn't really answer my question.

Can I use the password function to hash a CC # and then later unhash it to use it in a report?

#4 wildteen88 (Staff Alumni, Advanced Member, 10,482 posts, Location: UK, Bournemouth)

Posted 20 December 2005 - 11:20 AM

If you are storing CC information I would recommend that you find a host that provides SSL (Secure Socket Layer), unless your host currently does, as this encrypts the data sent to and received from the server. Otherwise, if a hacker hacks into your database and finds CC info, your customers aren't going to be very happy!

Also, when you use md5 or the password function for that matter, you can't decrypt these, although you can with brute force.
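What "can't decrypt it, but you can with brute force" looks like in practice, as an added example that is not code from the thread. A constructed wordlist is hashed once into a lookup table, which recovers every unsalted MD5 in a constructed user table at once, including two users who chose the same password. Beside it, the same accounts stored with a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256 with a deliberately low iteration count, this example's choice and not anything from the thread): no shared table is possible, identical passwords no longer produce identical records, and each guess costs a full KDF run. Weak passwords are still found by the wordlist; the salt changes the cost, not the outcome for "letmein".

```python
"""Dictionary attack on unsalted MD5 versus salted PBKDF2 records.

Added example, not from the thread. Wordlist and user tables are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist, standing in for a real dictionary.
WORDLIST = ["123456", "password", "letmein", "secret_stuff", "qwerty", "dragon"]

# Constructed table of unsalted MD5 hashes, the scheme the thread discusses.
UNSALTED_DB = {
    "alice": hashlib.md5(b"secret_stuff").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"secret_stuff").hexdigest(),  # same password as alice
    "dave": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),    # not in the wordlist
}


def crack_unsalted(stored: dict, wordlist) -> dict:
    """One pass over the wordlist builds a hash -> word table; every account is
    then a single lookup, and accounts with the same hash fall together."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(h) for user, h in stored.items()}


PBKDF2_ITERS = 50_000  # kept low so the demo runs quickly; production uses more


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted slow hash stored as algo$iterations$salt$hash so it can be verified later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2_sha256${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: dict, wordlist) -> tuple:
    """No shared table: each record has its own salt, so each account costs up
    to len(wordlist) KDF runs. Returns (results, total_kdf_runs)."""
    results, runs = {}, 0
    for user, record in stored.items():
        results[user] = None
        for word in wordlist:
            runs += 1
            if verify_record(word, record):
                results[user] = word
                break
    return results, runs


def demo() -> dict:
    """Attack both storage schemes with the same wordlist and report what differs."""
    salted_db = {
        "alice": make_record("secret_stuff"),
        "bob": make_record("letmein"),
        "carol": make_record("secret_stuff"),
        "dave": make_record("Tr0ub4dor&3"),
    }
    salted_results, runs = crack_salted(salted_db, WORDLIST)
    return {
        "unsalted": crack_unsalted(UNSALTED_DB, WORDLIST),
        "unsalted_alice_eq_carol": UNSALTED_DB["alice"] == UNSALTED_DB["carol"],
        "salted": salted_results,
        "salted_alice_eq_carol": salted_db["alice"] == salted_db["carol"],
        "salted_kdf_runs": runs,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two result dicts come out the same (alice, bob and carol cracked, dave not), which is the point: salting and a slow KDF do not rescue a password that is in the attacker's wordlist, they only remove the one-table-cracks-everyone shortcut and multiply the cost per guess.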

#5 fenway (Staff Alumni, MySQL Si-Fu / PHP Resident Alien, 16,199 posts, Location: Toronto, ON)

Posted 23 December 2005 - 10:17 PM

First, you should be cautious of using the PASSWORD() and MD5() functions of MySQL if you're sending the queries over a non-SSL connection -- the unhashed text will appear in thousands of logs! A very bad idea indeed -- PHP has built-in functions for MD5, for example, so you would encode your string in middleware and then send that value over the network, so you're never exposed.

Second, the whole reason that these hashes are used is that they are one-way hash functions, which by definition cannot be "unhashed", since there isn't a one-to-one relationship between (str) and H(str).

Third, I hope you have a really good reason for storing the CC numbers! There's rarely a need for it -- and in your reports, you shouldn't be showing the entire card number, either. My recommendation would be to store the first 4 / last 4 digits of the card number in your DB, and use that in the report (e.g. 4500****1234). Why would you need your customer's complete credit card number in a report?
Seriously... if people don't start reading this before posting, I'm going to consider not answering at all.
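The "first 4 / last 4" idea from the post above, as an added example that is not code from the thread: keep only the part of the card number a report needs, and reject junk before it is stored. `mask_pan()` keeps the leading and trailing digits and replaces the middle (the post's `4500****1234` shape, with the hidden run as long as the digits it replaces); `normalize_pan()` and `luhn_valid()` make sure what arrives is a plausible card number at all. Assumptions of this example: the keep counts are parameters because which digits may be shown is a policy question the thread does not settle, and the card numbers used are constructed (4111111111111111 is a standard test number).

```python
"""Mask a card number to first/last digits for a report, after sanity checks.

Added example, not from the thread. Sample numbers are constructed test values.
"""
import re


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; require 12 to 19 digits (the length range of real PANs)."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("card number must be 12 to 19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str, keep_first: int = 4, keep_last: int = 4, fill: str = "*") -> str:
    """Return e.g. '4500********1234'. Raises ValueError on malformed or
    Luhn-failing input so garbage never reaches the report table."""
    pan = normalize_pan(raw)
    if not luhn_valid(pan):
        raise ValueError("Luhn check failed")
    if keep_first + keep_last >= len(pan):
        raise ValueError("mask would reveal the whole number")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + fill * hidden + pan[-keep_last:]


def report_field(raw: str) -> str:
    """What goes into the report row: the masked value, or a fixed marker."""
    try:
        return mask_pan(raw)
    except ValueError:
        return "invalid"


if __name__ == "__main__":
    # Constructed inputs: a valid number with dashes, a valid test number with
    # spaces, a number that fails Luhn, and plain junk.
    for sample in ["4500-0000-0003-1234", "4111 1111 1111 1111", "4500000000001234", "12ab"]:
        print(f"{sample!r:24} -> {report_field(sample)}")
```

Storing only the masked value, as the post recommends, means there is nothing to "unhash" later: the report is built from what was kept, and a database compromise exposes no full card numbers.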



