
uswebproFreak

password - how to UN-Hash?


Hey I found out how to hash text when inserting:

 

INSERT INTO tablename (fieldname, other_fieldname) VALUES (password('secret_stuff'), 'other_data')

 

 

'secret_stuff' is changed to: 2d7510136b7a8a7e how do I un-hash it, so I can use the info?

 

 


QUOTE (uswebproFreak @ Dec 15 2005, 08:27 PM):

Hey I found out how to hash text when inserting:

 

INSERT INTO tablename (fieldname, other_fieldname) VALUES (password('secret_stuff'), 'other_data')

'secret_stuff' is changed to: 2d7510136b7a8a7e how do I un-hash it, so I can use the info?

 

Oftentimes a hash is stored for passwords and other information to be verified against the user input. In your case, rather than un-hashing the password field, try something like this:

 

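$pw = $_POST['password']; // get the password the user entered into our site
$user = $_POST['username']; // get the username the user entered
// password() needs its argument quoted as a SQL string literal
$sql = "SELECT * FROM `accounts` WHERE `username` = '".$user."' AND `password` = password('".$pw."');";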

 

Execute this query and it will return information if the usernames match. Now, this is a pretty bad example (SQL injection among other things) but it is just to show a point.

 

Rather than trying to un-hash your database values to compare to user input, just hash the user input and see if they match.

 

i.e.

$userinput = "test";
md5("test") == md5($userinput); // compare the hash of the known value with the hash of the input

 

will return as true

 


I told my hosting company I'm storing CC (credit card) info in my database.

They said I should encrypt it first.

 

You didn't really answer my question.

 

Can I use the password function to hash a CC # then later unhash it to use it in a report?


If you are storing CC information I would recommend you find a host that provides SSL (Secure Socket Layer), unless your host currently does, as this encrypts the data sent and received from the server. Otherwise if a hacker hacks into your database and finds CC info then your customers aren't going to be very happy!

 

Also, when you use md5 or the password function for that matter, you can't decrypt these, although you can with brute force.


First, you should be cautious of using the PASSWORD() and MD5() functions of MySQL if you're sending the queries over a non-SSL connection -- the unhashed text will appear in thousands of logs! A very bad idea indeed -- PHP has built-in functions for MD5, for example, so you would encode your string in middleware, and then send that value over the network, so you're never exposed.

 

Second, the whole reason that these hashes are used is that they are one-way hash functions, which by definition cannot be "unhashed", since there isn't a one-to-one relationship between (str) and H(str).

 

Third, I hope you have a really good reason for storing the CC numbers! There's rarely a need for it -- and in your reports, you shouldn't be showing the entire card number, either. My recommendation would be to store the first 4 / last 4 digits of the card number in your DB, and use that in the report (e.g. 4500****1234). Why would you need your customer's complete credit card number in a report?


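An added example, not part of any post in this thread: the approach the replies describe (hash in PHP, verify instead of un-hashing, keep only the first 4 / last 4 card digits), using PHP's password_hash() / password_verify() in place of MD5 or PASSWORD() and a PDO prepared statement in place of the concatenated query. The table layout, the function names and the in-memory SQLite database standing in for MySQL are assumptions so that it runs stand-alone.

```php
<?php
// Added example, not code from the thread. Table, columns and function names are hypothetical.
declare(strict_types=1);

// In-memory SQLite stands in for the MySQL database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, pw_hash TEXT, card_masked TEXT)');

// Keep only the first 4 and last 4 digits, in the 4500****1234 form suggested above.
function maskCard(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 13 || strlen($digits) > 19) {
        throw new InvalidArgumentException('not a plausible card number');
    }
    return substr($digits, 0, 4) . '****' . substr($digits, -4);
}

function register(PDO $db, string $user, string $password, string $pan): void
{
    // Hashing happens in PHP, so the plaintext password never appears in a SQL
    // statement or a query log; the full card number is never stored at all.
    $stmt = $db->prepare('INSERT INTO accounts (username, pw_hash, card_masked) VALUES (?, ?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT), maskCard($pan)]);
}

function login(PDO $db, string $user, string $password): bool
{
    // Bound placeholders keep user input out of the SQL text.
    $stmt = $db->prepare('SELECT pw_hash FROM accounts WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // The stored hash is salted, so it is checked with password_verify()
    // rather than by hashing the input again and comparing strings.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample data (made-up card number, not a real account).
register($db, 'alice', 'secret_stuff', '4500 1111 2222 1234');
var_dump(login($db, 'alice', 'secret_stuff'));   // correct password
var_dump(login($db, 'alice', 'wrong'));          // wrong password
var_dump(login($db, "alice' OR '1'='1", 'x'));   // quote characters are treated as data
echo $db->query('SELECT card_masked FROM accounts')->fetchColumn(), "\n";
```

Because password_hash() generates a fresh salt on every call, two hashes of the same password differ, which is why the login path reads the stored hash back and hands it to password_verify().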