password - how to UN-Hash?


uswebproFreak


QUOTE(uswebproFreak @ Dec 15 2005, 08:27 PM):

Hey I found out how to hash text when inserting:

 

INSERT INTO tablename (fieldname, other_fieldname) VALUES (password('secret_stuff'), 'other_data')

'secret_stuff' is changed to: 2d7510136b7a8a7e. How do I un-hash it, so I can use the info?

 

Often times a hash is stored for passwords and other information to be verified against the user input. In your case, rather than un-hashing the password field, try something like this:

 

$pw = $_POST['password']; // get the password the user entered into our site
$user = $_POST['username'];

// PASSWORD() takes a string, so $pw has to be quoted inside the SQL text
$sql = "SELECT * FROM `accounts` WHERE `username` = '".$user."' AND `password` = password('".$pw."');";

 

Execute this query and it will return information if the usernames match. Now, this is a pretty bad example (sql injection among other things) but it is just to show a point.

 

Rather than trying to un-hash your database values to compare to user input, just hash the user input and see if they match.

 

i.e.

$userinput = "test";

md5("test") == md5($userinput); // compare the two hashes (==), not assign (=)

 

will return as true

 


If you are storing CC information I would recommend you to find a host that provides SSL (Secure Socket Layer), unless your host currently does, as this encrypts the data sent to and received from the server. Otherwise if a hacker hacks into your database and finds CC info then your customers aren't going to be very happy!

 

Also, when you use md5 or the password function for that matter, you can't decrypt these, although you can with brute force.


First, you should be cautious of using the PASSWORD() and MD5() functions of MySQL if you're sending the queries over a non-SSL connection -- the unhashed text will appear in thousands of logs! A very bad idea indeed -- PHP has built-in functions for MD5, for example, so you would encode your string in middleware, and then send that value over the network, so you're never exposed.

 

Second, the whole reason that these hashes are used is that they are one-way hash functions, which by definition cannot be "unhashed", since there isn't a one-to-one relationship between (str) and H(str).

 

Third, I hope you have a really good reason for storing the CC numbers! There's rarely a need for it -- and in your reports, you shouldn't be showing the entire card number, either. My recommendation would be to store the first 4 / last 4 digits of the card number in your DB, and use that in the report (e.g. 4500****1234). Why would you need your customer's complete credit card number in a report?

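The two recommendations in this thread (hash the submitted password and compare, rather than un-hashing the stored value; and hash in the application layer instead of inside the SQL text, then keep only a masked card number) worked through as an added example that is not code from any poster. It assumes a constructed in-memory SQLite `accounts` table and swaps in a salted PBKDF2-SHA256 digest for MySQL's PASSWORD()/MD5(); the parameterised query is what closes the injection hole the first reply points out in its own snippet.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the example)


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: the same password and salt always give the same digest,
    so verification never needs the original password back."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_db() -> sqlite3.Connection:
    # Constructed stand-in for the poster's `accounts` table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt defeats precomputed hash tables
    # Hashing happens here, in the application, so the cleartext never
    # travels inside a query where server logs could record it.
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
               (username, salt, hash_password(password, salt)))


def login_ok(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Hash what the user typed and compare with the stored digest.
    The username is bound as a parameter, so it cannot change the SQL."""
    row = db.execute("SELECT salt, pw_hash FROM accounts WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison: no timing hint about how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)


def mask_card(number: str) -> str:
    """Keep only the first 4 and last 4 digits, e.g. 4500****1234."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[:4] + "****" + digits[-4:]
```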
