how to encrypt?

[neo777ph]

how to encrypt and decrypt a field value from mysql?

 

i want to encrpt a password coming from my user before i would insert it to the database..

 

i used ENCRYPT on my sql statement..however when i checked the field..it was empty.

 

please help me on this..

[trq]

Most people use the md5 function, however it cannot be unencypted. This is usually not needed.

[Orio]

The best way to deal with passwords is to hash them. Hashing means a one way encryption (IE- it can't be decoded).

Then, instead of decrypting the password when you want to compare it to the given one, you hash the given password and compare the two hashes.

You can use md5() or sha1() (and there are more functions that calculate different hashes). A great php-hashing tutorial can be found here.

 

If you still insist going on with encryption/decryption (although it takes more resources and is lest secure), go for the mycrypt library

 

 

Orio.

[iceman400]

also a built-in password encryption in mysql. example: "insert into tablename password('$password') where x=y"

[trq]

also a built-in password encryption in mysql. example: "insert into tablename password('$password') where x=y"

 

The mysql password function is not intended to be used in client code. Its an internally used function and is not recommended for use as its algorythm is subject to change between versions.

[iceman400]

bugger! then i have 2 chnge some of my own code...lol

[mbtaylor]

Heres a nice mcrypt class for you (mcrypt allows de-encryption).

 

<?
/***************************************************************
Data encryption class
***************************************************************/
/* usage example : 
$encryption = new ubercrypt();
$encryption->$key = "RQ2ByIw4g6u7FqLvtS+Nw1+tCRQaZKNf";
$encryption->$encrypt_text = "secret";
$password = $encryption->encrypt();
echo ("encrypted pass = ".$password."<br />");
echo ($encryption->decrypt($password));
*/
class ubercrypt {
var $key;
var $encrypt_text;		
var $decrypt_text;		
function encrypt(){
          $key = $this->$key;
          $input = $this->$encrypt_text;			
          $input = str_replace("\n","",$input);$input = str_replace("\t","",$input);$input = str_replace("\r","",$input);
          $key = substr(md5($key),0,24);
          $td = mcrypt_module_open ('tripledes', '', 'ecb', '');
          $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
          mcrypt_generic_init ($td, $key, $iv);
          $encrypted_data = mcrypt_generic ($td, $input);
          mcrypt_generic_deinit ($td);
          mcrypt_module_close ($td);
          return trim(chop(base64_encode($encrypted_data)));
}
function decrypt($input){
          $key = $this->$key;
          $input = str_replace("\n","",$input);$input = str_replace("\t","",$input);$input = str_replace("\r","",$input);
          $input = trim(chop(base64_decode($input)));
          $td = mcrypt_module_open ('tripledes', '', 'ecb', '');
          $key = substr(md5($key),0,24);
          $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
          mcrypt_generic_init ($td, $key, $iv);
          $decrypted_data = mdecrypt_generic ($td, $input);
          mcrypt_generic_deinit ($td);
          mcrypt_module_close ($td);
          return trim(chop($decrypted_data));
     } 	
}
?>

[neo777ph]

I successfully converted the user input pwd into md5 and inserted it to the db..

this is done by:

$pwd = md5($md5);

sql = "UPDATE security SET pwd = '$pwd', flagfirst = 1 WHERE idsec='$idsec'";

 

 

 

however, i tried to login and compare the user input pwd to the db..I could not login..

here is my code:

ex.

 

$uname = trim($_SESSION['signum'],' ');

$pwd = md5(trim($_SESSION['pwd'],' '));

 

$strsql = "Select * from security where signum='$uname' and pwd = '$pwd' ";

 

//this code is vulnerable to SQL injection..could you also provide Anti - SQL injection techniques for beginners like me.

[chronister]

for security run all text form elements through mysql_real_escape_string() e.g

 

$username=mysql_real_escape_string($_POST['username'])

 

 

Post the code where you define $md5.... if it is a password you don't want to give out... then change the word to password or something, but it will help to see the rest of the code.

[neo777ph]

Thnx to the code sir.. mysql_real_escape_string

below is my code when i convert the pwd inputed by user to md5..

<?

$idsec = $_SESSION['idsec'];

$pwd1 = $_POST['pwd1'];

$pwd2 = $_POST['pwd2'];

//echo $idsec.$pwd1 .$pwd2;

if ($idsec != '' && $pwd1 != '' && $pwd2 != '')

{

$pwd1 = md5($pwd1);

$pwd2 = md5($pwd2);

$strsql = "UPDATE security SET pwd = '$pwd1', flagfirst = 1 WHERE idsec='$idsec'";

mysql_query($strsql);

echo "<script>alert('Your Password Was Successful Changed!');window.location='http://mywebsite/index_main.php';</script>";

}

?>

If a user log's - in again to my system. how can i do comparison from user pwd form input and the md5 pwd at the db?

I tried..

<?

$_SESSION['pwd'] = $_POST[pwd];

$uname = trim($_SESSION['signum'],' ');

$pwd = md5(trim($_SESSION['pwd'],' '));

 

$strsql = "Select * from security where signum='$uname' and pwd = '$pwd' ";

$result = mysql_query($strsql);

?> //not ok//help.

[chronister]

ok... the code looks good to me.. I cannot find any errors offhand. I am still confused as to where the $md5 variable was set.

 

$pwd = md5($md5);

sql = "UPDATE security SET pwd = '$pwd', flagfirst = 1 WHERE idsec='$idsec'";

 

I have to assume that line was typed into the forum by hand and it was simply a typo because in the code you posted, you had no $md5 variable.

 

 

I would suggest manually comparing the passwords. Open phpmyadmin and look at the password in question.

 

echo the md5(trim($_POST['pwd'])) line and make sure the 2 hashed strings are the same.

 

You are correct in the last part.

 

<?php
$_SESSION['pwd'] = $_POST[pwd];
$uname = trim($_SESSION['signum'],' ');
$pwd = md5(trim($_SESSION['pwd'],' '));

$strsql = "Select * from security where signum='$uname' and pwd = '$pwd' ";
$result = mysql_query($strsql);
?>

 

 

This is the correct way to authenticate a person. If it is not working then add this line

 

echo mysql_num_rows($result);

 

 

If this line returns a 0 then it did not find a row with that username and password combination. If it returns 1 then it found that person.

 

Start with that and let us know what becomes of it.

 

 

[neo777ph]

md5 works perfectly..it is my fault.. the lenght pwd field i defined at mysql is only 20..md5 requires 32..

tnx guys!

 

my system is better now..