
how to encrypt?


neo777ph


The best way to deal with passwords is to hash them. Hashing means a one-way encryption (i.e., it can't be decoded).

Then, instead of decrypting the password when you want to compare it to the given one, you hash the given password and compare the two hashes.

You can use md5() or sha1() (and there are more functions that calculate different hashes). A great php-hashing tutorial can be found here.

 

If you still insist on going with encryption/decryption (although it takes more resources and is less secure), go for the mcrypt library :)

 

 

Orio.

https://forums.phpfreaks.com/topic/41432-how-to-encrypt/#findComment-200716

also a built-in password encryption in mysql. example: "insert into tablename password('$password') where x=y"

 

The MySQL password function is not intended to be used in client code. It's an internally used function and is not recommended for use, as its algorithm is subject to change between versions.

https://forums.phpfreaks.com/topic/41432-how-to-encrypt/#findComment-200738

Here's a nice mcrypt class for you (mcrypt allows decryption).

 

<?php
/***************************************************************
Data encryption class
(requires the mcrypt extension, which was deprecated in PHP 7.1
and removed from core in PHP 7.2)
***************************************************************/
/* usage example :
$encryption = new ubercrypt();
$encryption->key = "RQ2ByIw4g6u7FqLvtS+Nw1+tCRQaZKNf";
$encryption->encrypt_text = "secret";
$password = $encryption->encrypt();
echo ("encrypted pass = ".$password."<br />");
echo ($encryption->decrypt($password));
*/
class ubercrypt {
     var $key;
     var $encrypt_text;
     var $decrypt_text;

     function encrypt(){
          // Properties are read as $this->key; $this->$key would be a variable-variable lookup
          $key = $this->key;
          $input = $this->encrypt_text;
          // Newlines, tabs and carriage returns are stripped from the plaintext before encryption
          $input = str_replace("\n","",$input);$input = str_replace("\t","",$input);$input = str_replace("\r","",$input);
          // Triple DES key: the first 24 hex characters of md5($key)
          $key = substr(md5($key),0,24);
          $td = mcrypt_module_open ('tripledes', '', 'ecb', '');
          // ECB mode does not use the IV, so equal plaintext blocks give equal ciphertext blocks
          $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
          mcrypt_generic_init ($td, $key, $iv);
          $encrypted_data = mcrypt_generic ($td, $input);
          mcrypt_generic_deinit ($td);
          mcrypt_module_close ($td);
          return trim(chop(base64_encode($encrypted_data)));
     }

     function decrypt($input){
          $key = $this->key;
          // Whitespace is removed from the base64 text only
          $input = str_replace("\n","",$input);$input = str_replace("\t","",$input);$input = str_replace("\r","",$input);
          // No trim() on the decoded bytes: ciphertext is binary and may end in whitespace or NUL bytes
          $input = base64_decode($input);
          $td = mcrypt_module_open ('tripledes', '', 'ecb', '');
          $key = substr(md5($key),0,24);
          $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
          mcrypt_generic_init ($td, $key, $iv);
          $decrypted_data = mdecrypt_generic ($td, $input);
          mcrypt_generic_deinit ($td);
          mcrypt_module_close ($td);
          // mcrypt pads the last block with NUL bytes; trim() removes them and any trailing whitespace
          return trim(chop($decrypted_data));
     }
}
?>

https://forums.phpfreaks.com/topic/41432-how-to-encrypt/#findComment-200832
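For data that really must be decrypted later, here is an added example (not part of the original post) with the same encrypt/decrypt shape as the class above, built on PHP's openssl extension because mcrypt is no longer shipped with PHP. The function names and the demo key are assumptions; AES-256-GCM with a random nonce is swapped in for Triple DES in ECB mode, so equal plaintexts no longer produce equal ciphertexts and modified ciphertext is rejected.

```php
<?php
// Added example: authenticated encryption with ext/openssl (PHP 7.1+).
function gcm_encrypt(string $plaintext, string $key): string
{
    $nonce = random_bytes(12);          // fresh 96-bit nonce for every message
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout: nonce (12 bytes) | tag (16 bytes) | ciphertext
    return base64_encode($nonce . $tag . $ct);
}

function gcm_decrypt(string $encoded, string $key): ?string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;                    // not base64 or too short to hold nonce and tag
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = (string) substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $pt === false ? null : $pt;  // false means the tag did not verify
}

// Demo key constructed here; a real key is generated once and kept outside the source code.
$key = random_bytes(32);

$a = gcm_encrypt('secret', $key);
$b = gcm_encrypt('secret', $key);
var_dump($a !== $b);                              // same plaintext, different ciphertext
var_dump(gcm_decrypt($a, $key) === 'secret');     // round trip

// Flip one bit of the stored value: the tag check fails and nothing is returned.
$raw = base64_decode($a);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
var_dump(gcm_decrypt(base64_encode($raw), $key) === null);
```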

I successfully converted the user input pwd into md5 and inserted it to the db..

this is done by:

$pwd = md5($md5);

sql = "UPDATE security SET pwd = '$pwd', flagfirst = 1 WHERE idsec='$idsec'";

 

 

 

However, I tried to log in and compare the user input pwd to the db.. I could not log in..

here is my code:

ex.

 

$uname = trim($_SESSION['signum'],' ');

$pwd = md5(trim($_SESSION['pwd'],' '));

 

$strsql = "Select * from security where signum='$uname' and pwd = '$pwd' ";

 

//this code is vulnerable to SQL injection.. could you also provide anti-SQL-injection techniques for beginners like me?

https://forums.phpfreaks.com/topic/41432-how-to-encrypt/#findComment-201414

For security, run all text form elements through mysql_real_escape_string(), e.g.

$username=mysql_real_escape_string($_POST['username']);

 

 

Post the code where you define $md5.... if it is a password you don't want to give out... then change the word to password or something, but it will help to see the rest of the code.

https://forums.phpfreaks.com/topic/41432-how-to-encrypt/#findComment-201443

Thanks for the code, sir.. mysql_real_escape_string

Below is my code when I convert the pwd inputted by the user to md5..

<?php
$idsec = $_SESSION['idsec'];
$pwd1 = $_POST['pwd1'];
$pwd2 = $_POST['pwd2'];
//echo $idsec.$pwd1 .$pwd2;
if ($idsec != '' && $pwd1 != '' && $pwd2 != '')
{
    $pwd1 = md5($pwd1);
    $pwd2 = md5($pwd2);
    $strsql = "UPDATE security SET pwd = '$pwd1', flagfirst = 1 WHERE idsec='$idsec'";
    mysql_query($strsql);
    echo "<script>alert('Your Password Was Successful Changed!');window.location='http://mywebsite/index_main.php';</script>";
}
?>

If a user logs in again to my system, how can I do a comparison between the user pwd form input and the md5 pwd in the db?

I tried..

<?php
$_SESSION['pwd'] = $_POST['pwd'];
$uname = trim($_SESSION['signum'],' ');
$pwd = md5(trim($_SESSION['pwd'],' '));

$strsql = "Select * from security where signum='$uname' and pwd = '$pwd' ";
$result = mysql_query($strsql);
?> //not ok//help.

https://forums.phpfreaks.com/topic/41432-how-to-encrypt/#findComment-201462

ok... the code looks good to me.. I cannot find any errors offhand. I am still confused as to where the $md5 variable was set.

 

$pwd = md5($md5);

sql = "UPDATE security SET pwd = '$pwd', flagfirst = 1 WHERE idsec='$idsec'";

 

I have to assume that line was typed into the forum by hand and it was simply a typo because in the code you posted, you had no $md5 variable.

 

 

I would suggest manually comparing the passwords. Open phpmyadmin and look at the password in question.

 

echo the md5(trim($_POST['pwd'])) line and make sure the 2 hashed strings are the same.

 

You are correct in the last part.

 

<?php
$_SESSION['pwd'] = $_POST['pwd'];
$uname = trim($_SESSION['signum'],' ');
$pwd = md5(trim($_SESSION['pwd'],' '));

$strsql = "Select * from security where signum='$uname' and pwd = '$pwd' ";
$result = mysql_query($strsql);
?>

 

 

This is the correct way to authenticate a person. If it is not working then add this line

 

echo mysql_num_rows($result);

 

 

If this line returns a 0 then it did not find a row with that username and password combination. If it returns 1 then it found that person.

 

Start with that and let us know what becomes of it.

 

 

https://forums.phpfreaks.com/topic/41432-how-to-encrypt/#findComment-201476
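The hash-and-compare advice at the top of the thread, the request for anti-SQL-injection techniques, and the password-change and login code above, combined in one added example that is not code from any poster. It swaps the thread's md5() and mysql_* calls (the mysql extension was removed in PHP 7.0) for password_hash()/password_verify() and PDO prepared statements; the table and column names follow the thread, while the function names, the in-memory SQLite database and the sample row are assumptions so that it runs stand-alone.

```php
<?php
// Added example: salted password hashing plus parameterized queries.
$db = new PDO('sqlite::memory:');   // stand-in for the MySQL database in the thread
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE security (idsec INTEGER PRIMARY KEY, signum TEXT UNIQUE, pwd TEXT, flagfirst INTEGER)');
$db->exec("INSERT INTO security (idsec, signum, pwd, flagfirst) VALUES (1, 'neo', '', 0)"); // constructed row

function change_password(PDO $db, int $idsec, string $pwd1, string $pwd2): bool
{
    if ($pwd1 === '' || $pwd1 !== $pwd2) {
        return false;               // both form fields must be filled in and equal
    }
    // Salted, deliberately slow hash; the salt and cost are stored inside the result.
    $hash = password_hash($pwd1, PASSWORD_DEFAULT);
    $st = $db->prepare('UPDATE security SET pwd = ?, flagfirst = 1 WHERE idsec = ?');
    $st->execute([$hash, $idsec]);  // values travel separately from the SQL text
    return $st->rowCount() === 1;
}

function login(PDO $db, string $signum, string $password): bool
{
    // A salted hash cannot be matched in the WHERE clause, so the row is
    // fetched by user name and the comparison happens in PHP.
    $st = $db->prepare('SELECT pwd FROM security WHERE signum = ?');
    $st->execute([$signum]);
    $stored = $st->fetchColumn();
    if ($stored === false) {
        return false;               // no such user
    }
    return password_verify($password, $stored);
}

var_dump(change_password($db, 1, 's3cret!', 's3cret!'));    // password stored
var_dump(login($db, 'neo', 's3cret!'));                     // correct password
var_dump(login($db, 'neo', 'wrong'));                       // wrong password
// Constructed input containing quotes: it is bound as data and matches no user.
var_dump(login($db, "neo' OR '1'='1", 'anything'));
```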

Archived

This topic is now archived and is closed to further replies.
