neo777ph, posted March 6, 2007:

How do I encrypt and decrypt a field value from MySQL? I want to encrypt a password coming from my user before I insert it into the database. I used ENCRYPT in my SQL statement; however, when I checked the field, it was empty. Please help me with this.

trq, posted March 6, 2007:

Most people use the md5 function, however it cannot be unencrypted. This is usually not needed.

Orio, posted March 6, 2007:

The best way to deal with passwords is to hash them. Hashing means a one-way encryption (i.e., it can't be decoded). Then, instead of decrypting the password when you want to compare it to the given one, you hash the given password and compare the two hashes.

You can use md5() or sha1() (and there are more functions that calculate different hashes). A great php-hashing tutorial can be found here.

If you still insist on going on with encryption/decryption (although it takes more resources and is less secure), go for the mcrypt library.

Orio.

iceman400, posted March 6, 2007:

There is also a built-in password encryption in MySQL. Example: "insert into tablename password('$password') where x=y"

trq, posted March 6, 2007:

> also a built-in password encryption in mysql. example: "insert into tablename password('$password') where x=y"

The MySQL password function is not intended to be used in client code. It's an internally used function and is not recommended for use, as its algorithm is subject to change between versions.

iceman400, posted March 6, 2007:

Bugger! Then I have to change some of my own code... lol

mbtaylor, posted March 6, 2007:

Here's a nice mcrypt class for you (mcrypt allows decryption).

    <?php
    /***************************************************************
     Data encryption class
    ***************************************************************/
    /* usage example :
    $encryption = new ubercrypt();
    $encryption->key = "RQ2ByIw4g6u7FqLvtS+Nw1+tCRQaZKNf";
    $encryption->encrypt_text = "secret";
    $password = $encryption->encrypt();
    echo ("encrypted pass = ".$password."<br />");
    echo ($encryption->decrypt($password));
    */
    class ubercrypt {
        var $key;
        var $encrypt_text;
        var $decrypt_text;

        function encrypt(){
            // properties are read as $this->key, not $this->$key
            $key = $this->key;
            $input = $this->encrypt_text;
            // strip newlines, tabs and carriage returns from the plaintext
            $input = str_replace("\n","",$input);
            $input = str_replace("\t","",$input);
            $input = str_replace("\r","",$input);
            // first 24 hex characters of md5(key) are used as the 3DES key
            $key = substr(md5($key),0,24);
            $td = mcrypt_module_open ('tripledes', '', 'ecb', '');
            $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
            mcrypt_generic_init ($td, $key, $iv);
            $encrypted_data = mcrypt_generic ($td, $input);
            mcrypt_generic_deinit ($td);
            mcrypt_module_close ($td);
            return trim(chop(base64_encode($encrypted_data)));
        }

        function decrypt($input){
            $key = $this->key;
            // strip whitespace from the base64 text before decoding
            $input = str_replace("\n","",$input);
            $input = str_replace("\t","",$input);
            $input = str_replace("\r","",$input);
            // decode only: trimming the raw ciphertext could drop real bytes
            $input = base64_decode($input);
            $td = mcrypt_module_open ('tripledes', '', 'ecb', '');
            $key = substr(md5($key),0,24);
            $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size ($td), MCRYPT_RAND);
            mcrypt_generic_init ($td, $key, $iv);
            $decrypted_data = mdecrypt_generic ($td, $input);
            mcrypt_generic_deinit ($td);
            mcrypt_module_close ($td);
            // removes the padding added to fill the last block
            return trim(chop($decrypted_data));
        }
    }
    ?>

neo777ph (Author), posted March 7, 2007:

I successfully converted the user input pwd into md5 and inserted it into the db. This is done by:

    $pwd = md5($md5);
    $sql = "UPDATE security SET pwd = '$pwd', flagfirst = 1 WHERE idsec='$idsec'";

However, I tried to log in and compare the user input pwd to the db. I could not log in. Here is my code:

    $uname = trim($_SESSION['signum'],' ');
    $pwd = md5(trim($_SESSION['pwd'],' '));
    $strsql = "Select * from security where signum='$uname' and pwd = '$pwd' ";

This code is vulnerable to SQL injection. Could you also provide anti-SQL-injection techniques for beginners like me?

chronister, posted March 7, 2007:

For security, run all text form elements through mysql_real_escape_string(), e.g.

    $username = mysql_real_escape_string($_POST['username']);

Post the code where you define $md5. If it is a password you don't want to give out, then change the word to password or something, but it will help to see the rest of the code.

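Binding values as query parameters and verifying the hash in PHP covers both requests in this thread (hashing the password and avoiding SQL injection); this is an added example, not code from any poster. The `security`, `signum` and `pwd` names follow the thread, while the function names, the sample account and the in-memory SQLite database (needs pdo_sqlite, used so the script runs offline) are assumptions; the same prepared statements work over a MySQL PDO connection.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posts; the SQLite database and the account below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE security (idsec INTEGER PRIMARY KEY, signum TEXT UNIQUE, pwd TEXT)');

// Store a salted, deliberately slow hash instead of a bare md5() digest.
function set_password(PDO $db, string $signum, string $plain): void
{
    $stmt = $db->prepare('INSERT INTO security (signum, pwd) VALUES (:signum, :pwd)');
    $stmt->execute([
        ':signum' => $signum,
        ':pwd'    => password_hash($plain, PASSWORD_DEFAULT),
    ]);
}

// Look the row up by username only, then verify the hash in PHP.
// The bound value is sent as data, so quotes in it never reach the SQL text.
function check_login(PDO $db, string $signum, string $plain): bool
{
    $stmt = $db->prepare('SELECT pwd FROM security WHERE signum = :signum');
    $stmt->execute([':signum' => $signum]);
    $hash = $stmt->fetchColumn();   // false when there is no such user
    return $hash !== false && password_verify($plain, $hash);
}

// Constructed account; the apostrophe in the name needs no manual escaping.
set_password($db, "o'neil", 'correct horse');

var_dump(check_login($db, "o'neil", 'correct horse'));  // right password
var_dump(check_login($db, "o'neil", 'wrong'));          // wrong password
var_dump(check_login($db, 'nobody', 'correct horse'));  // unknown user
```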
neo777ph (Author), posted March 7, 2007:

Thanks for the code, sir: mysql_real_escape_string.

Below is my code where I convert the pwd input by the user to md5:

    <?php
    $idsec = $_SESSION['idsec'];
    $pwd1 = $_POST['pwd1'];
    $pwd2 = $_POST['pwd2'];
    //echo $idsec.$pwd1 .$pwd2;
    if ($idsec != '' && $pwd1 != '' && $pwd2 != '') {
        $pwd1 = md5($pwd1);
        $pwd2 = md5($pwd2);
        $strsql = "UPDATE security SET pwd = '$pwd1', flagfirst = 1 WHERE idsec='$idsec'";
        mysql_query($strsql);
        echo "<script>alert('Your Password Was Successful Changed!');window.location='http://mywebsite/index_main.php';</script>";
    }
    ?>

If a user logs in again to my system, how can I do the comparison between the user pwd form input and the md5 pwd in the db? I tried:

    <?php
    $_SESSION['pwd'] = $_POST['pwd'];
    $uname = trim($_SESSION['signum'],' ');
    $pwd = md5(trim($_SESSION['pwd'],' '));
    $strsql = "Select * from security where signum='$uname' and pwd = '$pwd' ";
    $result = mysql_query($strsql);
    ?>

Not OK. Help.

chronister, posted March 7, 2007:

OK... the code looks good to me. I cannot find any errors offhand. I am still confused as to where the $md5 variable was set.

    $pwd = md5($md5);
    $sql = "UPDATE security SET pwd = '$pwd', flagfirst = 1 WHERE idsec='$idsec'";

I have to assume that line was typed into the forum by hand and it was simply a typo, because in the code you posted, you had no $md5 variable.

I would suggest manually comparing the passwords. Open phpMyAdmin and look at the password in question. Echo the md5(trim($_POST['pwd'])) line and make sure the 2 hashed strings are the same.

You are correct in the last part.

    <?php
    $_SESSION['pwd'] = $_POST['pwd'];
    $uname = trim($_SESSION['signum'],' ');
    $pwd = md5(trim($_SESSION['pwd'],' '));
    $strsql = "Select * from security where signum='$uname' and pwd = '$pwd' ";
    $result = mysql_query($strsql);
    ?>

This is the correct way to authenticate a person. If it is not working, then add this line:

    echo mysql_num_rows($result);

If this line returns a 0, then it did not find a row with that username and password combination. If it returns 1, then it found that person.

Start with that and let us know what becomes of it.

neo777ph (Author), posted March 7, 2007:

md5 works perfectly. It is my fault: the length of the pwd field I defined in MySQL is only 20, and md5 requires 32. Thanks, guys! My system is better now.

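The failure resolved in the last post can be reproduced without a database: with strict SQL mode off, MySQL keeps only the part of a value that fits the column and raises a warning, so a 20-character field stores a prefix of the 32-character digest. This is an added example, not code from the thread; the helper names and the sample password are assumptions, and `substr()` stands in for the column truncation.

```php
<?php
// Added example, not code from the thread. It simulates what a 20-character
// pwd column does to a stored hash; the password value is constructed.

// What a non-strict MySQL column of the given width would keep of $value.
function stored_in_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Check to run before storing: does the column hold the whole hash?
function fits_column(string $hash, int $width): bool
{
    return strlen($hash) <= $width;
}

$plain  = 'example-password';
$md5    = md5($plain);                  // always 32 hex characters
$stored = stored_in_column($md5, 20);   // the thread's 20-character field

// Login recomputes the full digest, so it never equals the stored prefix.
$matches20 = hash_equals($stored, md5($plain));
$matches32 = hash_equals(stored_in_column($md5, 32), md5($plain));

printf("md5 length: %d, stored length: %d\n", strlen($md5), strlen($stored));
printf("match with width 20: %s\n", $matches20 ? 'yes' : 'no');
printf("match with width 32: %s\n", $matches32 ? 'yes' : 'no');

// The same check for password_hash(): bcrypt output is 60 characters, and the
// PHP manual recommends a 255-character column for PASSWORD_DEFAULT.
$bcrypt = password_hash($plain, PASSWORD_BCRYPT);
foreach ([20, 32, 60, 255] as $width) {
    printf("width %3d holds md5: %s, bcrypt: %s\n", $width,
        fits_column($md5, $width) ? 'yes' : 'no',
        fits_column($bcrypt, $width) ? 'yes' : 'no');
}
```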