Solarpitch Posted June 2, 2007 Share Posted June 2, 2007 Hey, I use md5 to store password in the database. I have a script that sends a user his password via a mail if they forgot it. However it sends the 32 bit encrypted value as I am using... //... Connect to db ... $query = "select * from members where email = '$email_to'"; $result = mysqli_query( $mysql, $query ); if(!$result) { $message = 'Cannot run query.'; exit; } //$row = mysqli_fetch_row( $result ); $count = mysqli_num_rows($result); if ( $count > 0 ){ $rows=mysqli_fetch_array($result); $your_password = $rows['user_password']; $your_username = $rows['username']; // Send mail form... Is there anyway to return the user's "real" password from the database and store it in $your_password rather than it retrieving the 32bit encryption? Quote Link to comment Share on other sites More sharing options...
chigley Posted June 2, 2007 Share Posted June 2, 2007 That's not really possible. MD5 is a one way decryption, so you either use MD5 and send them an email with a link to reset their password, or you store the passwords in plain text and the script is insecure. Quote Link to comment Share on other sites More sharing options...
Timma Posted June 2, 2007 Share Posted June 2, 2007 Just need to find a nice secretive place to hide the real passwords. Quote Link to comment Share on other sites More sharing options...
taith Posted June 2, 2007 Share Posted June 2, 2007 yup! md5() is "not" decyrptable... well... not in any standard method... lol Quote Link to comment Share on other sites More sharing options...
Timma Posted June 2, 2007 Share Posted June 2, 2007 It's a hash, so if you wanted to decrypt it you would have to make some hash dictionaries to attempt finding the password, but then you might not even find the password. As hash dictionaries only work for simple ones. Quote Link to comment Share on other sites More sharing options...
Solarpitch Posted June 2, 2007 Author Share Posted June 2, 2007 Ummm . . ok, well I think the "change password" option will probably be the best. Or . . just get them to log in with their 32bit encrypted password, that would be fun! Quote Link to comment Share on other sites More sharing options...
per1os Posted June 2, 2007 Share Posted June 2, 2007 Yea, most sites run where if you forget your password you just get a new one sent to you and the old one is just trashed. There is a way to get an md5 like encryption and be able to decrypt it. I think it is in the usercomments at www.php.net/md5 Alexander Valyalkin 30-Jun-2004 01:41 Below is MD5-based block cypher (MDC-like), which works in 128bit CFB mode. It is very useful to encrypt secret data before transfer it over the network. $iv_len - initialization vector's length. 0 <= $iv_len <= 512 <?php function get_rnd_iv($iv_len) { $iv = ''; while ($iv_len-- > 0) { $iv .= chr(mt_rand() & 0xff); } return $iv; } function md5_encrypt($plain_text, $password, $iv_len = 16) { $plain_text .= "\x13"; $n = strlen($plain_text); if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16)); $i = 0; $enc_text = get_rnd_iv($iv_len); $iv = substr($password ^ $enc_text, 0, 512); while ($i < $n) { $block = substr($plain_text, $i, 16) ^ pack('H*', md5($iv)); $enc_text .= $block; $iv = substr($block . $iv, 0, 512) ^ $password; $i += 16; } return base64_encode($enc_text); } function md5_decrypt($enc_text, $password, $iv_len = 16) { $enc_text = base64_decode($enc_text); $n = strlen($enc_text); $i = $iv_len; $plain_text = ''; $iv = substr($password ^ substr($enc_text, 0, $iv_len), 0, 512); while ($i < $n) { $block = substr($enc_text, $i, 16); $plain_text .= $block ^ pack('H*', md5($iv)); $iv = substr($block . $iv, 0, 512) ^ $password; $i += 16; } return preg_replace('/\\x13\\x00*$/', '', $plain_text); } /******************************************/ $plain_text = 'very secret string'; $password = 'very secret password'; echo "plain text is: [${plain_text}]<br />\n"; echo "password is: [${password}]<br />\n"; $enc_text = md5_encrypt($plain_text, $password); echo "encrypted text is: [${enc_text}]<br />\n"; $plain_text2 = md5_decrypt($enc_text, $password); echo "decrypted text is: [${plain_text2}]<br />\n"; ?> Quote Link to comment Share on other sites More sharing options...
taith Posted June 2, 2007 Share Posted June 2, 2007 ya... thats... not md5... every time you refresh it, it gives you a new hash... and it doesnt work, if you dont put the origional text in... Quote Link to comment Share on other sites More sharing options...
per1os Posted June 2, 2007 Share Posted June 2, 2007 Nope you miss-read the function. The $password is sort of like the "salt" you use that and it is secret to the site so no one else can take the hash and use this function to decrypt it. =) Quote Link to comment Share on other sites More sharing options...
taith Posted June 2, 2007 Share Posted June 2, 2007 ya... but it doesnt keep the same hash every time you refresh... which is 100% useless for testing passwords... lol ok... think i found a use for it... perhapss... licencing? so you install on one server, goes to your sever, checks to make sure licence is valid, then will install... but not for passwords... Quote Link to comment Share on other sites More sharing options...
per1os Posted June 2, 2007 Share Posted June 2, 2007 Not necessarily. Remember you can decrypt it. <?php session_start(); function get_rnd_iv($iv_len) { $iv = ''; while ($iv_len-- > 0) { $iv .= chr(mt_rand() & 0xff); } return $iv; } function md5_encrypt($plain_text, $password, $iv_len = 16) { $plain_text .= "\x13"; $n = strlen($plain_text); if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16)); $i = 0; $enc_text = get_rnd_iv($iv_len); $iv = substr($password ^ $enc_text, 0, 512); while ($i < $n) { $block = substr($plain_text, $i, 16) ^ pack('H*', md5($iv)); $enc_text .= $block; $iv = substr($block . $iv, 0, 512) ^ $password; $i += 16; } return base64_encode($enc_text); } function md5_decrypt($enc_text, $password, $iv_len = 16) { $enc_text = base64_decode($enc_text); $n = strlen($enc_text); $i = $iv_len; $plain_text = ''; $iv = substr($password ^ substr($enc_text, 0, $iv_len), 0, 512); while ($i < $n) { $block = substr($enc_text, $i, 16); $plain_text .= $block ^ pack('H*', md5($iv)); $iv = substr($block . $iv, 0, 512) ^ $password; $i += 16; } return preg_replace('/\\x13\\x00*$/', '', $plain_text); } /******************************************/ $plain_text = 'very secret string'; $password = 'very secret password'; echo "plain text is: [${plain_text}] \n"; echo "password is: [${password}] \n"; $enc_text = md5_encrypt($plain_text, $password); echo "encrypted text is: [${enc_text}] \n"; if (!isset($_SESSION['enc'])) { $_SESSION['enc'] = $enc_text; }else { $plain_text2 = md5_decrypt($_SESSION['enc'], $password); echo "decrypted text is: [${plain_text2}] \n"; } ?> Meaning that anytime a user enters their login/password on the form, you just have to decrypt the hash from the database to check against the password. An extra step, yes but if you want to have decryption functionality that is how it has to be done. Anyhow, it works just may not be the securest but allows for decryption functionality while also providing a tougher encryption method than just the base64 alone. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.