cooldude832 Posted June 4, 2007

I'm wanting to one-way encrypt passwords users enter into my database using the crypt() function. However, as I read tutorial after tutorial I'm very confused about the syntax of using a salt to ensure you get the same results both ways. After reading a bit I think Blowfish is the best encryption method, but how do I actually write it out?

$password = $_REQUEST['password'];
$cryptpassword = crypt($password,??????????);

per1os Posted June 4, 2007

I would use www.php.net/md5 if I were you. Look at the user comments for some good ways to create nice hashes.

www.php.net/crypt those user comments may have some suggestions too.

cooldude832 Posted June 4, 2007

So I have to develop my own hash? Or are there pre-built ones?

ToonMariner Posted June 4, 2007

What you need is md5 or sha1 (the latter being my preferred option); beaten to it because of coffee in one hand grrrr

cooldude832 Posted June 4, 2007

So sha1 doesn't require a user salt added, I can just say:

$password = sha1($_REQUEST['password']);

and then compare

$sql = "SELECT * FROM USERS WHERE Password = '$password'";

Is it secure to pass the password with POST or is there some encryption I should include on my form?

per1os Posted June 4, 2007

With md5 your code would look like this:

<?php
$password = $_REQUEST['password'];
$cryptpassword = md5($password);

Simple as that.

per1os Posted June 4, 2007

> So sha1 doesn't require a user salt added, I can just say:
>
> $password = sha1($_REQUEST['password']);
>
> and then compare
>
> $sql = "SELECT * FROM USERS WHERE Password = '$password'";
>
> Is it secure to pass the password with POST or is there some encryption I should include on my form?

Secure enough as long as you aren't passing credit card information, then you would want an SSH server which would encrypt the data anyhow.

But yeah, just do not store the un-encrypted password in the session or the cookie. Anytime you reference that password in code it should be verifying it with the encrypted version, do that and you will be alright.

cooldude832 Posted June 4, 2007

I'm using 1 way into the table and then if a recovery is needed I have a function that generates a random alphanumeric 6 character phrase that it will reset the password to and then email it to the user.

per1os Posted June 4, 2007

Sounds secure enough, that's the way my site is set up.
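
Added example, not part of any post in this thread: the crypt() salt syntax asked about in the first post, written out with a Blowfish (bcrypt) salt and verified by passing the stored hash back in as the salt. It assumes PHP 7 or later with Blowfish support in crypt(); the function names and the in-memory $users array are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with Blowfish support in crypt().
// Function names and the $users array are constructed for illustration.

// Build a bcrypt salt: "$2y$" + two-digit cost + "$" + 22 chars from [./A-Za-z0-9].
function make_bcrypt_salt(int $cost = 10): string
{
    $raw = base64_encode(random_bytes(16));           // 24 chars, alphabet A-Za-z0-9+/ and "=" padding
    $salt22 = substr(strtr($raw, '+', '.'), 0, 22);   // map '+' to '.', drop the padding
    return sprintf('$2y$%02d$%s', $cost, $salt22);
}

// Hash a new password. The 60-character result embeds the algorithm, cost and salt,
// so no separate salt column is needed.
function hash_password(string $password): string
{
    $hash = crypt($password, make_bcrypt_salt());
    if (strlen($hash) !== 60) {                       // crypt() returns a short token such as "*0" on failure
        throw new RuntimeException('crypt() failed or Blowfish is unavailable');
    }
    return $hash;
}

// Verify: pass the stored hash as the salt argument. crypt() reads the prefix, cost
// and salt from it, so the same password reproduces the same string.
function verify_password(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Constructed stand-in for the users table: username => stored hash.
$users = ['alice' => hash_password('correct horse')];

// Because every hash has its own random salt, the row is looked up by username and
// the comparison happens in PHP, not in a WHERE clause on the password column.
function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    return verify_password($password, $users[$name]);
}

var_dump(login($users, 'alice', 'correct horse'));    // matching password
var_dump(login($users, 'alice', 'wrong guess'));      // non-matching password
var_dump(login($users, 'bob', 'correct horse'));      // unknown user
```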