I am building a user and administrator authorization system and when the user signs up, when they create a password, I want the password to become encrypted. Also, the password is being stored in MySQL and later on when the user logs in, I want to be able to call from MySQL and decrypt the password (so i can compare the users input password and the given one in the database so they can gain access to their account).

So basiclly i want to encrypt, stick in MySQL, call from MySQL, decrypt, compare, user is gets access or no access to their account.

    You don't need to decrypt the password, just encrypt it and compare it to the encrypted value stored in the database! I did this using PHP's MD5() function. MD5() produces a 32 character encrypted string.

    I stored it in a MySQL in a varchar(35). When I want to compare values I encrypt the new value and compare it to what's in the database.

    $encrypted = MD5("passwd");
    $fromdb = "result from db";

    if ($encrypted == $fromdb) {
    authentication stuff here!!
    }

    HTH,

    Rodney

      duh, that makes things easier, thanx.

        you don't have to decrypt once encrypted password. you may just compare them.

        $usr_registration_pass="secret";
        $your_pass="top secret";

        use md5() function to create a hash:
        $usr_pass=md5($usr_registration_pass.$your_pass);
        and store it in the DB

        when user attemps to login, you retrieve $usr_pass (looks like: da89f1c82799a57b9b5c3d1f8ca9da5a) and create a new hash to compare it:
        $is_usr=md5($entered_pass.$your_pass);
        and check:
        if($usr_pass==$is_usr)login();
        else try_again();

          You may want to think about having a java script (client side) to encrypt the password . If not, when you submit the password to the server via php (server side), it's transmited clear text...kind of defeats the purpose of encrypting a password. I used a js that used the md5 algorithm. Here's the structure I used.

          Page loads with JS
          User enters username and password
          User hits submit
          JS reads the password field.value
          JS converts the password to a hash
          HS places the hash as the field.value
          If successful, has is sent to server.
          values are compared and authentication is granted.

          You could get a lot more detailed by unencrypting it on the server, then re-encrypt it with another algorithm which the passwords in the are encrypted with...Or even better use a PKI system!

            Just to add the reason peio has inserted the variable $your_pass into the md5 function argument list...

            MD5 is no more secure from brute force attacks than the crypt function, you can take a dictionary list, and run md5() over each word, and compare it to the encrypted string.. However, by adding an additional string of characters to the end of the users password, you effectively remove the chance a brute force attacker may have if they have a copy of your user's passwords.

            However, once you use an additional string of characters in an md5 hash, you can NOT change that additional string later, because passwords will be completely different later on...

            eg:

            $userpass = 'helloworld';
            $hash = 'thehash';

            $encpass = md5($userpass.$hash);

            //$encpass = e12b7d5447d8363a636212e3ab6874eb

            so you would store e12b7d5447d8363a636212e3ab6874eb in the database...

            however, if you later change the $hash variable to ANYTHING else, eg

            $userpass = 'helloworld';
            $hash = 'oopsichangedthehash';

            $encpass = md5($userpass.$hash);

            //$encpass = 798299d8b01915ec5a1e2b76442d7747

            even though you may think it would still work, the store password is
            e12b7d5447d8363a636212e3ab6874eb

            yet the one php is providing to mysql is 798299d8b01915ec5a1e2b76442d7747

            if you ever change your $hash variable, you need to generate a new password for every single user, and then mail them the new password

            Sorry for the long winded post.

              it's also worth mentioning that you can't retrieve the original user password. so if a user claims to have lost his password, you have to generate a new one and send it to him and a corespoding database entry should be made

                PHP's MD5() does not defeat the purpose of encrypting a password. It's just not made to transmitt an encrypted password. Of course if you are using a secure connection you don't have to worry, because everything you transmitt is encrypted. : ) The benefit of using MD5() or another PHP encryption function is it's easy. Also it will prevent unwanted persons from viewing OPP (other peoples' passwords), if they happen to crack into your database.

                  That might be something to consider if you're worried about bruce force attacks. I wrote a script to block accounts access if they show "excessive activity". The user is notified and must contact me and explain if they wish to regain access.
                  MD5() is just one example. You could also use mcrypt_ecb() or one of several PHP encryption functions that help eliminate this.

                    Write a Reply...