Encrypting password...

adrian_quah

Hey guys,

I wanna get the 'password' encrypted...I am aware that we can use several ways: -

1) Encryption of string as it passes from page to page
2) Field encryptionin database table (e.g. in MySQL)

Can u guys pls explain briefly which method is safer and the pros n cons..Also, how do i go abt implementing the first option...Gracias amigo! thankz..

Btw, hehe...is there a way that the powerful MS SQL has a way to save these passwords (in a field) in encrypted form..thx!

planetsim

I think MS SQL can. Cos Mysql can in any format like text.

Now

I use md5("password here");

to encrypt them.
I dont think theres any cons or pros for any encryption as long as theres no function in php that can decrypt them

Its not impossible to decypt anything thats encrypted but it can be time consuming to find the write combination.

morphy_6deex

with md5 u cant retrieve yr password unless u give a new password to the user...

does mysql has native functions to crypt/decrypt text fields?

adrian_quah

Hey guys, thanks..i think i wont use md5...I may wanna stick to MS SQL's encrytion of the password field..

If u've any tips or pointers on this, pls share with me..Thanks a lot 🙂

adrian_quah

I'm also looking for something like ASP's

PWDENCRYPT and PWDCOMPARE

functions...I can send the password in encrypted form, and later compare it..no need to decrypt it..hehe...sorry for my earlier vague postings.

Any ideas? I wanna hear them...thanks.

adrian_quah

I came accross this statement from the PHP manual:

For passwords just store a md5 of it on the server, then when user trys to login, server compares stored version with md5 of what user is trying to login with.

Can u tell me how this is done...the part where to compare the p/w in the database with the one submitted by user?

adrian_quah

Can u tell me what is wrong with the next piece of code:



// Submitted values of Login and Password
$login = "admin";
$user_submitted_password = "admin";


$user_submitted_password = md5($user_submitted_password);


$result=mysql_query("SELECT * FROM users_login WHERE Login=\"$login\"", $linkID) or die ("Could not perform username query");
$row=mysql_fetch_array($result);

// If username and password matches, perform:
if (($row["Password"]==$user_submitted_password) && ($row["Login"]==$login))
    {
		echo "<hr>Correct Password";
	}
else
	{
		echo "<hr>Try again pal";
	}

[/B]

kinadian

Personally, I use MySQL's Password function. But I don't believe there is much of a difference. In fact, I think the password function performs and MD5 on the passed string. Then all I do is compare the user entered password at login (passing it through the password funciton) with the stored value.

Example:

$uid = $_POST['uid'];
$pwd = $_POST['pwd'];

$query = "SELECT * FROM users WHERE userid = '$uid' AND $userpass = password('$pwd')";

$result = mysql_query($query);
if (!$result) echo "Could not perform query ($query)";

if (mysql_num_rows == 0 ) {
echo "Login failed.  Invalid username or password";
}
else {
echo "Congrats.  Logged In";
}

--kinadian