using md5

rtown

I have found a good login script that I plan to use, but the only problem is that there is no password encryption. I have heard about md5 to encrypt, but not to sure as to how I would incorporate it in my script. My site isn't hazardous if hacked, but still a little security would be nice...any info on using this function would be appreciated.

stolzyboy

i prefer using the password() function of mysql, they say it CAN'T be decrypted

rcook

md5 is a better choice than the MySQL password() function. Even the MySQL docs say so. 🙂

You need to create a CHAR(32) field for your passwords in your user table. Then, when adding a new user, store the md5 of the plain text password in the database. When a user is trying to log in, md5 the plain text password the user entered and compare it to the stored md5 password in the database. If they match, then log the user in.

mwdrago

I was trying to user password() for my user auth but it wasn't working, so I tried md5 and it's working. Having a 32 character field in my mySQL db isn't something I like doing though. This is my first website with php/mysql, I hope the DB can handle all the info.

rcook

MySQL can handle tables up to 2GB and larger. How many users are you expecting? 🙂

32 bytes usually isn't something to worry about. I assume that you are letting the users pick a username? And are recording their email address? See, 32 bytes goes by very quickly, and I wouldn't worry about it. There are bigger issues with a website than the size of the password field.

mwdrago

that's good to know. I don't really have many fields that users could fill up with tons of info. Really the longest ones are just for URLs.

stolzyboy

the only reason i know of that they don't suggest using password() is cuz you can't decrypt it, but if you have another method of giving out passwords if a user looses you won't have a problem, i have used it numerous times, the only thing you have to be aware of is that you can't limit the field size of the varchar to be too small, even if you type blah for the password it will be stored as djdso348509whbasodfjh or something, so if you have varchar(8), that won't work

rtown

the only thing that I am looking for, either method, is to store the password in an encrypted variable, and be able to compare that encrypted password to the one that is entered on the login script. I think that I have seen the md5 one used, not the password(), but I can't remember where I saw the example so if anyone has any links or tutorials or anything that they could recommend, that would be awesome....

thanks again for the reply

stolzyboy

its pretty simple, replace the md5() with password() in respective places in your script and thats it