Encrypt Password

treeleaf20

If I have a password field in a MySQL database administered by PhpMyAdmin and they type of the field is password, how do I encrypt the password from the form the user enters the password in the application so that it matches the password field in the database? I hope that made sense. An example would be:

MySQL password field = 12saqjjDho2034
User entered in form = password

How would I encrypt password to equal the 12saqjjDho2034 that is stored in mySQL?

Thanks for any help.

When you post the password to the verification page would you do md5($_POST['password']?

Sayian

If the password is stored in MYSQL Encrypted using MD5() , then to validate it against a form you would need to do somthing like this

$password = $_POST['password'];
$password = md5($password);

Now your $password variable is Md5 Encrypted , ready for you to check it against the database.

treeleaf20

Is that how mySQL encrypts the password when you select the field type as password? I mean using MD5 or does it use another method??

Thanks.

drew010

it looks like the mysql password function. but im not sure since putting 'password' to it results in a different string. its not md5 since md5 is 32 characters 0-9A-F.
try "SELECT PASSWORD('YOURPASSWORD')" and see if it matches.

http://dev.mysql.com/doc/mysql/en/encryption-functions.html

treeleaf20

So are you saying you don't believe that the password field type in mySQL uses md5?

drew010

the password field type in mysql doesnt use md5.

Sayian

Drew is right , That was my mistake , it is NOT MD5 , it is Password ... Well , it looks like password , so just change md5 to password like this

$password = $_POST['password'];
$password = password($password);

Now $password will be encrypted with password() and NOT md5()

drew010

password is a mysql function though, not php so the only way to do it is directly in your sql statement.

$query = "SELECT * FROM users WHERE username = '$user' AND pass = PASSWORD('$pass')";
or
$query = "INSERT INTO users VALUES('$username', PASSWORD('$password'))";

Sayian

Didnt know that , thanks.

Treeleaf , in the future id recommend using php's MD5() Function , as this is Much More secure then password().

If security is your concern , you could even use a stronger function for encryption , sha1()

Just to let you know for the future.

treeleaf20

Would this idea work, do something like:

$password = $_POST['password'];
$password = md5($password);

And then inserted $password into the database would that be secure? Also would it be secure enough when the user posts the form to that page, wouldn't it be oepn to see until it gets to the page and gets encrypted?

If you just inserted $password into the db would you use something like VARCHAR as the field type or would you have to use something else?

Thanks for the continued help.

Drakla

If you're using md5 for the password then use CHAR(32) as the column type, not varchar. You can also let MySQL do the work for you like this

$query = "INSERT INTO mytable (username, password) VALUES ('$username', MD5('$password'))";

treeleaf20

Ok I got it to insert into the database good and encrypted with md5, now my problem is that when I enter the same password into the login.php field and do the same thing that I did on the register.php page, the code is below the encrypts it:

$password = $_POST['Password'];
$password = md5($password);

The login script that I have creates a different set of values and says I didn't enter the right username and password when I know I did, does anyone know how to fix this?

Thanks.

treeleaf20

I use shared SSL with my hosting server when I insert the new user and when I allow the user to login so I don't believe that is the problem, anyone have any ideas about this problem? Thanks