[RESOLVED] How do I md5 this?

Wales

I have a password and confirm password. How do I md5 it?
I tried the following but it doesn't work. Is there a way to add the trim and md5 with one variable?

$password = trim ($_POST['password']);
$password = md5 ($password);
$confirmpassword = trim ($_POST['confirmpassword']);
$confirmpassword = md5 ($confirmpassword);

NogDog

Can you define, "doesn't work"?

Wales

When I look at my database it's not encrpyted

NogDog

How are you putting it into the DB? Are you sure you are using the correct variable name in the query string?

Weedpacket

Do you need to md5() the confirmed password? Wouldn't the usual process be to compare the plaintext password with the confirmation, and if they match, then hash the password for storage?

rsmith

Try this:

$password = mysql_real_escape_string(trim(sha1($_POST['password'])));
$confirmpassword = mysql_real_escape_string(trim(sha1($_POST['confirmpassword'])));

if($confirmpassword != $password){
     echo "Sorry, your passwords did not match. Try again.";
}else{
     $query = "INSERT INTO `users` SET `password`= '".$password."'";
     $result = mysql_query($query);

 if($!result){
      echo "There was an error updating the database<br />Error: ".mysql_error();
 }
}

Note I used sha1(). It's more reliable and better encryption than md5(). Also note that you need to update your MySQL query to user your table structure etc.

laserlight

Try this:

Actually, I would argue that what Weedpacket suggested makes more sense: there is no need to calculate a hash if the passwords do not even match, so one should check first, then hash if they match. Not only that, but using trim() and mysql_real_escape_string on a hexadecimal numeric string as produced by sha1() is pointless. We do not even know if mysql_real_escape_string() is the correct function since the database API used is not known.

Note I used sha1(). It's more reliable and better encryption than md5().

It is not encryption, it is a cryptographic hash. Whether it is better than MD5 for such password hashing is disputed by the folks at phpBB, but either way a hash alone is just not enough. At the very least one should include a salt for each user.

rsmith

Originally I had the hash put into the if statment so I guess I should've left it there.

$password = mysql_real_escape_string(trim($_POST['password']));
$confirmpassword = mysql_real_escape_string(trim($_POST['confirmpassword']));

if($confirmpassword != $password){
     echo "Sorry, your passwords did not match. Try again.";
}else{
     $password = sha1($password);
     $query = "INSERT INTO `users` SET `password`= '".$password."'";
     $result = mysql_query($query);

 if($!result){
      echo "There was an error updating the database<br />Error: ".mysql_error();
 }
}

laserlight

Assuming the incoming variables exist, this is enough:

$password = trim($_POST['password']);
$confirmpassword = trim($_POST['confirmpassword']);

if($confirmpassword != $password){
     echo "Sorry, your passwords did not match. Try again.";
}else{
     $password = sha1($password);
     $query = "INSERT INTO `users` SET `password`= '".$password."'";
     $result = mysql_query($query);

 if($!result){
      echo "There was an error updating the database<br />Error: ".mysql_error();
 }
}

Whether trim() should be applied or not is debatable: I never use passwords with whitespace prepended/appended, but perhaps some people do it on purpose. It is also good to check for a minimum password length.

Wales

Thanks