Hello,

I'm having trouble trying to encrypt the passwords that are being inserted into the database.

Here is my register process file -

<?php
require_once("db/connect.php"); 

session_start(); 

//Declare Variables

$Username = $_POST['username'];
$Email = $_POST['email'];
$Email1 = "@";
$Email_Check = strpos($Email,$Email1);
$Password = $_POST['password'];
$Re_Password = $_POST['re-password'];

//Check To See If All Information Is Correct

if($Username == "")
{
die("Opps! You don't enter a username!");
}

if($Password == "" || $Re_Password == "")
{
die("Opps! You didn't enter one of your passwords!");
}

if($Password != $Re_Password)
{
die("Ouch! Your passwords don't match! Try again.");
}

if($Email_Check === false)
{
die("Opps! That's not an email!");
}

//Insert Into Database

if(!mysql_query("INSERT INTO users (email, username, password)
VALUES ('$Email', '$Username', '$Password')"))
{
die("We could not register you due to a error (Contact the website owner if this continues to happen.)");
}else{
die("User Created");
}

?>

Now I'm not sure how I would do it, but I want to md5 encrypt the password that is being inserted into the database, so if anyone can help me I'll be very grateful for your help.

    $Password = md5($_POST['password']); 
    $Re_Password = md5($_POST['re-password']); 
    

    Leave the rest as is... Also you should look at using filter_var to verify emails.

      Thanks, it works now. I just have to make the password decrypt in the login process form to allow the user to log in, so I may post the login process file in a minute because I can see myself having problems with that, but thanks for your help.

        You can't decrypt it generally, however you can md5 the password they submit and compare the encrypted strings to see if they match.

          Yeah, that's what I mean, but I thought decrypt would shorten my paragraph.

            Right, I've tried a few ways and haven't had much success. This is my login process file -

            <?php 
            require_once("db/connect.php"); 
            
            session_start(); 
            
            //Field Data 
            if (isset($_POST['username'], $_POST['password'], $_POST['Submit'])){ 
                $username    =    $_POST['username']; 
                $password    =    md5($_POST['password']); 
                $submitted   =    $_POST['Submit']; 
            
            if ($username && $password){ 
                ////////////////////////////////////////////////// 
                $query        = sprintf("SELECT * FROM users WHERE username='$username' AND password='$password'");
                $result       = @mysql_query($query); 
                $rowAccount   = @mysql_fetch_array($result); 
                ////////////////////////////////////////////////// 
                if ($rowAccount){ 
                    $_SESSION['id'] = $rowAccount['username']; 
                    header("Location:user_area/"); 
                    exit; 
                } else { 
                    echo "You have entered the wrong username or password"; 
                } 
            } 
            else 
            { 
                echo "You have not filled in all the fields";
            } 
            } 
            ?>
            

            That's my attempt, and as I'm sure you can see, I've attempted this -

            $password    =    md5($_POST['password']); 

            Unfortunately that does not work, so if anyone can help I will once again be very grateful.

              $query = sprintf("SELECT * FROM users WHERE username='$username' AND password='$password'");

              If you're going to use sprintf (as you should) you should do so in this fashion

              
                  $query        = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'",$username,$password); 
              

              Also remove the error suppressors (the @ in front of query and fetch_array) and add error_reporting(E_ALL) to the top of your page so you can see any errors, warnings and notices thrown during the execution.

                Ah thanks. Also, do you know how I could make the password that the user enters md5 so the password in the database matches the password the user has given in the login form?

                  It should already be doing that. I don't see any reason why it wouldn't be working.

                    Shall I post both, login process file and register process file?

                      Here is my login process file -

                      <?php 
                      require_once("db/connect.php"); 
                      
                      session_start(); 
                      
                      //Field Data 
                      if (isset($_POST['username'], $_POST['password'], $_POST['Submit'])){ 
                          $username    =    $_POST['username']; 
                          $password    =    md5($_POST['password']); 
                          $submitted   =    $_POST['Submit']; 
                      
                      if ($username && $password){ 
                          ////////////////////////////////////////////////// 
                          $query        = sprintf("SELECT * FROM users WHERE username='%s' AND password='%s'",$username,$password);
                          $result       = mysql_query($query); 
                          $rowAccount   = mysql_fetch_array($result); 
                          ////////////////////////////////////////////////// 
                          if ($rowAccount){ 
                              $_SESSION['id'] = $rowAccount['username']; 
                              header("Location:user_area/"); 
                              exit; 
                          } else { 
                              echo "You have entered the wrong username or password"; 
                          } 
                      } 
                      else 
                      { 
                          echo "You have not filled in all the fields";
                      } 
                      } 
                      ?>
                      

                      And now here is my register process file -

                      <?php
                      require_once("db/connect.php"); 
                      
                      session_start(); 
                      
                      //Declare Variables
                      
                      $Username = $_POST['username'];
                      $Email = $_POST['email'];
                      $Email1 = "@";
                      $Email_Check = strpos($Email,$Email1);
                      $Password = md5($_POST['password']); 
                      $Re_Password = md5($_POST['re-password']);
                      
                      //Check To See If All Information Is Correct
                      
                      if($Username == "")
                      {
                      die("Opps! You don't enter a username!");
                      }
                      
                      if($Password == "" || $Re_Password == "")
                      {
                      die("Opps! You didn't enter one of your passwords!");
                      }
                      
                      if($Password != $Re_Password)
                      {
                      die("Ouch! Your passwords don't match! Try again.");
                      }
                      
                      if($Email_Check === false)
                      {
                      die("Opps! That's not an email!");
                      }
                      
                      //Insert Into Database
                      
                      if(!mysql_query("INSERT INTO users (email, username, password)
                      VALUES ('$Email', '$Username', '$Password')"))
                      {
                      die("We could not register you due to a error (Contact the website owner if this continues to happen.)");
                      }else{
                      die("User Created");
                      }
                      
                      ?>
                      

                      Now when a user registers, the password becomes encrypted in the database, but then when a user goes to log in through the login process file the user's password does not become encrypted so it does match the password in the database, so it shows the message -

                      You have entered the wrong username or password

                      echo "You have entered the wrong username or password"; 

                      How would I get it so the password that the user has entered in the login form becomes encrypted so it matches the password in the database so the user can log in?

                        Try echoing the $query when it says wrong username or password (just for debugging purposes) to see if it's a problem with not encrypting or not building the proper query.

                          When echoing the $query

                           echo $query; 

                          I get this message -

                          SELECT * FROM users WHERE username='bob' AND password='1ed888b9af43983a3b6adc74d3479a21'

                            Oh, I think I know: there is a character limit in the database which is not allowing the full encrypted word.

                              See? The password was encrypting... Glad you found the problem.

                                On the topic of password storage: besides using a cryptographic hash algorithm like MD5, also use a user specific salt. Furthermore, if you are concerned that the hash extension, or an algorithm that you want to use with hash, would not be available, use sha1() instead of md5().

                                  9 days later

                                  To add just a bit more security I suggest seeding your md5 hash: md5('prefix salt' . $password . 'post salt')

                                    I would just stay away from md5 in general. With the power of GPUs and rainbow tables, look for something better, like sha.
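
The register and login flow from this thread, as an added example that is not part of the original posts: it swaps md5() for PHP's password_hash()/password_verify() (per-user salt built in) and uses PDO prepared statements, then reproduces the truncated-hash failure the thread ran into. The in-memory SQLite database, the column widths, the function names register_user/check_login and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example: registration and login with salted, slow hashing and
// parameterized queries. In-memory SQLite stands in for the thread's MySQL
// database so the script runs offline; table and column names follow the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Hash column sized generously: a bcrypt hash is 60 characters, and 255
// leaves room for future algorithms. A too-short column truncates the
// stored hash, which is the bug found in the thread.
$db->exec('CREATE TABLE users (
    email    VARCHAR(255) NOT NULL,
    username VARCHAR(64)  NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL)');

function register_user(PDO $db, string $email, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // password_hash() generates a random per-user salt and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (email, username, password) VALUES (?, ?, ?)');
    return $stmt->execute([$email, $username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Look up by username only; the hash comparison happens in PHP.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && password_verify($password, $stored);
}

// Constructed sample data.
var_dump(register_user($db, 'bob@example.com', 'bob', 'correct horse')); // valid registration
var_dump(check_login($db, 'bob', 'correct horse'));                      // matching password
var_dump(check_login($db, 'bob', 'wrong guess'));                        // non-matching password
var_dump(check_login($db, "o'brien", 'x'));   // quote in input is bound as data, not SQL

// The thread's failure mode: SQLite does not enforce VARCHAR lengths, so the
// truncation a narrow column would cause is simulated here with substr().
$full = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', substr($full, 0, 20)));
```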
