encrypting passwords...



Armondo
03-24-2007, 08:12 PM
I have been messing around with my little login/user system for a while now, and I have already done various security fixes such as email validation and password confirmation, but I recently realized that I need to encrypt the passwords the user sends in. I tried this:
$password = sha1(md5($password)); and it successfully encrypts it! But...er...I have no idea how to un-encrypt it when you log in. The script is at: www.flashanims.com

here be me codes
sendit (sends the register data to the db):

<?php
// Replace host, user, password and database name with your own MySQL settings.
// (The original post had live credentials on this line; they are placeholders here.)
$conn = mysqli_connect("localhost", "db_user", "db_password", "flashanims_db");
if (!$conn) {
    die("Could not connect to the database");
}

$username  = isset($_POST["username"])  ? $_POST["username"]  : "";
$password  = isset($_POST["password"])  ? $_POST["password"]  : "";
$email     = isset($_POST["email"])     ? $_POST["email"]     : "";
$password2 = isset($_POST["password2"]) ? $_POST["password2"] : "";
$email2    = isset($_POST["email2"])    ? $_POST["email2"]    : "";

function check_email_address($email) {
    // First, we check that there's one @ symbol, and that the lengths are right
    // (ereg() is gone from PHP 7, so the same patterns are run through preg_match())
    if (!preg_match('/^[^@]{1,64}@[^@]{1,255}$/', $email)) {
        // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
        return false;
    }
    // Split it into sections to make life easier
    $email_array = explode("@", $email);
    $local_array = explode(".", $email_array[0]);
    for ($i = 0; $i < sizeof($local_array); $i++) {
        if (!preg_match('@^(([A-Za-z0-9!#$%&\'*+/=?^_`{|}~-][A-Za-z0-9!#$%&\'*+/=?^_`{|}~\.-]{0,63})|("[^(\\\\|")]{0,62}"))$@', $local_array[$i])) {
            return false;
        }
    }
    if (!preg_match('/^\[?[0-9\.]+\]?$/', $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
        $domain_array = explode(".", $email_array[1]);
        if (sizeof($domain_array) < 2) {
            return false; // Not enough parts to domain
        }
        for ($i = 0; $i < sizeof($domain_array); $i++) {
            if (!preg_match('/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/', $domain_array[$i])) {
                return false;
            }
        }
    }
    return true;
}

if ($email != $email2) {
    print "your email addresses did not match, please go back and correct them";
    exit;
}
if ($password != $password2) {
    print "your passwords did not match, please go back and correct them";
    exit;
}
// Store only the hash. sha1(md5()) is what the login script expects, but note
// that it is unsalted and fast, so identical passwords give identical hashes
// and common passwords can be guessed quickly.
$password = sha1(md5($password));

if (check_email_address($email)) {
    // Prepared statement: the values are bound as data, so a quote in the
    // username can't change the SQL. id is auto-generated, so it is not listed.
    $stmt = mysqli_prepare($conn, "INSERT INTO users (username, password, email) VALUES (?, ?, ?)");
    if (!$stmt) {
        die("Could not prepare the insert");
    }
    mysqli_stmt_bind_param($stmt, "sss", $username, $password, $email);
    $result = mysqli_stmt_execute($stmt);
    if ($result) {
        echo "<span>Your name and password have been submitted into our database! <a href=\"/comboard/login.php\">Click Here To Login</a></span>";
    } else {
        echo "<span>oh noes...there was an error saving your account</span>";
    }
} else {
    echo "<span>oh noes...there was an error be sure to check your email address is valid!</span>";
}
?>


getin.php (login result):

<?php
session_start(); // has to run before anything is stored in $_SESSION

$conn = mysqli_connect("**", "***", "***", "flashanims_db");
if (!$conn) {
    die("Could not connect to the database");
}

$username = isset($_POST["username"]) ? $_POST["username"] : "";
$password = isset($_POST["password"]) ? $_POST["password"] : "";
// Same hash as the registration script: the stored value can't be reversed,
// so the attempt is hashed and the two hashes are compared.
$password = sha1(md5($password));

// Look the row up by username only, with the value bound as data.
$stmt = mysqli_prepare($conn, "SELECT username, password, email FROM users WHERE username = ?");
if (!$stmt) {
    die("Could not prepare the query");
}
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $user, $stored_hash, $email);
$worked = mysqli_stmt_fetch($stmt); // true for a row, null when the name doesn't exist

// hash_equals() compares in constant time, so timing can't reveal a partial match
if ($worked && hash_equals($stored_hash, $password)) {
    session_regenerate_id(true); // fresh session id on login
    $_SESSION["loggedin_user"] = $user;
    $_SESSION["loggedin_user_email"] = $email;
    $_SESSION["loggedin"] = "yes";
    // escape before echoing: both values came from user input
    echo "Welcome " . htmlspecialchars($user) . "! Your e-mail address is " . htmlspecialchars($email) . "! You are now logged in.";
} else {
    echo "Name and password not found or not matched";
}
?>

GJay
03-24-2007, 08:26 PM
Hashes are, by definition, irreversible and consistent. This means that you can't unencrypt a password, but by performing the same steps on a given string, can tell whether it hashes to the same value, and so whether it is the same password.

You want to compare the password you have in the database to sha1(md5($X)), where $X is the user-supplied attempt at the password.

JohnDubya
03-25-2007, 01:30 AM
Are you sure you want to use both sha1 and md5 hashes? You can use just one if you want to.

And to validate if the password is correct or not, you don't have to unencrypt it. All you have to do is sha1 or md5 the password the user enters and match that against the hashed password that is in your database. If they don't match, don't log the user in.
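
A worked version of what both replies describe, added here as an example (it is not code from the thread or from Armondo's site): the registration side stores the hash, the login side recomputes the same hash over the attempt and compares the two, first with the thread's sha1(md5()) scheme and then with PHP's password_hash()/password_verify(). An in-memory array stands in for the users table, and every user name, password and wordlist entry is made up for the example.

```php
<?php
// Added example, not code from the thread. An array replaces the MySQL table so
// it runs stand-alone; all names, passwords and wordlist entries are constructed.

// --- The scheme from the thread: sha1(md5($password)) stored, recomputed at login ---

function thread_hash($password) {
    return sha1(md5($password));
}

// "Register": store only the hash, never the password itself.
function thread_register(array &$users, $username, $password) {
    $users[$username] = thread_hash($password);
}

// "Login": hash the attempt with the same steps and compare the two hashes.
// hash_equals() runs in constant time, so the comparison does not leak how
// many leading characters of the stored hash matched.
function thread_login(array $users, $username, $password) {
    if (!isset($users[$username])) {
        return false;
    }
    return hash_equals($users[$username], thread_hash($password));
}

$users = array();
thread_register($users, "armondo", "123");

var_dump(thread_login($users, "armondo", "123"));
var_dump(thread_login($users, "armondo", "1234"));
var_dump(thread_login($users, "nobody", "123"));

// --- Why an unsalted sha1(md5()) is weak ---
// The hash has no salt and is cheap to compute, so one table of guesses is
// enough to check every account, and two users with the same password get the
// same stored value. The wordlist is constructed for the example.
function crack_unsalted(array $users, array $wordlist) {
    $table = array();
    foreach ($wordlist as $guess) {
        $table[thread_hash($guess)] = $guess;   // one hash per guess, reused for all users
    }
    $found = array();
    foreach ($users as $username => $hash) {
        if (isset($table[$hash])) {
            $found[$username] = $table[$hash];
        }
    }
    return $found;
}

thread_register($users, "alice", "password");
thread_register($users, "bob", "password");
print_r(crack_unsalted($users, array("123", "letmein", "password")));

// --- The current PHP way: password_hash() / password_verify() ---
// password_hash() picks a random salt and a deliberately slow algorithm
// (bcrypt for PASSWORD_DEFAULT) and records algorithm, cost and salt inside
// the returned string, so password_verify() can repeat exactly the same steps.
function modern_register(array &$users, $username, $password) {
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function modern_login(array $users, $username, $password) {
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

$users2 = array();
modern_register($users2, "alice", "password");
modern_register($users2, "bob", "password");
var_dump($users2["alice"] === $users2["bob"]);
var_dump(modern_login($users2, "alice", "password"));
var_dump(modern_login($users2, "alice", "Password"));
?>
```

thread_login() and modern_login() accept only the exact password, which is the "same steps on both sides" idea from the replies. crack_unsalted() is the reason to prefer the second form: with one hash per wordlist entry it recovers every account whose password is in the list, and alice and bob are indistinguishable because their hashes are identical. Under password_hash() the two "password" entries get different salts and therefore different stored strings, and password_verify() reads the salt and cost back out of the stored value, so nothing extra has to be kept in the users table.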

Armondo
03-25-2007, 02:26 AM
Oops, sorry for the late reply, I couldn't log in and it made me wait, so I went and did something else but then forgot all abou...er? Well anyway, I got it to work: instead of unencrypting it I just made it go to the same result! If the password was 123 and the encrypted version was 112233, I just encrypted the user's login input, thus creating 112233. Heh! But umm...I think the guy above me already thought of that =/. Well, thanks guys! I just need to go on to work on the user rank system...lol. This is going to be trouble.

JohnDubya
03-25-2007, 02:30 AM
If you need some help thinking through it, post away! :)


