I want to know how the see or get the real value of the password after I used the function md5 with it.
when I select the passwords from the database after using md5 the value became a characters like this "3049a1f0f1c808cdaa4fbed0" and this is it's object but how to get the real value?

I want to know how the see or get the real value of the password after I used the function md5 with it.
when I select the passwords from the database after using md5 the value became a characters like this "3049a1f0f1c808cdaa4fbed0" and this is it's object but how to get the real value?

no you cant, it is what it is.

md5 is a "one way" algorithm. If you want to store encrypted--yet still decryptable when the key is known--values, you need to use a different algorithm.

Use ENCODE/DECODE or DES_ENCRYPT/DES_DECRYPT instead.

Exactly. Usually, when you store something (like passwords) in MySQL as an MD5 or SHA1 hash, you would hash the comparison when checking the database.

For example, let's say you create a new user with this query...


$sql = "INSERT INTO users (username, password) VALUES('testuser',MD5('123123'))";


Then, in your login routine, you'd typically check the credentials this way...


$sql = "SELECT count(*) as total FROM users WHERE username='{$_POST['username']}' AND password = MD5('{$_POST['password']}')";


Basically, you use the same algorithm each time. MD5 will always be unique, and the same values will always hash to the same md5 hash. i.e. the md5 of "123123" will always be the same.

It's possible but would impractical. Like bcarl said, the md5 version of a string is always the same. So if you have a list of all the passwords of your users ina a database, then you can get the md5 and check it against the password list to find a match. Quite simple, this is how md5 encrypt/decrypt sites work, thats why they was you to encrypt words so they can get a big list in their database to make the odds of being able to "decrypt" easier.

Exactly. Usually, when you store something (like passwords) in MySQL as an MD5 or SHA1 hash, you would hash the comparison when checking the database.

For example, let's say you create a new user with this query...


$sql = "INSERT INTO users (username, password) VALUES('testuser',MD5('123123'))";


Then, in your login routine, you'd typically check the credentials this way...


$sql = "SELECT count(*) as total FROM users WHERE username='{$_POST['username']}' AND password = MD5('{$_POST['password']}')";


Basically, you use the same algorithm each time. MD5 will always be unique, and the same values will always hash to the same md5 hash. i.e. the md5 of "123123" will always be the same.

Thanks for your very good explain and now I understand what I should do about that problem,my target in getting the real value of the passwords is to send the user his password if he forgot it.
and now I see I can send him the hash value of the password and I'll edit the logging function to be able to accept it also.
are you see this is a pro way or I should do another way?

md5 is a "one way" algorithm. If you want to store encrypted--yet still decryptable when the key is known--values, you need to use a different algorithm.

Use ENCODE/DECODE or DES_ENCRYPT/DES_DECRYPT instead.

Thanks,but are those function is better that md5?

It's possible but would impractical. Like bcarl said, the md5 version of a string is always the same. So if you have a list of all the passwords of your users ina a database, then you can get the md5 and check it against the password list to find a match. Quite simple, this is how md5 encrypt/decrypt sites work, thats why they was you to encrypt words so they can get a big list in their database to make the odds of being able to "decrypt" easier.

you are right it's impractical,thank you any way.

Well, typically, if you store your password as an md5 hash, you're accepting the fact that is will never be retrievable. Usually, systems that store the passwords in an md5 hash will only offer a password "reset" as opposed to a password "retrieval".

For example, on many of my systems I develop, I store the passwords in an md5 hash. If the user "forgets" their password, I have them enter their username and email address. If I find a match, I generate a new random password, set that to be their password, and send them an email with the new password. The user can then login, and update their password as needed. But they never can "retrieve" their password, just get a new one.

Hope this helps.

For example, on many of my systems I develop, I store the passwords in an md5 hash. If the user "forgets" their password, I have them enter their username and email address. If I find a match, I generate a new random password, set that to be their password, and send them an email with the new password. The user can then login, and update their password as needed. But they never can "retrieve" their password, just get a new one.

Hope this helps.

Thanks and your way seems the way that many sites use,if you can tell me how you generate a random password I'll be able try it.
also my way that I told you is working well,I make the logging function accept the orginal password and the hash password also,so I can send the hash password to the user via email when he forget his password.

Here's a PHP function I wrote to generate random numbers and letters:


<?php
function generate_random($length = 8)
{
$string;
$new_str_pattern = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_";
for ($i = 0; $i < $length; $i++) {
$string .= $new_str_pattern{rand(0, 64)};
}

return $string;
}

//Usage:
echo generate_random(10);
?>

Thank you very much Zangeel for this help.

Ummm...that code is *WRONG*.

http://us2.php.net/manual/en/function.rand.php

It will generate random integers from 0 to 64, as the docs say. But there are no characters numbered *either* 63 or 64 *in* that string of characters. There are only 63 of them (26 + 26 + 10 + 1 ==>> 63) so the highest numbered character is 62, not 64. The 64 in there needs to be changed to 62.

As a minor improvement on that code...

I don't like to use "l" (lower case L) or "I" (upper case i) or "O" (upper case o) or "1" or "0" (digits one and zero) in randomly generated passwords...too easy to read them as the wrong thing.

So I usually do something like:

function generate_random($length = 8)
{
$string;
$chars = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789_-@#";
for ($i = 0; $i < $length; $i++) {
$string .= $chars{rand(0, $strlen($chars)-1)};
}

return $string;
}

That is, I base the range of random numbers obtained on the length of the string. That means I can use any set of characters--including special characters and omitting problem characters--and it's self-adapting.

Thanks Old Pedant but I see my way is well and it's easy and I don't think it have problems.
I send the hash password that stored in the database to the user and he able to log by it.

Mido,
How are you verifying the username & password combination?
If you send the user the hashed PW, what do you do to verify that it is valid?

Normally, a user will enter their plain text PW in a form and hit submit.
The php page would then hash the PW and compare it against what is in the DB.

If you tell the user the hashed PW, wouldn't that break the login?

Also,
Here is a much faster random string generator I made, in case you need one.
/**
@speed
6.91413879395E-5
*/
function randomString( $length = 8, $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPRQSTUVWXYZ0123456789' ){
if( is_string( $chars ) )
$chars = str_split( $chars );
while( $length > count( $chars ) )// Double the $chars if $length is larger than $chars length.
$chars = array_merge( $chars, $chars );
shuffle( $chars );
return implode('', array_slice( $chars, 0, $length ) );
}

Here's a much shorter psedo random way to generate a new password...


$newpass = substr(md5(mktime()),0,8);


Pretty simple and easy to implement. Not 100% random, but good enough for most situations.

Mido,
How are you verifying the username & password combination?
If you send the user the hashed PW, what do you do to verify that it is valid?

Normally, a user will enter their plain text PW in a form and hit submit.
The php page would then hash the PW and compare it against what is in the DB.

If you tell the user the hashed PW, wouldn't that break the login?

Also,
Here is a much faster random string generator I made, in case you need one.
/**
@speed
6.91413879395E-5
*/
function randomString( $length = 8, $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPRQSTUVWXYZ0123456789' ){
if( is_string( $chars ) )
$chars = str_split( $chars );
while( $length > count( $chars ) )// Double the $chars if $length is larger than $chars length.
$chars = array_merge( $chars, $chars );
shuffle( $chars );
return implode('', array_slice( $chars, 0, $length ) );
}


I make the code could accept the both,I tried it and it work well without problems,and the user could enter his real password value or the hashed password.
here is the part of the sql query of it:

$sql="SELECT user_name FROM users WHERE user_name = '$logname' AND pass = md5('$logpass') OR pass = '$logpass'";

Here's a much shorter psedo random way to generate a new password...


$newpass = substr(md5(mktime()),0,8);


Pretty simple and easy to implement. Not 100% random, but good enough for most situations.


but are the value of this variable $newpass the user can log in by it directly?
or by another way or this value is who we send to the user via an email.

Riiiiiiiiiiight... I suppose I counted the characters wrong. :D