08-09-2006, 04:52 AM
I would like to Encode Passwords but there is a problem, I dunno how to decode them:
I know how to use Password
but not how to decode password
I dont know encrypt and encode/decode functions
please tell me how to use them if you can, thanks :D
you should not use the password() function
--> this function is only intended to be used for hashing your mysql-accounts passwords
--> this function produces different digests in different mysql version so if you do use it for your own data, you can not update your db-version
--> password() is just like sha1() and md5() a hashing function, so it's one-way. You can not recover the original value from the functions digest...
i also don't understand you intended use --> what's the point in encoding a password? you should store the encrypted value of the password (using sha1() to encrypt it) in your db, and when the user then want to login, you encrypt the password that he used in the login form with sha1() and compare it to the stored one. like
$sql = "SELECT COUNT(*) FROM yourtable WHERE yourusernamecolumn='". $_POST['username'] ."' and yourencruptedpasswordcollumn='". sha1($_POST['pwd']) ."'";
i don't think you realy understand the use of password-hashing so it might be a good idea to searh this forum and the php forum for more info.
08-09-2006, 04:36 PM
Yeah but how do I encode the sha1 to uncode it
also how can I decode it while I write in the query?
08-09-2006, 04:52 PM
You need to read Raf's post again, because you missed the part about "You Can't Decode It."
Nor do you want to be able to decode it; it's called one-way encryption and that's why it's so secure. To compare a password your user enters you simply encode the input and compare the two strings.
a hash has 2 desirable properties:
1. it is one-way. That means that given a value, you can hash it, but getting the original from the hash is very diffiicult (not impossible, but certainly not something you could do during the login process!)
2. it is consistent. given a hash function f, f(a) will always produce the same result. Therefore, there are 'standard' hash functions that are used, md5 being one of them (sha1 another).
md5('hello') will always produce 5d41402abc4b2a76b9719d911017c592
So, when someone signs up, and decides they want their password to be 'hello', this gets hashed and stored in the database as the '5d41...' value above (truncated for readability...).
When they come to login, they will type 'hello' in the password box. Your code will then hash the password (using the same function) and compare it to the value in the database. If they are the same, then the user entered the correct password. If they don't match, the password they entered wasn't 'hello'.
The slight (ever so slight...) problem occurs when people forget their passwords, as there is no (practical) way of getting them back from the hash. The solution though, is simple: simply give them a new password, and send it to them. Send them an email with the new password, and hash it and store it in the database, and then they can login again, and (hopefully) change it to something they can remember.