08-09-2006, 05:52 AM #1
I would like to encode passwords, but there is a problem: I don't know how to decode them.
I know how to use Password
but not how to decode password
I don't know encrypt and encode/decode functions
Please tell me how to use them if you can, thanks
08-09-2006, 08:53 AM #2
You should not use the password() function
--> this function is only intended to be used for hashing your MySQL accounts' passwords
--> this function produces different digests in different MySQL versions, so if you do use it for your own data, you cannot update your db version
--> password() is, just like sha1() and md5(), a hashing function, so it's one-way. You cannot recover the original value from the function's digest...
I also don't understand your intended use --> what's the point in encoding a password? You should store the encrypted value of the password (using sha1() to encrypt it) in your db, and when the user then wants to log in, you encrypt the password that he used in the login form with sha1() and compare it to the stored one. Like:
$sql = "SELECT COUNT(*) FROM yourtable WHERE yourusernamecolumn='". $_POST['username'] ."' and yourencruptedpasswordcollumn='". sha1($_POST['pwd']) ."'";
Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html
08-09-2006, 05:36 PM #3
Yeah but how do I encode the sha1 to uncode it
also how can I decode it while I write in the query?
08-09-2006, 05:52 PM #4
You need to read Raf's post again, because you missed the part about "You Can't Decode It."
Nor do you want to be able to decode it; it's called one-way encryption and that's why it's so secure. To compare a password your user enters you simply encode the input and compare the two strings.
08-09-2006, 08:34 PM #5
A hash has 2 desirable properties:
1. It is one-way. That means that given a value, you can hash it, but getting the original from the hash is very difficult (not impossible, but certainly not something you could do during the login process!)
2. It is consistent. Given a hash function f, f(a) will always produce the same result. Therefore, there are 'standard' hash functions that are used, md5 being one of them (sha1 another).
md5('hello') will always produce 5d41402abc4b2a76b9719d911017c592
So, when someone signs up, and decides they want their password to be 'hello', this gets hashed and stored in the database as the '5d41...' value above (truncated for readability...).
When they come to login, they will type 'hello' in the password box. Your code will then hash the password (using the same function) and compare it to the value in the database. If they are the same, then the user entered the correct password. If they don't match, the password they entered wasn't 'hello'.
The slight (ever so slight...) problem occurs when people forget their passwords, as there is no (practical) way of getting them back from the hash. The solution though, is simple: simply give them a new password, and send it to them. Send them an email with the new password, and hash it and store it in the database, and then they can login again, and (hopefully) change it to something they can remember.
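The sign-up, login and forgotten-password flow described in this thread, as an added example that is not part of any poster's message. It goes beyond the thread in two labelled ways: it uses PHP's password_hash()/password_verify() (salted and deliberately slow) in place of a bare sha1()/md5() string comparison, and bound parameters in place of concatenating $_POST values into the query. Assumptions: PHP 7.1+ with the pdo_sqlite extension; the table, column and function names are hypothetical.

```php
<?php
// Added example (not from the thread). The users table and the function
// names register/login/resetPassword are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwd_hash TEXT NOT NULL)');

// Sign-up: only the hash is stored, never the password itself.
function register(PDO $db, string $user, string $pwd): void {
    $stmt = $db->prepare('INSERT INTO users (username, pwd_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pwd, PASSWORD_DEFAULT)]);
}

// Login: fetch the stored hash by username, then check the typed password
// against it. The salt lives inside the stored hash string, so the check
// is done by password_verify() rather than by comparing two digests in SQL.
function login(PDO $db, string $user, string $pwd): bool {
    $stmt = $db->prepare('SELECT pwd_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn(); // false when there is no such user
    return $hash !== false && password_verify($pwd, $hash);
}

// Forgotten password: there is nothing to decode, so issue a new random
// password, store its hash, and hand the plaintext back for the e-mail.
function resetPassword(PDO $db, string $user): string {
    $new = bin2hex(random_bytes(8));
    $stmt = $db->prepare('UPDATE users SET pwd_hash = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return $new;
}

// Constructed sample data. The quote in the username is handled by the
// bound parameter and never becomes part of the SQL text.
register($db, "o'brien", 'hello');
var_dump(login($db, "o'brien", 'hello'));   // correct password
var_dump(login($db, "o'brien", 'Hello'));   // wrong password
var_dump(login($db, 'nobody', 'hello'));    // unknown user

$temp = resetPassword($db, "o'brien");
var_dump(login($db, "o'brien", 'hello'));   // old password after the reset
var_dump(login($db, "o'brien", $temp));     // newly issued password

// Consistency property from the thread: same input, same digest.
var_dump(md5('hello') === '5d41402abc4b2a76b9719d911017c592');
```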
08-09-2006, 09:06 PM #6
Nice explanation GJay.