  1. #1
    Regular Coder Armondo's Avatar
    Join Date
    Feb 2007
    Posts
    144
    Thanks
    3
    Thanked 0 Times in 0 Posts

    encrypting passwords...

    I have been messing around with my little login/user system for a while now... and I have already done various security fixes such as email validation and password confirmation... but I recently realized that I need to encrypt the passwords the user sends in. I tried this:
    PHP Code:
    $password = sha1(md5($password));
    and it successfully encrypts it! But... er... I have no idea how to un-encrypt it when you log in... the script is at: www.flashanims.com

    here be me codes

    sendit (sends the register data to the db):
    PHP Code:
    <?php
    //replace username and password with your mysql name and password
    $conn = mysql_connect("p41mysql5.secureserver.net","flashanims_db","allnumeric132");

    //select the database
    $db = mysql_select_db("flashanims_db");

    // escape the form values before they go into the SQL strings below
    $username  = mysql_real_escape_string($_POST["username"]);
    $password  = $_POST["password"];
    $email     = mysql_real_escape_string($_POST["email"]);
    $password2 = $_POST["password2"];
    $email2    = mysql_real_escape_string($_POST["email2"]);

    function check_email_address($email) {
        // First, we check that there's one @ symbol, and that the lengths are right
        if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
            // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
            return false;
        }
        // Split it into sections to make life easier
        $email_array = explode("@", $email);
        $local_array = explode(".", $email_array[0]);
        for ($i = 0; $i < sizeof($local_array); $i++) {
            if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
                return false;
            }
        }
        if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
            $domain_array = explode(".", $email_array[1]);
            if (sizeof($domain_array) < 2) {
                return false; // Not enough parts to domain
            }
            for ($i = 0; $i < sizeof($domain_array); $i++) {
                if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
                    return false;
                }
            }
        }
        return true;
    }

    if ($email != $email2) {
        print "your email addresses did not match, please go back and correct them";
        exit;
    }
    if ($password != $password2) {
        print "your passwords did not match, please go back and correct them";
        exit;
    } elseif ($password == $password2) {
        // store the hash, never the plain password (hex output, safe to put in the query)
        $password = sha1(md5($password));
    }

    if (check_email_address($email)) {
        //insert the values (id is auto-generated, so pass NULL, not the string 'NULL')
        $result = MYSQL_QUERY("INSERT INTO users (id, username, password, email)".
                              "VALUES (NULL, '$username', '$password', '$email')");
        echo "<span>Your name and password have been submitted into our database! <a href=\"/comboard/login.php\">Click Here To Login</a></span>";
    } else {
        echo "<span>oh noes...there was an error be sure to check your email address is valid!</span>";
    }
    ?>
    getin.php (login result):
    PHP Code:
    <?php
    session_start(); // must run before anything is written to $_SESSION
    $conn = mysql_connect("**","***","***");
    $db = mysql_select_db("flashanims_db");

    $username = mysql_real_escape_string($_POST["username"]);
    $password = $_POST["password"];
    // hash the login attempt the same way sendit did, then compare against the stored hash
    $password = sha1(md5($password));

    $result = MYSQL_QUERY("SELECT * from users WHERE username='$username' and password='$password'")
        or die("Name and password not found or not matched");

    $worked = mysql_fetch_array($result);

    if ($worked) {
        $user     = $worked["username"];
        $password = $worked["password"];
        $email    = $worked["email"];
        echo "Welcome $user! Your e-mail address is $email! you are now logged in.";
        $_SESSION["loggedin_user"]       = $user;
        $_SESSION["loggedin_user_email"] = $email;
        $_SESSION["loggedin"]            = "yes";
    }
    ?>

  • #2
    Senior Coder
    Join Date
    Sep 2005
    Posts
    1,791
    Thanks
    5
    Thanked 36 Times in 35 Posts
    Hashes are, by definition, irreversible and consistent. This means that you can't unencrypt a password, but by performing the same steps on a given string, can tell whether it hashes to the same value, and so whether it is the same password.

    You want to compare the password you have in the database to sha1(md5($X)), where $X is the user-supplied attempt at the password.
    My thoughts on some things: http://codemeetsmusic.com
    And my scrapbook of cool things: http://gjones.tumblr.com

  • #3
    Super Moderator JohnDubya's Avatar
    Join Date
    Nov 2006
    Location
    Missouri
    Posts
    634
    Thanks
    12
    Thanked 18 Times in 18 Posts
    Are you sure you want to use both sha1 and md5 hashes? You can use just one if you want to.

    And to validate if the password is correct or not, you don't have to unencrypt it. All you have to do is sha1 or md5 the password the user enters and match that against the hashed password that is in your database. If they don't match, don't log the user in.
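
    Replies #2 and #3 describe the same check: hash the login attempt the same way and compare it with the stored hash. The following is an added example, not code from the thread; it keeps the thread's sha1(md5()) scheme next to PHP's built-in password_hash()/password_verify(), and assumes PHP 7+, a mysqli connection with mysqlnd, and a users table with username and password columns.

```php
<?php
// Added example, not code from the thread: recompute the hash of the login
// attempt and compare it with the stored value. Values are constructed here;
// a real app reads the stored hash from the users table.

// The thread's scheme: store sha1(md5($password)) at registration...
function legacy_hash(string $password): string {
    return sha1(md5($password));
}

// ...and at login recompute it and compare. hash_equals() compares in
// constant time, so the comparison itself leaks no timing information.
function legacy_verify(string $attempt, string $stored_hash): bool {
    return hash_equals($stored_hash, legacy_hash($attempt));
}

// Preferred today: password_hash() (PHP 5.5+) applies a per-user salt and a
// deliberately slow algorithm (bcrypt by default), so two users with the same
// password get different hashes; password_verify() recomputes and compares.
function modern_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function modern_verify(string $attempt, string $stored_hash): bool {
    return password_verify($attempt, $stored_hash);
}

// Login flow (assumes mysqli + mysqlnd and a users(username, password) table):
// look the row up by username only, with a bound parameter, then verify the
// hash in PHP instead of putting the password into the SQL string.
function login(mysqli $db, string $username, string $attempt): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) { return false; }
    $stored = $row['password'];
    // A legacy row holds sha1() hex (40 hex chars); password_hash() output is longer.
    $is_legacy = strlen($stored) === 40 && ctype_xdigit($stored);
    $ok = $is_legacy ? legacy_verify($attempt, $stored) : modern_verify($attempt, $stored);
    if ($ok && $is_legacy) {
        // Upgrade the row to the modern hash on its first successful login.
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $new = modern_hash($attempt);
        $upd->bind_param('ss', $new, $username);
        $upd->execute();
    }
    return $ok;
}
```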

  • #4
    Regular Coder Armondo's Avatar
    Join Date
    Feb 2007
    Posts
    144
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Oops, sorry for the late reply. I couldn't log in and it made me wait, so I went and did something else but then forgot all abou... er? Well, anyway, I got it to work... instead of unencrypting it I just made it go to the same result! If the password was 123 and the encrypted version was 112233, I just encrypted the user's login input... thus creating 112233. Heh! But umm... I think the guy above me already thought of that =/. Well, thanks guys! I just need to go on to work on the user rank system... lol. This is going to be trouble.

  • #5
    Super Moderator JohnDubya's Avatar
    Join Date
    Nov 2006
    Location
    Missouri
    Posts
    634
    Thanks
    12
    Thanked 18 Times in 18 Posts
    If you need some help thinking through it, post away!
