Post #1, Feb 16 2006, 12:08 AM
Newbie [ Level 2 ] Group: Members Posts: 24 Joined: 22-January 06 Member No.: 10,833
Hi! This is my 2nd code of PHP + MySQL.
This code is VERY simple: it encrypts the data in the MySQL DB. Here we go!

CODE

    <?php
    $password = "abc";
    $new_password = md5($password);
    echo $new_password;
    ?>

The password "abc" was codified using md5(). This will be: 900150983cd24fb0d6963f7d28e17f72

CODE

    <?php
    $normal_pass = "abc";
    $encripted_pass = "900150983cd24fb0d6963f7d28e17f72";
    // Strict comparison: == would type-juggle hash strings that look numeric (e.g. "0e...")
    if (md5($normal_pass) === $encripted_pass)
        echo "Login Successful!";
    else
        echo "Incorrect password.";
    ?>

This checks if the password in the var is the "same" as the password in the DB.

Post #2, Feb 16 2006, 03:47 PM
Way Out Of Control - You need a life :) Group: [MODERATOR] Posts: 2,045 Joined: 16-August 05 Member No.: 7,896
Very nice.
Very useful, because doing it that way you store in the database only encrypted passwords. So, people reading your database will not be able to retrieve the password. I only wonder about something. md5 is a standard way of encrypting. Is there a reverse method, able to retrieve "abc" from md5(abc)?
Regards
Yordan

Post #3, Feb 16 2006, 05:41 PM
Super Member Group: Members Posts: 572 Joined: 25-April 05 From: Nashville Tennessee Member No.: 4,340
No, that is why it is encrypted in the first place. md5 encryption produces a 32 bit hash of the string referred to as a variable, but there is no reverse, at least in PHP functions; if there were, then all encrypted data would be useless. If you visit some sites that use md5 and you lose your password, they can only issue another password due to the fact that md5 is irreversible. You could of course send them their md5 hash, but it has to match with the password that it originally encrypted, and I doubt they would be happy with a new password of 1f3870be274f6c49b3e31a0c6728957f, which is the md5 encryption of 'apple'.
Would you like it if a webmaster or other admin of a site had your password, even if he cared about it, or would you feel more comfortable knowing that your password were encrypted and very difficult to match even using brute force?

Post #4, Feb 16 2006, 08:47 PM
Way Out Of Control - You need a life :) Group: [MODERATOR] Posts: 2,045 Joined: 16-August 05 Member No.: 7,896
QUOTE
> Would you like it if a webmaster or other admin of a site had your password, even if he cared about it, or would you feel more comfortable knowing that your password were encrypted and very difficult to match even using brute force?

No way, I'm familiar with the fact that the system admin simply resets passwords. And the database admin doesn't need users' passwords, he can directly read the data from your tables so he does not need to know your password. I was just curious about the way to do that, I never did it by myself. I usually work with Oracle, and I simply give a user a password, ask the user to change his password, and then reset the password because the user lost it.

Post #5, Jun 27 2008, 07:54 AM
Newbie [ Level 1 ] Group: Members Posts: 0 Joined: 1-November 07 Member No.: 25,869
MD5 Encryption
[PHP + MySQL] Encrypting Data
Replying to Houdini
This encryption is not safe, because you can easily find the decrypted data within a single search.
Md5 decryption e358efa489f58062f10dd7316b65649e
Search the above word in Google and you will get the decrypted data. So use some simple private encryption for better security.
-reply by ManuMadanan
-----admin opinion----- spam.

Post #6, Jun 28 2008, 11:05 AM
Way Out Of Control - You need a life :) Group: [HOSTED] Posts: 1,049 Joined: 2-August 05 From: Kapellen (Antwerp, Belgium) Member No.: 7,585
QUOTE
> MD5 Encryption
> [PHP + MySQL] Encrypting Data
> Replying to Houdini
> This encryption is not safe, because you can easily find the decrypted data within a single search.
> Md5 decryption e358efa489f58062f10dd7316b65649e
> Search the above word in Google and you will get the decrypted data. So use some simple private encryption for better security.
> -reply by ManuMadanan
> -----admin opinion----- spam.

That's exactly why your passwords should be more complex and not as simple as 't' ... Find these ones for me, will you:
9571f61c4138bb26c46baceda4b750c8
f2de268dc779a73c6de9e25d61a4da1f
f8b3685e8f0ca7ef4c00d599866d65dc
18191ad14376f315b9403a108dd745d4

Post #7, Jul 17 2008, 02:39 PM
Newbie [ Level 2 ] Group: Members Posts: 12 Joined: 17-July 08 Member No.: 31,506
sweet

Post #8, Jul 17 2008, 10:37 PM
Way Out Of Control - You need a life :) Group: [MODERATOR] Posts: 2,045 Joined: 16-August 05 Member No.: 7,896
QUOTE
> Md5 decryption e358efa489f58062f10dd7316b65649e Search the above word in Google and you will get the decrypted data.

You know what? I did this Google search. And the answer was: this topic!

Post #9, Jul 18 2008, 06:45 AM
the Q Group: [HOSTED] Posts: 1,054 Joined: 13-July 05 From: Lithuania, Vilnius Member No.: 7,059
Using just simple md5() isn't very safe these days, that's why it's much better to do a random seed and generate random strings with md5 or something, which will always be the same to look at. For example, I have a function like this somewhere in my scripts, which is a much better way to check the password and encrypt it; normally there is no way to decrypt unless you're a tough hacker or something..
It's really quite a complex thing, but when you understand what it does, then you think: wow, how simple and brilliant this is.

CODE

    function pw_hash($pass)
    {
        /** PW HASH() Notice! **/
        // * $pass check isn't required, this
        // * function should only be called from:
        // * pw_encode(); && pw_check();

        // Split password for every letter
        $pass = str_split($pass);
        $salt = '';

        // Hash every letter of the password
        foreach ($pass as $letter) {
            $salt .= bin2hex(md5($letter, true)); # for PHP4 -> md5($letter);
        }

        // Return the Hash of the word
        return bin2hex(md5($salt, true)); # for PHP4 -> md5($salt);
    }

    function pw_encode($pass)
    {
        // Check Input
        if (is_string($pass) && !empty($pass)) {
            // Hash the password for every letter
            $pass = pw_hash($pass);
            $seed = '';

            // Make a Random Seed
            for ($i = 0; $i < 8; $i++) {
                $seed .= substr('0123456789abcdef', mt_rand(0,15), 1);
            }

            return bin2hex(md5($seed.$pass, true)).$seed; // for PHP4 -> md5($seed.$pass).$seed;
        } else {
            user_error('pw_encode() The input should be non empty string', E_USER_WARNING);
            return false;
        }
    }

    function pw_check($pass, $value)
    {
        // Check Input
        if (is_string($pass) && is_string($value) && !empty($pass) && !empty($value)) {
            // Hash the password for every letter
            $pass = pw_hash($pass);

            // Get the Seed
            $seed = substr($value, 32, 8);

            // Check the Passwords (strict comparison, so hex strings are never compared as numbers)
            if (bin2hex(md5($seed.$pass, true)).$seed === $value) { # for PHP4 -> md5($seed.$pass).$seed === $value
                return true;
            } else {
                return false;
            }
        } else {
            user_error('pw_check() The both input values should be non empty strings', E_USER_WARNING);
            return false;
        }
    }

To tell it shortly, it hashes every word and letter and hashes all those hashes into one string. I use a slightly different technique on my CMS, so I won't tell it publicly, because you can change something a little by changing some numbers and you'll get quite different results. Those who know PHP will know what it does; there are even some comments to understand its functionality..

To use them, you can do just as in the top post, by using some if statement and calling the functions like this:

CODE

    if (pw_check($_POST['password'], $db_password) && $_POST['username'] == $db_username) {
        // .. do something here ..
    } else {
        echo "wrong password or username in the login form or something like that";
    }

If you want to encrypt the password or store it to the database, you can just do it by using the other function:

CODE

    $string = $_POST['password'];
    $encoded_string = pw_encode($string);

You'll see that every time you get quite a different random hashed string, but the meaning is the same; when you check it with the check function, it returns true all times if the words meant the same..

To continue, why using only md5() isn't safe: because there is software for hackers which has the most popular dictionaries hashed with md5() for all the words in different languages and the most popular symbols and numbers with letters, and they take up several GB or a TB, and they use it to check with a loop. Of course, to prevent that you can just do a check by logging how many times he tries to login, or only let your php script login everyone in a timestamp of half a second, or do a sleep function for everyone for a second; there are many ways you can avoid this, even if the hacker has a lot of ips to use..
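
Added example, not part of the post above: one way to implement the login throttling it mentions, which limits online guessing at the login form. Failures are counted per account as well as per address, so guesses spread over many IPs still hit the account limit; the function names, the limits and the in-memory `$log` array are assumptions for illustration.

```php
<?php
// Added example (PHP 7+). Attempt history lives in an array here; a real site
// would keep it in a table or cache shared by all PHP workers (assumption).
const MAX_FAILURES = 5;     // failures allowed per window
const WINDOW_SECONDS = 900; // 15 minutes

/** Drop failures older than the window and return how many remain for $key. */
function recent_failures(array &$log, string $key, int $now): int
{
    $log[$key] = array_values(array_filter(
        $log[$key] ?? [],
        function ($t) use ($now) { return $t > $now - WINDOW_SECONDS; }
    ));
    return count($log[$key]);
}

/**
 * Returns 'locked', 'ok' or 'bad'. $check runs the actual password check
 * (for example pw_check() from the post, or password_verify()).
 */
function attempt_login(array &$log, string $user, string $ip, int $now, callable $check): string
{
    $keys = ['user:' . strtolower($user), 'ip:' . $ip];
    foreach ($keys as $key) {
        if (recent_failures($log, $key, $now) >= MAX_FAILURES) {
            return 'locked'; // refuse before the password is even checked
        }
    }
    if ($check()) {
        unset($log[$keys[0]]); // success clears the account counter, not the IP one
        return 'ok';
    }
    foreach ($keys as $key) {
        $log[$key][] = $now;   // record the failure under both keys
    }
    return 'bad';
}

// Constructed run: six wrong guesses against one account, each from a new address.
$log = [];
$results = [];
for ($i = 0; $i < 6; $i++) {
    $results[] = attempt_login($log, 'Admin', "203.0.113.$i", 1000 + $i,
        function () { return false; });
}
echo implode(',', $results), PHP_EOL;
```

The counter expires after a time window instead of locking permanently, because a per-account limit also lets anyone who knows a username block that account for as long as the window lasts.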

Post #10, Jul 19 2008, 11:28 PM
Premium Member Group: [HOSTED] Posts: 377 Joined: 17-June 06 From: Adblock life Member No.: 13,992
QUOTE
> That's exactly why your passwords should be more complex and not as simple as 't' ... Find these ones for me will you: 9571f61c4138bb26c46baceda4b750c8 f2de268dc779a73c6de9e25d61a4da1f f8b3685e8f0ca7ef4c00d599866d65dc 18191ad14376f315b9403a108dd745d4

QUOTE(php.net)
> string hash ( string $algo , string $data [, bool $raw_output ] )

The $algo can be any from a long list of hash functions, including but not limited to 'sha256' (which I think is the new government standard after sha1 was kicked out of use due to it being cracked), ripemd160, whirlpool etc. PHP also provides a full list of its supported hash functions with the function hash_algos (http://us2.php.net/manual/en/function.hash-algos.php). The list looks something like this:

QUOTE

    Array
    (
        [0] => md4
        [1] => md5
        [2] => sha1
        [3] => sha256
        [4] => sha384
        [5] => sha512
        [6] => ripemd128
        [7] => ripemd160
        [8] => whirlpool
        [9] => tiger128,3
        [10] => tiger160,3
        [11] => tiger192,3
        [12] => tiger128,4
        [13] => tiger160,4
        [14] => tiger192,4
        [15] => snefru
        [16] => gost
        [17] => adler32
        [18] => crc32
        [19] => crc32b
        [20] => haval128,3
        [21] => haval160,3
        [22] => haval192,3
        [23] => haval224,3
        [24] => haval256,3
        [25] => haval128,4
        [26] => haval160,4
        [27] => haval192,4
        [28] => haval224,4
        [29] => haval256,4
        [30] => haval128,5
        [31] => haval160,5
        [32] => haval192,5
        [33] => haval224,5
        [34] => haval256,5
    )

So, yes, with php 5, there are quite a variety of hash functions to choose from, including extremely secure (currently un-cracked) ones. However, if you're stuck with php 4, there's always the sha1 function, which is still quite a ways better than md5 for mid-level security things.
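
Added example, not written by any poster in this thread: the store-and-check flow from the first post and the per-password random seed idea from post #9, done with PHP's built-in `password_hash()` / `password_verify()` (PHP 5.5+; the type declarations below need PHP 7), including replacing a legacy unsalted `md5()` row at the next successful login. The `$users` array stands in for the MySQL table, and its rows, the function names and `DUMMY_HASH` are constructed for illustration.

```php
<?php
// Added example. $users stands in for the MySQL table; rows are constructed.
$users = [
    // Legacy row: unsalted md5("abc"), as stored by the first post's code.
    'alice' => '900150983cd24fb0d6963f7d28e17f72',
    // Current row: password_hash() output carries algorithm, cost and salt.
    'bob'   => password_hash('correct horse', PASSWORD_DEFAULT),
];
// Verified against when the user does not exist, so both paths do similar work.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function is_legacy_md5(string $stored): bool
{
    // Exactly 32 lowercase hex characters, the shape of PHP's md5() output.
    return preg_match('/^[0-9a-f]{32}$/D', $stored) === 1;
}

/** Check a login; on success replace a legacy or outdated hash. */
function verify_and_upgrade(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    $stored = $users[$name];
    $legacy = is_legacy_md5($stored);

    // hash_equals() compares in constant time and never type-juggles.
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);

    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // The plaintext is only available during login, so re-hash now.
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

var_dump(verify_and_upgrade($users, 'alice', 'abc'));   // legacy md5 path, then upgrade
var_dump(is_legacy_md5($users['alice']));               // row format after the upgrade
var_dump(verify_and_upgrade($users, 'alice', 'abc'));   // password_verify() path
var_dump(verify_and_upgrade($users, 'alice', 'apple')); // wrong password
var_dump(verify_and_upgrade($users, 'mallory', 'abc')); // unknown user
// Compare two hashes of the same password to see the effect of the per-hash salt.
var_dump(password_hash('abc', PASSWORD_DEFAULT) === password_hash('abc', PASSWORD_DEFAULT));
```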