Insert encrypted password

Deleted By Author

[bernholdt]

This should do the encryption as md5
form

Quote:

<form action="insert.php method="POST" />
password : <input type="password" name="Password" />
</form>

php insert

Quote:

<?php
mysql_query("INSERT INTO table (Password) VALUES ('".md5('$_POST['Password']')."')");
?>

[Ben]

In general this code is bad practice...

PHP Code:

<?php
mysql_query("INSERT INTO table (Password) VALUES ('".md5('$_POST['Password']')."')");
?>

... eventhough it works fine here without having the risk of sql injection as the unverified userinput ($_POST['Password']) is hashed before inserted.

But the selection is missing in this insert statement, in this case the primary key to identify the user who want's to set the pw.

If you are interested in verifying the pw strength (nr of chars, occurence of upper/lowercase letters, spechial chars, numbers...) on serverside I'd transport the pw cleartext from client to server.
If it's ok for you, to do that on clientside via Javascript, I'd do the md5 (or better sha1 / sha256) hash sum on the client and just transport it to the server. Thus an attacker (MITM) won't see the pw on a clear text transportation (in case of no httpS use) and you only need to verify that returned string contains a specific length (eg. 32 chars with MD5) and numbers and letters (A-F), only.

I'd also salt the hash instead of using the plain hash, to defend the pw in the database against rainbow table attacks.

Keep in mind that hashing != encrypting, as a hash can not be "unhashed" (but it might be found in rainbow tables if not salted).

Deleted By Author

[Ben]

Maybe this will help you then: http://dev.mysql.com/doc/refman/5.1/...functions.html

PHP Code:

//DB Connection etc., maybe abstraction via pear::db (pear.php.net)
//...

$pw = $_POST['password']

//Verifyuserinput
//... e.g. regex to check only valid characters

//Escape string if you do not use prepared statements
//http://de.php.net/manual/de/function.mysql-real-escape-string.php
$pw = mysql_real_escape_string($pw, $dbconnectionhandle)

//I assume $userID to be filled, verified and escaped, already!
//and to be numerical
if( false === mysql_query('UPDATE `yourtable` SET `password`=ENCRYPT('.$pw.') WHERE `youruserIDfield`='.$userID) ) {
   //Handle your mysql error here
}

//You are done... 


Deleted By Author

[adelaidelopez]

I have worked on PHP and so i have noticed that there is a feature to encrypt a passowrd while inserting. If you have not used php-mysql then ignore the above and tell me if there is any function to encrypt the password while inserting it to the database using ASP.

[lopez]

MD5 encryption is a one-way hashing algorithm.md5 is supposed to be a one way encryption. The reason you use it, is so only the user knows their password, but you can still validate the password.How you validate it is to create an md5 hash of the password supplied by the user, and compare that with the md5 hash of the password in the database.

[Ben]

Quote:

Originally Posted by adelaidelopez

I have worked on PHP and so i have noticed that there is a feature to encrypt a passowrd while inserting. If you have not used php-mysql then ignore the above and tell me if there is any function to encrypt the password while inserting it to the database using ASP.

If you mean any command in your SQL Statement than it is just a command that needs to be supported by your DMBS, e.g. mySQL, Postgres etc. so it does not matter which language you use.
Anyhow I'd prefer doing this in the application itself because it makes it easier to implement appropriate salts for each hash and in case you access your DB via network (and not localhost) the standard traffic is unencrypted so your password is transferred in cleartext to your DB (eventhough you can encrypt the DB traffic, but this is not the "out of the box" setup).