#1  
Old 9th March 2010, 03:59
qwood
Guest
 
Posts: n/a
Default Insert encrypted password

Deleted By Author

Last edited by qwood; 22nd October 2011 at 04:14.
  #2  
Old 9th March 2010, 11:19
bernholdt bernholdt is offline
Senior Member
 
Join Date: Jun 2007
Posts: 156
Thanks: 47
Thanked 13 Times in 11 Posts
Default

This should do the encryption as md5
form
Quote:
<form action="insert.php" method="POST">
password : <input type="password" name="Password" />
</form>
php insert
Quote:
<?php
mysql_query("INSERT INTO table (Password) VALUES ('" . md5($_POST['Password']) . "')");
?>
  #3  
Old 9th March 2010, 15:22
Ben Ben is offline
Moderator
 
Join Date: Jul 2006
Posts: 1,029
Thanks: 7
Thanked 62 Times in 56 Posts
Default

In general this code is bad practice...

PHP Code:
<?php
mysql_query("INSERT INTO table (Password) VALUES ('" . md5($_POST['Password']) . "')");
?>
... even though it works fine here without having the risk of SQL injection, as the unverified user input ($_POST['Password']) is hashed before being inserted.

But the selection is missing in this insert statement, in this case the primary key to identify the user who wants to set the pw.

If you are interested in verifying the pw strength (nr of chars, occurrence of upper/lowercase letters, special chars, numbers...) on the server side, I'd transport the pw in cleartext from client to server.
If it's ok for you to do that on the client side via JavaScript, I'd do the md5 (or better sha1 / sha256) hash sum on the client and just transport it to the server. Thus an attacker (MITM) won't see the pw in a cleartext transport (in case of no HTTPS use) and you only need to verify that the returned string has a specific length (e.g. 32 chars with MD5) and contains numbers and letters (A-F) only.

I'd also salt the hash instead of using the plain hash, to defend the pw in the database against rainbow table attacks.

Keep in mind that hashing != encrypting, as a hash can not be "unhashed" (but it might be found in rainbow tables if not salted).
  #4  
Old 12th March 2010, 02:34
qwood
Guest
 
Posts: n/a
Default

Deleted By Author

Last edited by qwood; 22nd October 2011 at 04:14.
  #5  
Old 12th March 2010, 10:58
Ben Ben is offline
Moderator
 
Join Date: Jul 2006
Posts: 1,029
Thanks: 7
Thanked 62 Times in 56 Posts
Default

Maybe this will help you then: http://dev.mysql.com/doc/refman/5.1/...functions.html

PHP Code:
//DB Connection etc., maybe abstraction via pear::db (pear.php.net)
//...

$pw = $_POST['password'];

//Verify user input
//... e.g. regex to check only valid characters

//Escape string if you do not use prepared statements
//http://de.php.net/manual/de/function.mysql-real-escape-string.php
$pw = mysql_real_escape_string($pw, $dbconnectionhandle);

//I assume $userID to be filled, verified and escaped, already!
//and to be numerical
if( false === mysql_query("UPDATE `yourtable` SET `password`=ENCRYPT('".$pw."') WHERE `youruserIDfield`=".$userID) ) {
    //Handle your mysql error here
}

//You are done... 
  #6  
Old 12th March 2010, 18:34
qwood
Guest
 
Posts: n/a
Default

Deleted By Author

Last edited by qwood; 22nd October 2011 at 04:14.
  #7  
Old 15th March 2010, 11:43
adelaidelopez adelaidelopez is offline
Junior Member
 
Join Date: Mar 2010
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Default Hi

I have worked on PHP and so I have noticed that there is a feature to encrypt a password while inserting. If you have not used php-mysql then ignore the above and tell me if there is any function to encrypt the password while inserting it to the database using ASP.
  #8  
Old 3rd May 2010, 15:22
lopez lopez is offline
Junior Member
 
Join Date: May 2010
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default

MD5 encryption is a one-way hashing algorithm. MD5 is supposed to be a one-way encryption. The reason you use it is so only the user knows their password, but you can still validate the password. How you validate it is to create an md5 hash of the password supplied by the user, and compare that with the md5 hash of the password in the database.
  #9  
Old 3rd May 2010, 22:20
Ben Ben is offline
Moderator
 
Join Date: Jul 2006
Posts: 1,029
Thanks: 7
Thanked 62 Times in 56 Posts
 
Default

Quote:
Originally Posted by adelaidelopez View Post
I have worked on PHP and so I have noticed that there is a feature to encrypt a password while inserting. If you have not used php-mysql then ignore the above and tell me if there is any function to encrypt the password while inserting it to the database using ASP.
If you mean any command in your SQL statement, then it is just a command that needs to be supported by your DBMS, e.g. MySQL, Postgres etc., so it does not matter which language you use.
Anyhow, I'd prefer doing this in the application itself because it makes it easier to implement appropriate salts for each hash, and in case you access your DB via network (and not localhost) the standard traffic is unencrypted, so your password is transferred in cleartext to your DB (even though you can encrypt the DB traffic, but this is not the "out of the box" setup).
Reply With Quote
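The points raised in posts #3 and #9 (select the user by primary key, bind values instead of concatenating them, hash with a per-password salt in the application) combined in one added example that is not part of the original thread. It swaps in PHP's `password_hash()` / `password_verify()` (available since PHP 5.5, so newer than this thread) for md5 with a hand-made salt, and PDO for the `mysql_*` functions; the `users` table, its columns and the strength thresholds are hypothetical.

```php
<?php
// Added example, not code from the thread. Table/column names are hypothetical.
// An in-memory SQLite database keeps it runnable offline; for MySQL only the DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice')"); // constructed sample row

function setPassword(PDO $db, int $userId, string $password): bool
{
    // Server-side strength check on the cleartext (illustrative thresholds).
    if (strlen($password) < 10
        || !preg_match('/[a-z]/', $password)
        || !preg_match('/[A-Z]/', $password)
        || !preg_match('/[0-9]/', $password)) {
        return false;
    }
    // password_hash() draws a fresh random salt per call and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: values are bound, never concatenated into the SQL text.
    // The WHERE clause identifies the user by primary key.
    $stmt = $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
    $stmt->bindValue(':hash', $hash, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1; // no row updated means unknown user id
}

function checkPassword(PDO $db, int $userId, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $hash = $stmt->fetchColumn(); // false if no row, null if no password set
    // password_verify() re-derives the hash using the salt stored inside $hash.
    return is_string($hash) && password_verify($password, $hash);
}

var_dump(setPassword($db, 1, 'short'));              // rejected by the strength check
var_dump(setPassword($db, 1, 'Correct-Horse-42'));   // stored for user 1
var_dump(checkPassword($db, 1, 'Correct-Horse-42')); // login with the right password
var_dump(checkPassword($db, 1, 'wrong-guess'));      // login with a wrong password
var_dump(setPassword($db, 99, 'Correct-Horse-42'));  // user id that does not exist
```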