Insert encrypted password

Discussion in 'Programming/Scripts' started by qwood, Mar 9, 2010.

  1. qwood

    qwood Guest

    Deleted By Author
     
    Last edited by a moderator: Oct 22, 2011
  2. bernholdt

    bernholdt Member

    This should do the encryption as md5
    form
    php insert
     
  3. Ben

    Ben ISPConfig Developer ISPConfig Developer

    In general this code is bad practice...

    PHP:
    <?php
    mysql_query
    ("INSERT INTO table (Password) VALUES ('".md5('$_POST['Password']')."')");
    ?> 
    ... eventhough it works fine here without having the risk of sql injection as the unverified userinput ($_POST['Password']) is hashed before inserted.

    But the selection is missing in this insert statement, in this case the primary key to identify the user who want's to set the pw.

    If you are interested in verifying the pw strength (nr of chars, occurence of upper/lowercase letters, spechial chars, numbers...) on serverside I'd transport the pw cleartext from client to server.
    If it's ok for you, to do that on clientside via Javascript, I'd do the md5 (or better sha1 / sha256) hash sum on the client and just transport it to the server. Thus an attacker (MITM) won't see the pw on a clear text transportation (in case of no httpS use) and you only need to verify that returned string contains a specific length (eg. 32 chars with MD5) and numbers and letters (A-F), only.

    I'd also salt the hash instead of using the plain hash, to defend the pw in the database against rainbow table attacks.

    Keep in mind that hashing != encrypting, as a hash can not be "unhashed" (but it might be found in rainbow tables if not salted).
     
  4. qwood

    qwood Guest

    Deleted By Author
     
    Last edited by a moderator: Oct 22, 2011
  5. Ben

    Ben ISPConfig Developer ISPConfig Developer

    Maybe this will help you then: http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html

    PHP:
    //DB Connection etc., maybe abstraction via pear::db (pear.php.net)
    //...

    $pw $_POST['password']

    //Verifyuserinput
    //... e.g. regex to check only valid characters

    //Escape string if you do not use prepared statements
    //http://de.php.net/manual/de/function.mysql-real-escape-string.php
    $pw mysql_real_escape_string($pw$dbconnectionhandle)

    //I assume $userID to be filled, verified and escaped, already!
    //and to be numerical
    if( false === mysql_query('UPDATE `yourtable` SET `password`=ENCRYPT('.$pw.') WHERE `youruserIDfield`='.$userID) ) {
       
    //Handle your mysql error here
    }

    //You are done...
     
  6. qwood

    qwood Guest

    Deleted By Author
     
    Last edited by a moderator: Oct 22, 2011
  7. adelaidelopez

    adelaidelopez New Member

    Hi

    I have worked on PHP and so i have noticed that there is a feature to encrypt a passowrd while inserting. If you have not used php-mysql then ignore the above and tell me if there is any function to encrypt the password while inserting it to the database using ASP.
     
  8. lopez

    lopez New Member

    MD5 encryption is a one-way hashing algorithm.md5 is supposed to be a one way encryption. The reason you use it, is so only the user knows their password, but you can still validate the password.How you validate it is to create an md5 hash of the password supplied by the user, and compare that with the md5 hash of the password in the database.
     
  9. Ben

    Ben ISPConfig Developer ISPConfig Developer

    If you mean any command in your SQL Statement than it is just a command that needs to be supported by your DMBS, e.g. mySQL, Postgres etc. so it does not matter which language you use.
    Anyhow I'd prefer doing this in the application itself because it makes it easier to implement appropriate salts for each hash and in case you access your DB via network (and not localhost) the standard traffic is unencrypted so your password is transferred in cleartext to your DB (eventhough you can encrypt the DB traffic, but this is not the "out of the box" setup).
     

Share This Page