xisto Community
alex1985

Sql Query Mistake?

Well, I just wanna ask you if it's a good or appropriate way to encrypt the password. I checked the entry in phpMyAdmin, and it does really encrypt the password. So, I can do that?!

Well, I'm not quite sure if sha1() is an SQL function, but I may be wrong; it is a PHP function. And yes, SHA1 is a good encryption to use for encrypting passwords. It is similar to MD5, but the hash is longer.


Well, I just wanna ask you if it's a good or appropriate way to encrypt the password. I checked the entry in phpMyAdmin, and it does really encrypt the password. So, I can do that?!

SHA1 is a good way to encrypt passwords at the moment. You would also be wise to 'salt' the passwords. This is a way to prevent against dictionary attacks. Many people are still stupid enough to pick a single dictionary word as a password. That is incredibly insecure, even if the password is hashed.

 

A good idea is to 'salt' the password. That simply means adding some random values to the end of the password, before hashing it and saving it in the database. To do this, when the password is created, also create some random data using the rand() function, or something similar. Put this random value on the end of the user's password, then hash it, then put it in the database. You also need to store the random data in the database!!!

 

Then, to check the password entered by a user, take their username, and pull the relevant piece of random data, along with the hash for their password from the database. Tag the stored random data onto the end of the password they entered, and hash that whole string. If that matches the one in the database then the password they entered is correct.

 

It can seem a little complicated at first, but it is much more secure than just hashing a user-entered password.
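The register/verify flow this post describes, written out as an added Python example rather than code from the thread (which is PHP and MySQL): it keeps the thread's sha1(password concatenated with salt) construction, but draws a fresh random salt per user from a CSPRNG instead of rand(), stores the salt next to the hash, and compares hashes in constant time. The login table with an extra salt column and the in-memory sqlite database are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumed schema (not the thread's): the original table has only
# username/password/email/activated; a salt column is added here.
SCHEMA = """
CREATE TABLE login (
    username  TEXT PRIMARY KEY,
    password  TEXT NOT NULL,   -- hex sha1(password || salt)
    salt      TEXT NOT NULL,   -- per-user random value stored beside the hash
    email     TEXT,
    activated INTEGER DEFAULT 1
)
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def hash_password(password, salt):
    # Same construction as the thread's SQL: sha1(concat(password, salt)).
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def register(conn, username, password, email=""):
    # 16 hex chars of CSPRNG output, generated fresh for every account.
    salt = secrets.token_hex(8)
    conn.execute(
        "INSERT INTO login (username, password, salt, email, activated) "
        "VALUES (?, ?, ?, ?, 1)",
        (username, hash_password(password, salt), salt, email),
    )
    conn.commit()
    return salt


def verify(conn, username, password):
    row = conn.execute(
        "SELECT password, salt FROM login WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    stored_hash, salt = row
    # Re-hash the entered password with that user's stored salt and compare
    # without leaking timing information about where the digests differ.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def stored_hash(conn, username):
    row = conn.execute("SELECT password FROM login WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None
```

Because each user has a distinct salt, two accounts with the same password end up with different stored hashes, which is exactly what defeats a single precomputed dictionary. Current practice would also replace SHA-1 with a deliberately slow password hash such as bcrypt or scrypt.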


A good idea is to 'salt' the password

Check the code that is posted above. It is using a salt value already.

INSERT INTO login (username,password,email,activated) value ('admin',sha1(concat('yourpasswordhere','0dAfghRqSTgx')),'youremailhere','1');


Share this post


Link to post
Share on other sites

Check the code that is posted above. It is using a salt value already.

INSERT INTO login (username,password,email,activated) value ('admin',sha1(concat('yourpasswordhere','0dAfghRqSTgx')),'youremailhere','1');


Personally I prefer a random salt rather than a fixed one. A fixed salt requires one edited dictionary file. Whereas a system with a different hash for each person requires an entirely separate dictionary, and corresponding hashes, for each user.
