xisto Community
Alexandre Cisneiros

[PHP + MySQL] Encrypting Data To protect the password of your DB, for example.


Hi! This is my 2nd piece of PHP + MySQL code.
This code is VERY simple: it encrypts the data in the MySQL DB. Here we go!
------------------------------------------------------------------------

<?php
$password = "abc";
$new_password = md5($password);   // 32-character hex MD5 digest of the password
echo $new_password;
?>
The password "abc" was encoded using md5().
This will be: 900150983cd24fb0d6963f7d28e17f72
<?php
$normal_pass = "abc";
$encrypted_pass = "900150983cd24fb0d6963f7d28e17f72";   // value stored in the DB
// Strict comparison: with == PHP would treat two digests that look like
// numbers (e.g. "0e..." strings) as equal.
if (md5($normal_pass) === $encrypted_pass)
    echo "Login Successful!";
else
    echo "Incorrect password.";
?>
This checks whether the password in the variable is the "same" as the password in the DB.

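As an added example (not code from the original post or from any reply in this thread): the same login check built on PHP's own password_hash()/password_verify(), with a migration path for rows that were already stored as bare md5() digests like the one above. PHP 7.1 or later is assumed for the syntax; the user table is a constructed array standing in for the MySQL table.

```php
<?php
// Added example, not from the original post. The login check above,
// rewritten around password_hash()/password_verify() (PHP >= 5.5; the
// syntax used here needs PHP >= 7.1). The stored value carries its own
// algorithm id, cost and per-user salt, so nothing from the md5() scheme
// has to be kept except for migrating old rows.

/**
 * Hash a new password for storage. PASSWORD_DEFAULT is bcrypt today and
 * may change in future PHP releases; the prefix of the stored string
 * records which algorithm produced it.
 */
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Verify a login attempt against the value stored for that user.
 * If the stored value is a legacy unsalted md5 hex digest (32 hex chars,
 * as produced by the thread's original code), verify it the old way and
 * hand back a replacement value to upgrade the row on this login.
 *
 * Returns [bool $ok, ?string $rehash]; write $rehash back to the DB
 * when it is not null.
 */
function check_password(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy row: compare the md5 digest in constant time, migrate on success.
        $ok = hash_equals(strtolower($stored), md5($password));
        return [$ok, $ok ? store_password($password) : null];
    }

    $ok = password_verify($password, $stored);
    // Also upgrade rows hashed with an older algorithm or a lower cost.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, store_password($password)];
    }
    return [$ok, null];
}

// Constructed demo data, standing in for the MySQL users table.
$users = [
    'alice' => store_password('correct horse'),     // new scheme
    'bob'   => '900150983cd24fb0d6963f7d28e17f72',  // legacy md5("abc") from the thread
];

foreach ([['alice', 'correct horse'], ['bob', 'abc'], ['bob', 'wrong']] as [$user, $try]) {
    [$ok, $rehash] = check_password($try, $users[$user]);
    if ($rehash !== null) {
        $users[$user] = $rehash;   // UPDATE users SET password = ? WHERE name = ?
    }
    printf("%-5s %-13s %s%s\n", $user, $try,
        $ok ? 'Login successful' : 'Incorrect password',
        $rehash !== null ? ' (row upgraded)' : '');
}
```

Run it twice and note that alice's stored value differs each time (a fresh random salt per hash) while both still verify; bob's row is rewritten in the new format on his first correct login and never needs a forced password reset.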

Very nice. Very useful, because doing it that way you store only encrypted passwords in the database. So people reading your database will not be able to retrieve the password. I only wonder about something. md5 is a standard way of encrypting. Is there a reverse method, able to retrieve "abc" from md5(abc)?

Regards
Yordan


No, that is why it is encrypted in the first place. md5 encryption produces a 32 bit hash of the string referred to as a variable, but there is no reverse, at least in PHP functions; if there were, then all encrypted data would be useless. If you visit some sites that use md5 and you lose your password, they can only issue another password, due to the fact that md5 is irreversible. You could of course send them their md5 hash, but it has to match the password that it originally encrypted, and I doubt they would be happy with a new password of 1f3870be274f6c49b3e31a0c6728957f, which is the md5 encryption of 'apple'.

Would you like it if a webmaster or other admin of a site had your password, even if he cared about it, or would you feel more comfortable knowing that your password were encrypted and very difficult to match even using brute force?


Would you like it if a webmaster or other admin of a site had your password, even if he cared about it, or would you feel more comfortable knowing that your password were encrypted and very difficult to match even using brute force?

No way, I'm familiar with the fact that the system admin simply resets passwords. And the database admin doesn't need users' passwords; he can directly read the data from your tables, so he does not need to know your password. I was just curious about the way to do that, I never did it by myself. I usually work with Oracle, and I simply give a user a password, ask the user to change his password, and then reset the password because the user lost it.


MD5 Encryption

Encrypting Data

Replying to Houdini

This encryption is not safe, because you can easily find the decrypted data within a single search.

Md5 decryption e358efa489f58062f10dd7316b65649e

Search the above word in Google and you will get the decrypted data. So use some simple private encryption for better security.

-reply by ManuMadanan

-----admin opinion-----

spam.


Md5 decryption e358efa489f58062f10dd7316b65649e
Search the above word in Google and you will get the decrypted data. So use some simple private encryption for better security.


That's exactly why your passwords should be more complex and not as simple as 't' ...

Find these ones for me, will you:

9571f61c4138bb26c46baceda4b750c8

f2de268dc779a73c6de9e25d61a4da1f

f8b3685e8f0ca7ef4c00d599866d65dc

18191ad14376f315b9403a108dd745d4


Md5 decryption e358efa489f58062f10dd7316b65649e
Search the above word in Google and you will get the decrypted data.

You know what? I did this Google search. And the answer was: this topic!

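An added example, not from Yordan's or anyone else's post, that puts the exchange above into code: a precomputed md5 table finds the thread's example hashes at once, a fixed suffix such as the md5($pass . "string") idea proposed later in the thread only delays that by one table rebuild, and a per-user random salt forces the dictionary to be redone for each user. PHP 7.1 or later is assumed; the word list and the user records are constructed for the demo.

```php
<?php
// Added example, not from any post in this thread. It shows why the md5
// value of a short password is found "within a single search": anyone can
// precompute md5() over a word list once and then look every hash up.
// It then shows what a fixed site-wide suffix and a per-user random salt
// each do to that attack. All data below is constructed for the demo.

// A tiny stand-in for the multi-gigabyte dictionaries mentioned in the
// thread; real lists run to hundreds of millions of entries.
$wordlist = ['t', 'abc', 'apple', 'password', 'letmein', '123456'];

// Build a lookup table hash -> plaintext for a word list, optionally
// with a fixed suffix appended to every word before hashing.
function build_table(array $words, string $suffix = ''): array
{
    $table = [];
    foreach ($words as $w) {
        $table[md5($w . $suffix)] = $w;
    }
    return $table;
}

// 1. Unsalted md5, as in the opening post: one table cracks every site.
$table = build_table($wordlist);
foreach (['e358efa489f58062f10dd7316b65649e',   // the three digests quoted in the thread
          '900150983cd24fb0d6963f7d28e17f72',
          '1f3870be274f6c49b3e31a0c6728957f'] as $h) {
    printf("%s -> %s\n", $h, $table[$h] ?? '(not in list)');
}

// 2. Fixed suffix (md5($pass . "string")): once the attacker learns the
//    suffix from the source code or from one cracked account, one rebuilt
//    table cracks every user of that site just as fast as before.
$site_suffix = 'string';
$stored_fixed = md5('apple' . $site_suffix);
$table_fixed = build_table($wordlist, $site_suffix);
printf("fixed suffix: %s\n", $table_fixed[$stored_fixed] ?? '(not in list)');

// 3. Per-user random salt stored next to the hash: no table can be
//    precomputed, and the attacker must redo the dictionary per user.
function salted_store(string $password): string
{
    $salt = bin2hex(random_bytes(8));   // 16 hex chars, fresh for every user
    return $salt . ':' . md5($salt . $password);
}

function salted_check(string $password, string $stored): bool
{
    [$salt, $hash] = explode(':', $stored, 2);
    return hash_equals($hash, md5($salt . $password));
}

function crack_salted(array $words, string $stored): ?string
{
    $tries = 0;
    foreach ($words as $w) {
        $tries++;
        if (salted_check($w, $stored)) {
            return "$w after $tries md5 calls spent on this one user";
        }
    }
    return null;
}

$alice = salted_store('apple');
$bob   = salted_store('apple');   // same password, different stored value
printf("alice: %s\nbob:   %s\n", $alice, $bob);
printf("cracked alice: %s\n", crack_salted($wordlist, $alice) ?? 'no');

// A salt only removes the precomputation shortcut; md5 itself is fast
// enough that a short word still falls to per-user brute force. That is
// why a deliberately slow function such as password_hash() is the real fix.
```

The first loop prints t, abc and apple for the three digests quoted in the thread; the fixed-suffix lookup prints apple as well, and alice's salted record is still cracked by walking the list because "apple" is in it, only now at the cost of one md5 call per word per user rather than one table lookup.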

Using just simple md5() isn't very safe these days; that's why it's much better to use a random seed and generate random strings with md5 or something, which will always look the same. For example, I have a function like this somewhere in my scripts, which is a much better way to check the password and encrypt it; normally there is no way to decrypt it unless you're a tough hacker or something..

It's really quite a complex thing, but when you understand what it does you think, wow, this is simple and brilliant :)

function pw_hash($pass) {
    /** PW HASH() Notice! **/
    // * $pass check isn't required, this
    // * function should only be called from:
    // * pw_encode(); && pw_check();
    // Split password for every letter
    $pass = str_split($pass);
    $salt = '';
    // Hash every letter of the password
    foreach ($pass as $letter) {
        $salt .= bin2hex(md5($letter, true)); # for PHP4 -> md5($letter);
    }
    // Return the Hash of the word
    return bin2hex(md5($salt, true)); # for PHP4 -> md5($salt);
}

function pw_encode($pass) {
    // Check Input
    if (is_string($pass) && !empty($pass)) {
        // Hash the password for every letter
        $pass = pw_hash($pass);
        $seed = '';
        // Make a Random Seed (8 hex characters)
        for ($i = 0; $i < 8; $i++) {
            $seed .= substr('0123456789abcdef', mt_rand(0, 15), 1);
        }
        // Stored value: 32 hex chars of hash followed by the 8-char seed
        return bin2hex(md5($seed . $pass, true)) . $seed; // for PHP4 -> md5($seed.$pass).$seed;
    } else {
        user_error('pw_encode() The input should be non empty string', E_USER_WARNING);
        return false;
    }
}

function pw_check($pass, $value) {
    // Check Input
    if (is_string($pass) && is_string($value) && !empty($pass) && !empty($value)) {
        // Hash the password for every letter
        $pass = pw_hash($pass);
        // Get the Seed (the 8 characters after the 32-char hash)
        $seed = substr($value, 32, 8);
        // Check the Passwords (strict comparison)
        if ((bin2hex(md5($seed . $pass, true)) . $seed) === $value) { # for PHP4 -> md5($seed.$pass).$seed == $value
            return true;
        } else {
            return false;
        }
    } else {
        user_error('pw_check() The both input values should be non empty strings', E_USER_WARNING);
        return false;
    }
}

To tell it shortly, it hashes every word and letter and hashes all those hashes into one string. I use a slightly different technique on my CMS, so I won't tell it publicly, because you can change something a little by changing some numbers and you'll get quite different results. Those who know PHP will know what it does; there are even some comments to understand its functionality..

To use them, you can do just as in the top post, by using an if statement and calling the functions like this:

if (pw_check($_POST['password'], $db_password) && $_POST['username'] == $db_username) {
    // .. do something here ..
} else {
    echo "wrong password or username in the login form or something like that";
}

If you want to encrypt the password or store it in the database, you can just do it by using the other function:

$string = $_POST['password'];
$encoded_string = pw_encode($string);

You'll see that every time you get a quite different random hashed string, but the meaning is the same: when you check it with the check function, it returns true every time if the words meant the same..

To continue: why using only md5() isn't safe. Because there is software for hackers which has the most popular dictionaries hashed with md5(), for all the words in different languages and the most popular symbols and numbers with letters, and they take up several GB or a TB, and they use it to check in a loop. Of course, to prevent that you can just do a check by logging how many times he tries to log in, or only let your PHP script log everyone in within a timestamp of half a second, or do a sleep function for everyone for a second; there are many ways you can avoid this, even if the hacker has a lot of IPs to use.. :P


That's exactly why your passwords should be more complex and not as simple as 't' ...Find these ones for me will you:
9571f61c4138bb26c46baceda4b750c8
f2de268dc779a73c6de9e25d61a4da1f
f8b3685e8f0ca7ef4c00d599866d65dc
18191ad14376f315b9403a108dd745d4

Nonetheless, using md5 still isn't a great course of action. md5 has already been cracked, so really, does anyone want to take the chance with important data? I think quatrux's method with a salt is very useful; it makes it quite difficult for crackers to obtain the actual password. On another note, PHP also has many other functions for encryption besides md5 (unfortunately, these are only available in PHP 5.1.2 and above... sad). With 5.1.2, there's a function called hash:

string hash ( string $algo , string $data [, bool $raw_output ] )

The $algo can be any from a long list of hash functions, including but not limited to 'sha256' (which I think is the new government standard after sha1 was kicked out of use due to it being cracked), ripemd160, whirlpool etc. PHP also provides a full list of its supported hash functions with the function hash_algos (http://us2.php.net/manual/en/function.hash-algos.php). The list looks something like this:

Array(
[0]=> md4
[1] => md5
[2] => sha1
[3] => sha256
[4] => sha384
[5] => sha512
[6] => ripemd128
[7] => ripemd160
[8] => whirlpool
[9] => tiger128,3
[10] => tiger160,3
[11] => tiger192,3
[12] => tiger128,4
[13] => tiger160,4
[14] => tiger192,4
[15] => snefru
[16] => gost
[17] => adler32
[18] => crc32
[19] => crc32b
[20] => haval128,3
[21] => haval160,3
[22] => haval192,3
[23] => haval224,3
[24] => haval256,3
[25] => haval128,4
[26] => haval160,4
[27] => haval192,4
[28] => haval224,4
[29] => haval256,4
[30] => haval128,5
[31] => haval160,5
[32] => haval192,5
[33] => haval224,5
[34] => haval256,5
)


So, yes, with PHP 5, there are quite a variety of hash functions to choose from, including extremely secure (currently un-cracked) ones. However, if you're stuck with PHP 4, there's always the sha1 function, which is still quite a ways better than md5 for mid-level security things.

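An added example, not part of the post above or of the PHP manual page it links: hash_pbkdf2() (PHP 5.5+, written here with PHP 7.1 syntax) puts a per-user salt and an iteration count around one of the algorithms hash_algos() lists, and the block measures that against a bare hash('sha256', ...) swap so the difference in attacker cost is visible. The timings depend on the machine that runs it, and the 600000 iteration count is an assumption to be tuned locally.

```php
<?php
// Added example, not from the post above. The post's point is that hash()
// offers stronger digests than md5(); this shows that switching the
// algorithm alone changes little for passwords, and what hash() needs
// around it: a per-user salt and many iterations. hash_pbkdf2() (PHP >= 5.5)
// wraps exactly that around any algorithm hash_algos() lists.

const PBKDF2_ALGO = 'sha256';
const PBKDF2_ITERATIONS = 600000;   // assumption: tune so one verify takes ~0.1-0.3 s on your server

function pbkdf2_store(string $password, int $iterations = PBKDF2_ITERATIONS): string
{
    $salt = random_bytes(16);
    $key  = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, 32, true);
    // Self-describing record: algo$iterations$salt$hash, everything needed to verify later.
    return sprintf('%s$%d$%s$%s', PBKDF2_ALGO, $iterations,
        base64_encode($salt), base64_encode($key));
}

function pbkdf2_check(string $password, string $stored): bool
{
    [$algo, $iterations, $salt_b64, $key_b64] = explode('$', $stored, 4);
    $salt     = base64_decode($salt_b64, true);
    $expected = base64_decode($key_b64, true);
    if ($salt === false || $expected === false) {
        return false;   // malformed record, never treat as a match
    }
    $actual = hash_pbkdf2($algo, $password, $salt, (int) $iterations, strlen($expected), true);
    return hash_equals($expected, $actual);   // constant-time comparison
}

// Fast digest, as a plain hash() swap would give: one sha256 call per guess.
$t0 = microtime(true);
for ($i = 0; $i < 100000; $i++) {
    hash('sha256', 'guess' . $i);
}
$fast = microtime(true) - $t0;

// Iterated form: one verification costs PBKDF2_ITERATIONS HMAC-sha256 calls.
$record = pbkdf2_store('apple');
$t0 = microtime(true);
$ok = pbkdf2_check('apple', $record);
$slow = microtime(true) - $t0;

printf("stored: %s\n", $record);
printf("verify correct password: %s\n", $ok ? 'yes' : 'no');
printf("verify wrong password:   %s\n", pbkdf2_check('apples', $record) ? 'yes' : 'no');
printf("100000 plain sha256 guesses: %.3f s; one PBKDF2 verify: %.3f s\n", $fast, $slow);

// An attacker testing a dictionary now pays the full iteration count per
// guess per user, where a bare hash('sha256', $pass) cost a single call.
```

The record format stores the algorithm and iteration count alongside the salt, so the count can be raised later for new passwords while old records still verify; the same idea is what password_hash() does for you with bcrypt.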

How can we fetch the encrypted password in decrypted form in PHP/MySQL?

Encrypting Data

I have inserted a password into the MySQL database in encrypted form using md5, but if the user forgets his password, how can we fetch the encrypted password in decrypted form (the original password)?

-question by sharat khajuria


Note to people who will use my method to encode/encrypt the password: it seems really a great method and it seems really hard to obtain the actual password, but one day I woke up and understood one bad thing about it:

Because the password is always random and all those random passwords can evaluate to true if a check is being made, there is a much bigger chance that the cracker will guess the password by using random letters and numbers and symbols. This is really quite a big flaw; I will need to rethink how it works and I will need to make it create one unique encrypted password to use..

The only thing now I can say about this function is that if you want to hide the word, it will be hard to get it back for a cracker if he does not have the encryption function and could not be guessing.. heh! I'm really disappointed, but when you think about it, it still is a quite good way to store your passwords, just that it could be even better if I make it create only one unique string..

[EDIT] I think I was wrong: there's only one possibility to evaluate to true, only if the password is good, because it doesn't matter about the seed; you still check the password with pw_check(); and it only evaluates to true from writing the real password.

Edited by Quatrux


I have inserted a password into the MySQL database in encrypted form using md5, but if the user forgets his password, how can we fetch the encrypted password in decrypted form (the original password)?
-question by sharat khajuria

This cannot be done. MD5 is a one-way encryption algorithm, which means you can only encrypt, not decrypt. After all, this is what makes it secure. When a user forgets his/her password, there is no way to recover it; you can only generate a new password and send it to their e-mail address.

I always encrypt the password with an extra string, e.g.:

$pass = $_POST['t_password'];
$en_pass = md5($pass . "string");

It's always a good thing to add more characters to the password, even better if they are random :mellow:

