View Full Version : Encryption of password in database



rhodarose
05-06-2011, 04:02 AM
Good day!

I created a simple login form. What I want to know is how I can encrypt the password that is already in the database. Because I have no register form, only a login form, the username and password are already in the database. My problem is how I can encrypt my password. When I researched encryption of passwords, they used md5, but when I tried it, it did not encrypt my password and I got an error. Also, when I input my password in the textbox, for example if my password is "qwerty", it shows qwerty when I type it in the password textbox; what I want to happen is for it to show like a bullet.

here is my login code:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="username">Username:&nbsp;</label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password:&nbsp;</label>
<input type="text" name="password" id="password" />
</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" name="submit" id="submit" value="Submit" />
</p>

<?php
include 'connection.php';

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=$_POST['password'];


$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);


/*$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);*/
//$password = md5($password);

$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}
?>
</form>
</body>
</html>



Thank you

djr33
05-06-2011, 04:25 AM
You want to store the password in a hashed format. This is NOT encryption, but it is secure. md5 is a slightly older algorithm, so using a newer one like sha1 might be a little better for security. These hashing algorithms are not reversible, but because md5 is so popular there are some databases of pairs of original and hashed strings.

The way that hashing works is simple: it is a one way algorithm that cannot be reversed. You can NEVER determine the password from the hash string. Instead, you try to convert the submitted password to a hash string and then compare it to the stored hash string.

Let's simplify things with a quick example:
password = 'password'
hash = '1234567890abcdef' [example]

Now, you will ONLY store that hashed value. Do not store the password.
When a user submits a password to login, you will convert that input to see if it is a match:
if ($stored == hash($submitted)) { ... }

For example, hash('password') will return the same value as the stored value, so that means that the correct password was entered. But hash('another') will give a different value, so it means that the input was not the correct password.


Note: the algorithm is only one way, so if your users ever forget the password there is no way to retrieve it except to change the password to something new.


The relevant PHP functions are md5() and sha1(). There are others.



To update your current system you will do the following:
1. Convert all stored passwords to hashes. Do this by updating every row and setting the password to sha1(password). This must be done in PHP, not in MySQL, so you will need to do it as 3 steps: 1. select/retrieve the value; 2. convert to sha1; 3. update the stored value with the new hashed value.
2. Replace $password=$_POST['password']; with: $password=sha1($_POST['password']);

Be careful! Make a backup of your database before you convert with step (1). If you make a mistake, all of the user accounts will not work, and never work again. So having a backup that you can use is important!

Note: mysql_real_escape_string() should always be used immediately before a database query or it might change the data unexpectedly. It should be run AFTER the sha1 or md5 conversion. (Technically because these functions output 16bit hexadecimal strings they will never cause any injection problems, but running it won't hurt either; but running it first, before md5() or sha1() might actually cause problems.)
Note 2: You should check to be sure these fields are actually submitted. Just because 'submit' was submitted does NOT mean that 'username' and 'password' both were submitted. It is very likely that will be true, but it is possible to (at least by tricking the system) submit without those values, and if that happens then an error will be shown.

midhul
05-06-2011, 04:33 AM
You can use the password input type to get your password strings.



<input type="password">


You can get the string in the same way as for any other text box.
In password boxes, the text will not appear while typing.




If you only have a login form, and only want to encrypt the already present password in the db, simply use a MySQL UPDATE query.

ex: $hashed_pass = md5($password);
mysql_query("UPDATE userdata SET password = '$hashed_pass' WHERE username = '$username'");

traq
05-06-2011, 04:47 AM
Originally Posted by midhul
<input type="password">

You can get the string in the same way as for any other text box.
In password boxes, the text will not appear while typing.


Be aware that <input type="password"> -while not displaying typed characters on the screen- does not actually encrypt anything.

It is useful to prevent "shoulder-surfing" attacks (where a co-worker, etc. glances at your screen to try to steal your password), but the password is stored and sent across the internet as plain text. No encryption at all.

So, using type="password" will show bullets in the input (instead of the typed characters), but it's Daniel's suggestion you need to be following to actually keep the user's password safe. If it's a serious issue, you might also consider using https.

rhodarose
05-06-2011, 04:48 AM
I tried this code:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="username">Username:&nbsp;</label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password:&nbsp;</label>
<input type="password" name="password" id="password" />
</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" name="submit" id="submit" value="Submit" />
</p>

<?php
include 'connection.php';

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=$_POST['password'];
$password = md5($password);

$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

/*$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);*/
//$password = md5($password);

$sql="UPDATE tbllogin SET password = '$password' WHERE username = $username";
$result=mysql_query($sql);
//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = $username");
//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";
//$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}
?>
</form>
</body>
</html>


But I got a warning:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\machine_1\index.php on line 45
Wrong Username or Password


Thank you

rhodarose
05-06-2011, 04:53 AM
I'm not familiar with sha1...

When I tried to use md5, the password was not read, so the condition falls to the else statement.

Here is my code with md5:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="username">Username:&nbsp;</label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password:&nbsp;</label>
<input type="password" name="password" id="password" />
</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" name="submit" id="submit" value="Submit" />
</p>

<?php
include 'connection.php';

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=$_POST['password'];
$password = md5($password);

$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

/*$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);*/
//$password = md5($password);

//$sql="UPDATE tbllogin SET password = '$password' WHERE username = $username";
//$result=mysql_query($sql);
//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = $username");
$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}
?>
</form>
</body>
</html>

midhul
05-06-2011, 05:34 AM
Okay, let's keep this simple.
First, you want to UPDATE all the passwords in your table into md5 hashes.
For this you don't need to bring anything into your webpage, and hence instead of creating a php script, and sending queries :

Simply, get into your db, and run the following SQL:




UPDATE tbllogin SET password = MD5(password)



That will automatically hash all the fields in the password column.
So your update job is done now.

Now as djr33 mentioned above, you will need to make a change in your normal login script.

Simply, in the normal login code, where you check if the password is right,



$hashed_pass = md5($password);
$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";

rhodarose
05-06-2011, 05:45 AM
Originally Posted by midhul
Okay, let's keep this simple.
First, you want to UPDATE all the passwords in your table into md5 hashes.
For this you don't need to bring anything into your webpage, and hence instead of creating a php script, and sending queries :

Simply, get into your db, and run the following SQL:

UPDATE tbllogin SET password = MD5(password)

That will automatically hash all the fields in the password column.
So your update job is done now.

Now as djr33 mentioned above, you will need to make a change in your normal login script.

Simply, in the normal login code, where you check if the password is right,

$hashed_pass = md5($password);
$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";




I checked my database and I see that my password is already encrypted.

My problem now is that even when my password and username are correct, I fall into wrong username and password.

Kindly check my code: what is wrong? What is not needed?



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="username">Username:&nbsp;</label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password:&nbsp;</label>
<input type="password" name="password" id="password" />
</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" name="submit" id="submit" value="Submit" />
</p>

<?php
include 'connection.php';

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=md5($_POST['password']);

//$password = '051090';

//$password = md5($password);

$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
//$password = mysql_real_escape_string(sha1($password));

/*$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);*/
//$password = md5($password);


//$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

//$sql="UPDATE tbllogin SET password = '$password' WHERE username = $username";
//$result=mysql_query($sql);
mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'";
//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}
?>
</form>
</body>
</html>

rhodarose
05-06-2011, 05:56 AM
I changed my table in my database and now the password is not encrypted.

Here is my code:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="username">Username:&nbsp;</label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password:&nbsp;</label>
<input type="password" name="password" id="password" />
</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" name="submit" id="submit" value="Submit" />
</p>

<?php
include 'connection.php';

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=($_POST['password']);



$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
//$password = mysql_real_escape_string(sha1($password));



//$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

$sql="UPDATE tbllogin SET password = MD5('password') WHERE username = '$username'";
//$result=mysql_query($sql);
//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

//$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'";
//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

$hashed_pass = md5($password);
$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}
?>
</form>
</body>
</html>


Kindly check my SQL syntax.
Thank you

rhodarose
05-06-2011, 06:19 AM
I tried this simple code for encryption of password:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="username">Username:&nbsp;</label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password:&nbsp;</label>
<input type="password" name="password" id="password" />
</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" name="submit" id="submit" value="Submit" />
</p>

<?php
include 'connection.php';

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=md5($_POST['password']);



$username = mysql_real_escape_string($username);

$password = mysql_real_escape_string($password);
//$password = mysql_real_escape_string(sha1($password));



//$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

//$sql="UPDATE tbllogin SET password = MD5('password') WHERE username = '$username'";
//$result=mysql_query($sql);
//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

//$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'";
$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

//$hashed_pass = md5($password);
//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}
?>
</form>
</body>
</html>


But the result is wrong username or password, and also the password in the database was not encrypted.

I really need to solve it now...

Thank you so much

rhodarose
05-06-2011, 06:42 AM
When I tried this code:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="username">Username:&nbsp;</label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password:&nbsp;</label>
<input type="password" name="password" id="password" />
</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" name="submit" id="submit" value="Submit" />
</p>

<?php
include 'connection.php';

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=$_POST['password'];


// encrypt password
$encrypted_mypassword=md5($password);

$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}


//$username = mysql_real_escape_string($username);

//$password = mysql_real_escape_string($password);
//$password = mysql_real_escape_string(sha1($password));



//$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

//$sql="UPDATE tbllogin SET password = MD5('password') WHERE username = '$username'";
//$result=mysql_query($sql);
//mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

//$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'";
//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

//$hashed_pass = md5($password);
//$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";
//$result=mysql_query($sql);


?>
</form>
</body>
</html>


When I run my login, the wrong username or password message is displayed even though I am inputting anything in username and password, and also when I input username and password it is still wrong username or password.
:crying:

I really don't know how I can fix my problem in encrypting the password and logging in successfully.

Thank you for your help

djr33
05-06-2011, 07:23 AM
Please have some patience. There is no reason to post 3 times in a row while waiting for a reply. Additionally, while it is helpful to have the code, please realize that reading through that much code takes a lot of time for us. If you want someone to design your website for you, then post in the paid work section. If not, do your best to make our work easier in helping you by limiting the size of what you post.

There are two kinds of questions: 1) system-based questions, about how to organize everything or approach a problem; and 2) detail questions about actual (small) pieces of code.

You must understand the system as in (1) before you can start in (2). This will also make it easier for us to help you.


As I explained in my first post:

To update your current system you will do the following:
1. Convert all stored passwords to hashes. Do this by updating every row and setting the password to sha1(password). This must be done in PHP, not in MySQL, so you will need to do it as 3 steps: 1. select/retrieve the value; 2. convert to sha1; 3. update the stored value with the new hashed value.
2. Replace $password=$_POST['password']; with: $password=sha1($_POST['password']);

Be careful! Make a backup of your database before you convert with step (1).


All of the information you need is there (and a bit more in that earlier post). Take the time to read it a few times and understand everything. It may be difficult, but when we take the time to explain something, please try to understand all of it because it is important information for your problem. AFTER you understand all of that, you should try to fix the problem, and once you have details that need to be fixed, please post about those specifically. This means asking detailed questions like "How do I get the md5 value" or "How do I update the database", not "Here is my code, how do I fix it?".
(Of course it is always helpful to have some code that is directly relevant to the questions.)



You asked earlier about sha1 vs. md5. They are almost exactly the same. They are just different algorithms. (Also, md5 is 32 characters long, and sha1 is 40.) sha1 is a little more secure, but you can use either one. They work the same way.

midhul
05-06-2011, 07:43 AM
Originally Posted by djr33
To update your current system you will do the following:
1. Convert all stored passwords to hashes. Do this by updating every row and setting the password to sha1(password). This must be done in PHP, not in MySQL,


May I know the reason for this? As I said in my previous post, I thought it was better to update through a query in MySQL directly, because we're doing it only once. If it's done via PHP, if executed more than once, it can cause blunders.

I'm not very experienced in this area, so I'd like to know, if there is any advantage of doing it in PHP

traq
05-06-2011, 03:52 PM
Originally Posted by midhul
May I know the reason for this? As I said in my previous post, I thought it was better to update through a query in MySQL directly, because we're doing it only once. If it's done via PHP, if executed more than once, it can cause blunders.

I'm not very experienced in this area, so I'd like to know, if there is any advantage of doing it in PHP

It should work either way.

Regardless of the method, I think the two parts that really need to be emphasized are:


Originally Posted by midhul
if executed more than once, it can cause blunders

Originally Posted by djr33
Be careful! Make a backup of your database before you convert with step (1).

rhodarose, I'd suggest trying this with a new, "test" script, on a new database table created just for this experiment. Once you get it working, you'll better understand what's going on and then you can look at how to integrate it with your full system.

djr33
05-06-2011, 05:02 PM
Midhul, you're right. I didn't realize that MySQL had an MD5() function. It appears that this will work very well. It's also easier. Thanks for pointing that out.
There is also a MySQL SHA1() function.


The only advantage of doing this in PHP would be to make sure that everything is consistent. However, since MD5 and SHA1 are standard algorithms, I expect that they will return exactly the same results in both languages-- a quick test of this might be good, but if they work this way then there's no disadvantage.


In conclusion, the method in your first post is the simplest way to do this. (There are a lot of posts in this thread to keep track of, so I'm sorry I didn't notice that earlier.)

rhodarose
05-09-2011, 03:44 AM
Thank you so much for your help.

I used this code and it works:


<?php
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<style type="text/css">
#form1 h2 strong {
color: #06F;
font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
}
#form1 p label {
color: #009;
}
</style>
</head>

<body onload="document.form1.username.focus()">
<form id="form1" name="form1" method="post" action="">
<h2><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LOGIN FORM</strong></h2>
<p>
<label for="username">Username:&nbsp;</label>
<input type="text" name="username" id="username" />
</p>
<p>
<label for="password">Password:&nbsp;</label>
<input type="password" name="password" id="password" />
</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" name="submit" id="submit" value="Sign In" />
</p>

<?php


if (isset($_SESSION['logged_in'])) {
header('Location:machine1.php');
die();
}


include 'connection.php';

/*if($numofrows==1){

session_register("username");
header("location:machine1.php");

}*/

if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=$_POST['password'];


$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string(sha1($password));


mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";


$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
$_SESSION['logged_in'] = true;
header("location:machine1.php");
}
else {
echo "Wrong Username or Password";
}
}

?>
</form>
</body>
</html>

traq
05-09-2011, 05:07 AM
Originally Posted by rhodarose
$password = mysql_real_escape_string(sha1($password));

Just FYI, this is one instance where you don't really need to escape your data. sha1() (and md5(), too) produces a hash that is represented by only alphanumeric characters.

Using mysql_real_escape_string() won't hurt anything, of course, but in this case there will never be anything to escape, and it will return the same string you give it (at the cost of a few processing cycles).

midhul
05-09-2011, 05:32 AM
From what I can see, I guess you're going to use this script to check login, every time a user logs in.

So if a user logs in twice, your script will hash repeatedly, meaning it will hash the already hashed password -> BLUNDER!

Your db fields must be updated only once, so that all the passwords are hashed. Once you update, they stay like that until you update again, so I don't get the point of running update every time users log in.

djr33
05-09-2011, 05:57 AM
This also isn't secure: any submitted password will work and be saved as the new password.

As Midhul says, you need to update everything one time-- when YOU load the page. Then disable that page (or even delete it), and after that let the users log in and convert using sha1() or md5() and ONLY check if it matches the already stored password.
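
The procedure the thread converges on (convert the stored passwords once, then have the login page only compare), as an added example that is not code from any poster. It goes beyond the thread: PHP's salted password_hash()/password_verify() replace the unsalted md5()/sha1(), and PDO prepared statements replace the mysql_* functions, which PHP 7 removed; the in-memory SQLite table and the sample rows are constructed stand-ins for tbllogin.

```php
<?php
// Added example, not code from the thread. Assumptions: PHP 7+ with PDO and the
// pdo_sqlite driver; an in-memory SQLite table stands in for the MySQL tbllogin.
// In MySQL the password column must be wide enough for the hash, e.g. VARCHAR(255).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbllogin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
// Constructed sample rows holding plain-text passwords, as in the original table.
$db->exec("INSERT INTO tbllogin VALUES ('alice', 'qwerty'), ('bob', '051090')");

// One-time migration: run by the administrator, never from the login page.
// Rows that already hold a password_hash() value are skipped, so running it
// a second time does not hash the hashes.
function migrate_passwords(PDO $db): int
{
    $rows = $db->query('SELECT username, password FROM tbllogin')->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE tbllogin SET password = :hash WHERE username = :user');
    $converted = 0;
    $db->beginTransaction();
    foreach ($rows as $row) {
        // 'algo' is empty (null or 0, depending on PHP version) for a non-hash string.
        if (!empty(password_get_info($row['password'])['algo'])) {
            continue;
        }
        $update->execute([
            ':hash' => password_hash($row['password'], PASSWORD_DEFAULT),
            ':user' => $row['username'],
        ]);
        $converted++;
    }
    $db->commit();
    return $converted;
}

// Login check: read-only. It fetches the stored hash for the user name and
// compares; it never writes the submitted password back to the table.
function check_login(PDO $db, array $post): bool
{
    // Both fields must be present and be strings (Note 2 in djr33's first reply).
    if (!isset($post['username'], $post['password'])
        || !is_string($post['username']) || !is_string($post['password'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT password FROM tbllogin WHERE username = :user');
    $stmt->execute([':user' => $post['username']]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    return password_verify($post['password'], $stored);
}

echo 'first migration run converted:  ', migrate_passwords($db), PHP_EOL;
echo 'second migration run converted: ', migrate_passwords($db), PHP_EOL;
var_dump(check_login($db, ['username' => 'alice', 'password' => 'qwerty']));
var_dump(check_login($db, ['username' => 'alice', 'password' => 'anything']));
var_dump(check_login($db, ['username' => 'alice']));
```

Because check_login() issues no UPDATE, a wrong password cannot overwrite the stored one, which is the flaw djr33 points out in the final script above.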