
Thread: Encryption of password in database

  1. #1
    Join Date
    Jul 2010
    Posts
    228
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Default Encryption of password in database

    Good day!

    I created a simple login form. What I want to know is how I can encrypt the password that is already in the database. I have no register form, only a login form, so the username and password are already in the database. My problem is how I can encrypt my password. When I researched password encryption, people used md5, but when I tried it, it did not encrypt my password and I got an error. Also, when I type my password in the password textbox, for example "qwerty", it shows qwerty; what I want is for it to show bullets.

    here is my login code:
    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>

    <body>
    <form id="form1" name="form1" method="post" action="">
      <p>
        <label for="username">Username:&nbsp;</label>
        <input type="text" name="username" id="username" />
      </p>
      <p>
        <label for="password">Password:&nbsp;</label>
        <input type="text" name="password" id="password" />
      </p>
      <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <input type="submit" name="submit" id="submit" value="Submit" />
      </p>
      
    <?php
    include 'connection.php';

     if (isset($_POST['submit'])) {
    $username=$_POST['username'];
    $password=$_POST['password'];


    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);


    /*$username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);*/
    //$password = md5($password);

    $sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";
    $result=mysql_query($sql);

    $count=mysql_num_rows($result);

    if($count==1){
    header("location:machine1.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    }
    ?>
    </form>
    </body>
    </html>

    Thank you

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    You want to store the password in a hashed format. This is NOT encryption, but it is secure. md5 is a slightly older algorithm, so using a newer one like sha1 might be a little better for security. These hashing algorithms are not reversible, but because md5 is so popular there are some databases of pairs of original and hashed strings.

    The way that hashing works is simple: it is a one way algorithm that cannot be reversed. You can NEVER determine the password from the hash string. Instead, you try to convert the submitted password to a hash string and then compare it to the stored hash string.

    Let's simplify things with a quick example:
    password = 'password'
    hash = '1234567890abcdef' [example]

    Now, you will ONLY store that hashed value. Do not store the password.
    When a user submits a password to login, you will convert that input to see if it is a match:
    if ($stored = hash($submitted) ) { ... }

    For example, hash('password') will return the same value as the stored value, so that means that the correct password was entered. But hash('another') will give a different value, so it means that the input was not the correct password.


    Note: the algorithm is only one way, so if your users ever forget the password there is no way to retrieve it except to change the password to something new.


    The relevant PHP functions are md5() and sha1(). There are others.



    To update your current system you will do the following:
    1. Convert all stored passwords to hashes. Do this by updating every row and setting the password to sha1(password). This must be done in PHP, not in MySQL, so you will need to do it as 3 steps: 1. select/retrieve the value; 2. convert to sha1; 3. update the stored value with the new hashed value.
    2. Replace $password=$_POST['password']; with: $password=sha1($_POST['password']);

    Be careful! Make a backup of your database before you convert with step (1). If you make a mistake, all of the user accounts will not work, and never work again. So having a backup that you can use is important!

    Note: mysql_real_escape_string() should always be used immediately before a database query or it might change the data unexpectedly. It should be run AFTER the sha1 or md5 conversion. (Technically because these functions output 16bit hexadecimal strings they will never cause any injection problems, but running it won't hurt either; but running it first, before md5() or sha1() might actually cause problems.)
    Note 2: You should check to be sure these fields are actually submitted. Just because 'submit' was submitted does NOT mean that 'username' and 'password' both were submitted. It is very likely that will be true, but it is possible to (at least by tricking the system) submit without those values, and if that happens then an error will be shown.
    Last edited by djr33; 05-06-2011 at 07:24 AM.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
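
The convert-then-compare procedure from post #2, as an added example that is not part of the thread or any poster's code. It swaps in PHP's `password_hash()`/`password_verify()` for the `md5()`/`sha1()` calls discussed, and PDO prepared statements for `mysql_real_escape_string()` (the `mysql_*` extension was removed in PHP 7). The in-memory SQLite database, the sample rows and the function names `migrate_plaintext` and `check_login` are constructed for illustration.

```php
<?php
// Constructed sample data: an in-memory table shaped like the thread's tbllogin.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbllogin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->exec("INSERT INTO tbllogin VALUES ('alice', 'qwerty'), ('bob', 'o''brien')");

// Step 1 of the post: select each stored value, hash it in PHP, write it back.
// Hypothetical helper; returns the number of rows converted.
function migrate_plaintext(PDO $db): int
{
    $rows   = $db->query('SELECT username, password FROM tbllogin')->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE tbllogin SET password = :hash WHERE username = :user');
    $done   = 0;
    $db->beginTransaction();
    foreach ($rows as $row) {
        // Skip values that are already password_hash() output, so running the
        // migration twice does not hash a hash and lock every account out.
        if (password_get_info($row['password'])['algoName'] !== 'unknown') {
            continue;
        }
        $update->execute([
            ':hash' => password_hash($row['password'], PASSWORD_DEFAULT),
            ':user' => $row['username'],
        ]);
        $done++;
    }
    $db->commit();
    return $done;
}

// Step 2 of the post: hash the submitted value and compare it to the stored one.
// Hypothetical helper; $post stands in for $_POST.
function check_login(PDO $db, array $post): bool
{
    // Note 2 of the post: 'submit' being present does not prove the other
    // fields are, and an array value would break string handling.
    if (!isset($post['username'], $post['password'])
        || !is_string($post['username']) || !is_string($post['password'])) {
        return false;
    }
    // Only the username goes into the query, as a bound parameter.
    $stmt = $db->prepare('SELECT password FROM tbllogin WHERE username = :user');
    $stmt->execute([':user' => $post['username']]);
    $stored = $stmt->fetchColumn();
    // The salted hash is compared in PHP, never inside the SQL string.
    return $stored !== false && password_verify($post['password'], $stored);
}

var_dump(migrate_plaintext($db));  // first run converts the plaintext rows
var_dump(migrate_plaintext($db));  // second run finds nothing left to convert
var_dump(check_login($db, ['username' => 'alice', 'password' => 'qwerty']));
var_dump(check_login($db, ['username' => 'alice', 'password' => 'another']));
var_dump(check_login($db, ['username' => 'bob', 'password' => "o'brien"]));
var_dump(check_login($db, ['submit' => 'Submit']));
```

Because `password_hash()` salts each value, two users with the same password get different stored strings, which is why the comparison has to go through `password_verify()` rather than a `WHERE password = ...` clause.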

  3. #3
    Join Date
    Feb 2008
    Posts
    81
    Thanks
    8
    Thanked 5 Times in 5 Posts

    Default

    You can use the password input type to get your password strings.

    Code:
    <input type="password">
    you can get the string, in the same way as for any other text box.
    in password boxes, the text will not appear while typing.




    If you only have a login form, and only want to encrypt the already present password in the db, simply use mysql UPDATE query.

    ex: $hashed_pass = md5($password);
    Mysql_query("UPDATE userdata SET password = '$hashed_pass' WHERE username = $username");

  4. #4
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    Quote Originally Posted by midhul View Post
    Code:
    <input type="password">
    you can get the string, in the same way as for any other text box.
    in password boxes, the text will not appear while typing.
    Be aware that <input type="password"> -while not displaying typed characters on the screen- does not actually encrypt anything.

    It is useful to prevent "shoulder-surfing" attacks (where a co-worker, etc. glances at your screen to try to steal your password), but the password is stored and sent across the internet as plain text. No encryption at all.

    So, using type="password" will show bullets in the input (instead of the typed characters), but it's Daniel's suggestion you need to be following to actually keep the user's password safe. If it's a serious issue, you might also consider using https.

  5. #5
    Join Date
    Jul 2010
    Posts
    228
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Default

    I tried this code:
    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>

    <body>
    <form id="form1" name="form1" method="post" action="">
      <p>
        <label for="username">Username:&nbsp;</label>
        <input type="text" name="username" id="username" />
      </p>
      <p>
        <label for="password">Password:&nbsp;</label>
        <input type="password" name="password" id="password" />
      </p>
      <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <input type="submit" name="submit" id="submit" value="Submit" />
      </p>
      
    <?php
    include 'connection.php';

     if (isset($_POST['submit'])) {
    $username=$_POST['username'];
    $password=$_POST['password'];
    $password = md5($password);

    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);

    /*$username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);*/
    //$password = md5($password);

    $sql="UPDATE tbllogin SET password = '$password' WHERE username = $username";
    $result=mysql_query($sql);
    //mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = $username");
    //$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";
    //$result=mysql_query($sql);

    $count=mysql_num_rows($result);

    if($count==1){
    header("location:machine1.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    }
    ?>
    </form>
    </body>
    </html>
    But I got a warning:
    Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\machine_1\index.php on line 45
    Wrong Username or Password


    Thank you

  6. #6
    Join Date
    Jul 2010
    Posts
    228
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Default

    I'm not familiar with sha1...

    When I tried to use md5, the password was not read, so the condition falls to the else statement.

    Here is my code with md5:
    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>

    <body>
    <form id="form1" name="form1" method="post" action="">
      <p>
        <label for="username">Username:&nbsp;</label>
        <input type="text" name="username" id="username" />
      </p>
      <p>
        <label for="password">Password:&nbsp;</label>
        <input type="password" name="password" id="password" />
      </p>
      <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <input type="submit" name="submit" id="submit" value="Submit" />
      </p>
      
    <?php
    include 'connection.php';

     if (isset($_POST['submit'])) {
    $username=$_POST['username'];
    $password=$_POST['password'];
    $password = md5($password);

    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);

    /*$username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);*/
    //$password = md5($password);

    //$sql="UPDATE tbllogin SET password = '$password' WHERE username = $username";
    //$result=mysql_query($sql);
    //mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = $username");
    $sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";
    $result=mysql_query($sql);

    $count=mysql_num_rows($result);

    if($count==1){
    header("location:machine1.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    }
    ?>
    </form>
    </body>
    </html>

  7. #7
    Join Date
    Feb 2008
    Posts
    81
    Thanks
    8
    Thanked 5 Times in 5 Posts

    Default

    Okay, let's keep this simple.
    First, you want to UPDATE all the passwords in your table into md5 hashes.
    For this you don't need to bring anything into your webpage, and hence instead of creating a php script, and sending queries :

    Simply, get into your db, and run the following SQL:

    Code:
    UPDATE tbllogin SET password = MD5('password')
    That will automatically hash all the fields in the password column.
    So your update job is done now.

    Now as djr33 mentioned above, you will need to make a change in your normal login script.

    Simply, in the normal login code, where you check if the password is right,

    PHP Code:
    $hashed_pass = md5($password);
    $sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";

  8. #8
    Join Date
    Jul 2010
    Posts
    228
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by midhul View Post
    Okay, let's keep this simple.
    First, you want to UPDATE all the passwords in your table into md5 hashes.
    For this you don't need to bring anything into your webpage, and hence instead of creating a php script, and sending queries :

    Simply, get into your db, and run the following SQL:

    Code:
    UPDATE tbllogin SET password = MD5('password')
    That will automatically hash all the fields in the password column.
    So your update job is done now.

    Now as djr33 mentioned above, you will need to make a change in your normal login script.

    Simply, in the normal login code, where you check if the password is right,

    PHP Code:
    $hashed_pass = md5($password);
    $sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";

    I checked my database and I see that my password is already encrypted.

    My problem now is that even when my password and username are correct, I fall into wrong username and password.

    Kindly check my code: what is wrong? What is not needed?

    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>

    <body>
    <form id="form1" name="form1" method="post" action="">
      <p>
        <label for="username">Username:&nbsp;</label>
        <input type="text" name="username" id="username" />
      </p>
      <p>
        <label for="password">Password:&nbsp;</label>
        <input type="password" name="password" id="password" />
      </p>
      <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <input type="submit" name="submit" id="submit" value="Submit" />
      </p>
      
    <?php
    include 'connection.php';

     if (isset($_POST['submit'])) {
    $username=$_POST['username'];
    $password=md5($_POST['password']);

    //$password = '051090';

    //$password = md5($password);

    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    //$password = mysql_real_escape_string(sha1($password)); 

    /*$username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);*/
    //$password = md5($password);


    //$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

    //$sql="UPDATE tbllogin SET password = '$password' WHERE username = $username";
    //$result=mysql_query($sql);
    mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

    $sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'";
    //$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";
    $result=mysql_query($sql);

    $count=mysql_num_rows($result);

    if($count==1){
    header("location:machine1.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    }
    ?>
    </form>
    </body>
    </html>

  9. #9
    Join Date
    Jul 2010
    Posts
    228
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Default

    I changed my table in my database and now the password is not encrypted.

    Here is my code:
    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>

    <body>
    <form id="form1" name="form1" method="post" action="">
      <p>
        <label for="username">Username:&nbsp;</label>
        <input type="text" name="username" id="username" />
      </p>
      <p>
        <label for="password">Password:&nbsp;</label>
        <input type="password" name="password" id="password" />
      </p>
      <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <input type="submit" name="submit" id="submit" value="Submit" />
      </p>
      
    <?php
    include 'connection.php';

     if (isset($_POST['submit'])) {
    $username=$_POST['username'];
    $password=($_POST['password']);



    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    //$password = mysql_real_escape_string(sha1($password)); 



    //$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

    $sql="UPDATE tbllogin SET password = MD5('password') WHERE username = '$username'";
    //$result=mysql_query($sql);
    //mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

    //$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'"; 
    //$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

    $hashed_pass = md5($password);
    $sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";
    $result=mysql_query($sql);

    $count=mysql_num_rows($result);

    if($count==1){
    header("location:machine1.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    }
    ?>
    </form>
    </body>
    </html>
    Kindly check my SQL syntax.
    Thank you

  10. #10
    Join Date
    Jul 2010
    Posts
    228
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Default

    I tried this simple code for encryption of password:
    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>

    <body>
    <form id="form1" name="form1" method="post" action="">
      <p>
        <label for="username">Username:&nbsp;</label>
        <input type="text" name="username" id="username" />
      </p>
      <p>
        <label for="password">Password:&nbsp;</label>
        <input type="password" name="password" id="password" />
      </p>
      <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <input type="submit" name="submit" id="submit" value="Submit" />
      </p>
      
    <?php
    include 'connection.php';

     if (isset($_POST['submit'])) {
    $username=$_POST['username'];
    $password=md5($_POST['password']);



    $username = mysql_real_escape_string($username);

    $password = mysql_real_escape_string($password);
    //$password = mysql_real_escape_string(sha1($password)); 



    //$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

    //$sql="UPDATE tbllogin SET password = MD5('password') WHERE username = '$username'";
    //$result=mysql_query($sql);
    //mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

    //$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'"; 
    $sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

    //$hashed_pass = md5($password); 
    //$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";
    $result=mysql_query($sql);

    $count=mysql_num_rows($result);

    if($count==1){
    header("location:machine1.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    }
    ?>
    </form>
    </body>
    </html>
    But the result is wrong username or password, and also the password in the database was not encrypted.

    I really need to solve it now...

    Thank you so much
