
Thread: Encryption of password in database

  1. #11
    Join Date
    Jul 2010
    Posts
    228
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Default

    When I tried this code:
    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>

    <body>
    <form id="form1" name="form1" method="post" action="">
      <p>
        <label for="username">Username:&nbsp;</label>
        <input type="text" name="username" id="username" />
      </p>
      <p>
        <label for="password">Password:&nbsp;</label>
        <input type="password" name="password" id="password" />
      </p>
      <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <input type="submit" name="submit" id="submit" value="Submit" />
      </p>
      
    <?php
    include 'connection.php';

    if (isset($_POST['submit'])) {
        $username=$_POST['username'];
        $password=$_POST['password'];

        // encrypt password
        $encrypted_mypassword=md5($password);

        $sql="SELECT * FROM tbllogin WHERE username='$username' and password='$encrypted_mypassword'";
        $result=mysql_query($sql);

        $count=mysql_num_rows($result);

        if($count==1){
            header("location:machine1.php");
        }
        else {
            echo "Wrong Username or Password";
        }
    }


    //$username = mysql_real_escape_string($username);

    //$password = mysql_real_escape_string($password);
    //$password = mysql_real_escape_string(sha1($password)); 



    //$sql="UPDATE `tbllogin` SET `password` = SHA1(`password`) WHERE username = $username";

    //$sql="UPDATE tbllogin SET password = MD5('password') WHERE username = '$username'";
    //$result=mysql_query($sql);
    //mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

    //$sql = "SELECT * FROM tbllogin WHERE username='$username' and password='" . md5($password) . "'"; 
    //$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

    //$hashed_pass = md5($password); 
    //$sql="SELECT * FROM tbllogin WHERE username='$username' and password='$hashed_pass'";
    //$result=mysql_query($sql);


    ?>
    </form>
    </body>
    </html>
    When I run my login, the wrong username or password message was displayed even though I am inputting anything in username and password, and also when I input username and password, still wrong username or password.
    :crying:

    I really don't know how can I fix my problem in encrypting password and login successfully.

    Thank you for your help

  2. #12
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Please have some patience. There is no reason to post 3 times in a row while waiting for a reply. Additionally, while it is helpful to have the code, please realize that reading through that much code takes a lot of time for us. If you want someone to design your website for you, then post in the paid work section. If not, do your best to make our work easier in helping you by limiting the size of what you post.

    There are two kinds of questions: 1) system-based questions, about how to organize everything or approach a problem; and 2) detail questions about actual (small) pieces of code.

    You must understand the system as in (1) before you can start in (2). This will also make it easier for us to help you.


    As I explained in my first post:
    Quote Originally Posted by djr33 View Post
    To update your current system you will do the following:
    1. Convert all stored passwords to hashes. Do this by updating every row and setting the password to sha1(password). This must be done in PHP, not in MySQL, so you will need to do it as 3 steps: 1. select/retrieve the value; 2. convert to sha1; 3. update the stored value with the new hashed value.
    2. Replace $password=$_POST['password']; with: $password=sha1($_POST['password']);

    Be careful! Make a backup of your database before you convert with step (1).

    All of the information you need is there (and a bit more in that earlier post). Take the time to read it a few times and understand everything. It may be difficult, but when we take the time to explain something, please try to understand all of it because it is important information for your problem. AFTER you understand all of that, you should try to fix the problem, and once you have details that need to be fixed, please post about those specifically. This means asking detailed questions like "How do I get the md5 value" or "How do I update the database", not "Here is my code, how do I fix it?".
    (Of course it is always helpful to have some code that is directly relevant to the questions.)



    You asked earlier about sha1 vs. md5. They are almost exactly the same. They are just different algorithms. (Also, md5 is 32 characters long, and sha1 is 40.) sha1 is a little more secure, but you can use either one. They work the same way.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #13
    Join Date
    Feb 2008
    Posts
    81
    Thanks
    8
    Thanked 5 Times in 5 Posts

    Default

    Originally Posted by djr33
    To update your current system you will do the following:
    1. Convert all stored passwords to hashes. Do this by updating every row and setting the password to sha1(password). This must be done in PHP, not in MySQL,
    May I know the reason for this? As I said in my previous post, I thought it was better to update through a query in MySQL directly, because we're doing it only once. If it's done via PHP, if executed more than once, it can cause blunders.

    I'm not very experienced in this area, so I'd like to know, if there is any advantage of doing it in PHP

  4. The Following User Says Thank You to midhul For This Useful Post:

    djr33 (05-06-2011)

  5. #14
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    Quote Originally Posted by midhul View Post
    May I know the reason for this? As I said in my previous post, I thought it was better to update through a query in MySQL directly, because we're doing it only once. If it's done via PHP, if executed more than once, it can cause blunders.

    I'm not very experienced in this area, so I'd like to know, if there is any advantage of doing it in PHP
    it should work either way.

    regardless of the method, I think the two parts that really need to be emphasized are:

    Quote Originally Posted by midhul
    if executed more than once, it can cause blunders
    Quote Originally Posted by djr33
    Be careful! Make a backup of your database before you convert with step (1).
    rhodarose, I'd suggest trying this with a new, "test" script, on a new database table created just for this experiment. Once you get it working, you'll better understand what's going on and then you can look at how to integrate it with your full system.
    Last edited by traq; 05-06-2011 at 07:45 PM.

  6. #15
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Midhul, you're right. I didn't realize that MySQL had an MD5() function. It appears that this will work very well. It's also easier. Thanks for pointing that out.
    There is also a MySQL SHA1() function.


    The only advantage of doing this in PHP would be to make sure that everything is consistent. However, since MD5 and SHA1 are standard algorithms, I expect that they will return exactly the same results in both languages-- a quick test of this might be good, but if they work this way then there's no disadvantage.


    In conclusion, the method in your first post is the simplest way to do this. (There are a lot of posts in this thread to keep track of, so I'm sorry I didn't notice that earlier.)
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  7. #16
    Join Date
    Jul 2010
    Posts
    228
    Thanks
    18
    Thanked 0 Times in 0 Posts

    Default

    Thank you so much for your help.

    I used this code and it works:
    PHP Code:
    <?php
    session_start();
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    <style type="text/css">
    #form1 h2 strong {
        color: #06F;
        font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
    }
    #form1 p label {
        color: #009;
    }
    </style>
    </head>

    <body onload="document.form1.username.focus()">
    <form id="form1" name="form1" method="post" action="">
      <h2><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LOGIN FORM</strong></h2>
      <p>
        <label for="username">Username:&nbsp;</label>
        <input type="text" name="username" id="username" />
      </p>
      <p>
        <label for="password">Password:&nbsp;</label>
        <input type="password" name="password" id="password" />
      </p>
      <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        <input type="submit" name="submit" id="submit" value="Sign In" />
      </p>
      
    <?php
    if (isset($_SESSION['logged_in'])) {
        header('Location:machine1.php');
        die();
    }

    include 'connection.php';

    /*if($numofrows==1){

                session_register("username");
                header("location:machine1.php");

            }*/

    if (isset($_POST['submit'])) {
        $username=$_POST['username'];
        $password=$_POST['password'];

        $username = mysql_real_escape_string($username);
        $password = mysql_real_escape_string(sha1($password));

        mysql_query("UPDATE tbllogin SET password = '$password' WHERE username = '$username'");

        $sql="SELECT * FROM tbllogin WHERE username='$username' and password='$password'";

        $result=mysql_query($sql);

        $count=mysql_num_rows($result);

        if($count==1){
            $_SESSION['logged_in'] = true;
            header("location:machine1.php");
        }
        else {
            echo "Wrong Username or Password";
        }
    }

    ?>
    </form>
    </body>
    </html>
    Last edited by rhodarose; 05-09-2011 at 03:55 AM.

  8. #17
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    Quote Originally Posted by rhodarose View Post
    PHP Code:
    $password = mysql_real_escape_string(sha1($password));
    just FYI, this is one instance where you don't really need to escape your data. sha1() (and md5(), too) produces a hash that is represented by only alphanumeric characters.

    using mysql_real_escape_string() won't hurt anything, of course, but in this case there will never be anything to escape, and it will return the same string you give it (at the cost of a few processing cycles).

  9. #18
    Join Date
    Feb 2008
    Posts
    81
    Thanks
    8
    Thanked 5 Times in 5 Posts

    Default

    From what I can see, I guess you're going to use this script to check login, every time a user logs in.

    So if a user logs in twice, your script will hash repeatedly, meaning it will hash the already hashed password -> BLUNDER!

    Your db fields must be updated only once, so that all the passwords are hashed. Once you update, they stay like that until you update again, so I don't get the point of running update every time users log in.

  10. #19
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    This also isn't secure: any submitted password will work and be saved as the new password.

    As Midhul says, you need to update everything one time-- when YOU load the page. Then disable that page (or even delete it), and after that let the users log in and convert using sha1() or md5() and ONLY check if it matches the already stored password.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
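
The split the last two replies describe (convert the stored passwords once, then have the login page only compare) is sketched below as an added example; it is not code from any poster in this thread. Assumptions: it swaps in PHP's password_hash()/password_verify() for the thread's sha1() and PDO prepared statements for the mysql_* calls, keeps the thread's tbllogin table and column names, and runs against a constructed in-memory SQLite table with constructed sample rows.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL connection; the rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbllogin (username TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO tbllogin VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");

// One-time conversion, run by the administrator and never from the login page.
// Rows that already hold a password_hash() value are skipped, so running the
// script a second time cannot hash an already hashed password.
function migrate_passwords(PDO $db): int
{
    $rows = $db->query('SELECT username, password FROM tbllogin')->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE tbllogin SET password = :hash WHERE username = :user');
    $converted = 0;
    foreach ($rows as $row) {
        if (password_get_info($row['password'])['algoName'] !== 'unknown') {
            continue; // already converted on an earlier run
        }
        $update->execute([
            ':hash' => password_hash($row['password'], PASSWORD_DEFAULT),
            ':user' => $row['username'],
        ]);
        $converted++;
    }
    return $converted;
}

// Login path: read and compare only. Nothing the visitor submits is written
// back, and the username reaches the query as a bound parameter.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM tbllogin WHERE username = :user');
    $stmt->execute([':user' => $username]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && password_verify($password, $stored);
}

// The migration is called twice to exercise the skip branch.
var_dump(migrate_passwords($db));
var_dump(migrate_passwords($db));
// A matching password, a non-matching one, and an unknown user.
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, 'alice', 'anything else'));
var_dump(check_login($db, 'carol', 'hunter2'));
```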
