Well, there has been a fuss around the globe regarding user data, and how well we have done to protect their interests on our side.
Online forums, portals.. and all sorts of password-protected access.
One should really not put the password in plaintext in a MySQL table, or even in a text file.
Given that administrator access is easily slipped, one shouldn't leave the user password open for easy viewing..
Here is an example of storing a simple "SHA1" hash in the user table instead..
/* Store user details: hash the password, store only the hash */
$passwordHash = sha1($_POST['password']);
$sql = 'INSERT INTO user (username, passwordHash) VALUES (?, ?)';
// prepared statement through your DB wrapper; the values never touch the SQL string
$result = $db->query($sql, array($_POST['username'], $passwordHash));
or
// Escaping is for the SQL string, not the password: hash the raw password,
// and sha1() output is plain hex so it needs no escaping of its own
$query = sprintf("INSERT INTO user (username, passwordHash) VALUES ('%s', '%s')",
    mysql_real_escape_string($_POST['username']),
    sha1($_POST['password']));
// Perform SQL Query
$result = mysql_query($query);
.. so the user table ends up looking something like this ..
For the login form..
$userid = mysql_real_escape_string($_REQUEST['login_id']);
// hash the submitted password the same way it was stored
$userpassword = sha1($_REQUEST['password']);
# here do whatever you need to auth.
# check for a matching user id and password hash in the local database
$processor = new DatabaseClassName();
$processor->do_login($userid, $userpassword);
and somewhere in the library, or wherever..
class DatabaseClassName {
    function DatabaseClassName() {
        session_start();
    }
    // $password is already the sha1() hex digest, so it is safe inside the query;
    // table and column names match the INSERT above
    function do_login($user, $password) {
        $sqlstatement = sprintf("SELECT count(*) AS UserCount FROM user " .
                                "WHERE username = '%s' AND " .
                                "passwordHash = '%s'", $user, $password);
        $sqlq = mysql_query($sqlstatement);          // uses the open mysql connection
        $users = mysql_fetch_array($sqlq, MYSQL_ASSOC);
        $result = ($users['UserCount'] == 1);
        if ($result) {
            $this->logged_in($user);
        }
        return $result;
    }
    function logged_in($user) {
        $_SESSION['id'] = $user;
        $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];    // REMOTE_ADDRESS is not a real key
        $_SESSION['timeout'] = time() + 10;           // 10-second idle limit, as written
    }
    function logout() {
        $_SESSION = array();
        session_unset();
        session_destroy();
    }
}
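The same register-and-login flow again, as an added example that is not the post's own code: PDO prepared statements instead of string-built SQL, and PHP's password_hash()/password_verify() (bcrypt, salted per user) instead of a bare sha1()/md5() compared inside the query. It assumes a table `user` with columns `username` and `passwordHash` (VARCHAR(255)) and uses an in-memory SQLite database with constructed sample data so it runs on its own.

```php
<?php
// Added example, not the post's code. Assumed table: user(username, passwordHash).
function registerUser(PDO $db, string $username, string $password): void {
    // password_hash() picks a random salt and a slow hash; store the whole string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, passwordHash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool {
    // Look the user up by name only; the password never goes into SQL.
    $stmt = $db->prepare('SELECT passwordHash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $storedHash = $row ? $row['passwordHash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        // Upgrade old hashes transparently when the default algorithm or cost changes.
        $upd = $db->prepare('UPDATE user SET passwordHash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    session_regenerate_id(true);      // fresh session id after login, against fixation
    $_SESSION['id'] = $username;
    return true;
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT UNIQUE, passwordHash TEXT)');
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice', 'wrong password'));
var_dump(loginUser($db, 'nobody', 'anything'));
```

The stored value contains the algorithm, cost and salt, so the column needs room for the full string and no separate salt column is required.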
…Hmm..
For md5.. just change "sha1" to "md5"..
$userpassword = sha1($_REQUEST['password']);
to
$userpassword = md5($_REQUEST['password']);
** update..
if you want to use SHA-256 (PHP has no sha256() function; use hash())
$userpassword = hash('sha256', $_REQUEST['password']);
but if using SHA-256.. you might have to calculate the hash yourself before adding a user via the phpMyAdmin interface..
as the functions offered there only go up to MD5 and SHA1, I think.
.. can also add some noise.. or salt.. to it.. to make it harder.. a bit.
The session might still be spoofed/sniffed by IP address or browser and all..
but at least.. it should not leave the user password in plaintext format somewhere on the server itself..
Further reading.. Web Auth [pdf].
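What "adding salt" actually does to the stored values, as an added example that is not the post's own code: a random per-user salt is stored next to a SHA-256 hash, so two users with the same password get different rows and a precomputed table of sha256(password) values is useless; the check uses hash_equals() so comparison time does not depend on where the digests differ. The function names and the sample passwords are assumptions.

```php
<?php
// Added example, not the post's code. Manual salting with SHA-256, as the post suggests.
function makeSaltedRecord(string $password): array {
    $salt = bin2hex(random_bytes(16));            // 128-bit random salt, stored as hex
    $hash = hash('sha256', $salt . $password);    // PHP has no sha256(); use hash()
    return ['salt' => $salt, 'hash' => $hash];    // store both columns in the user row
}

function checkSaltedRecord(array $record, string $candidate): bool {
    // Recompute with the stored salt, then compare in constant time.
    $calc = hash('sha256', $record['salt'] . $candidate);
    return hash_equals($record['hash'], $calc);
}

// Constructed sample: two users who happened to choose the same password.
$alice = makeSaltedRecord('letmein');
$bob   = makeSaltedRecord('letmein');
var_dump($alice['hash'] === $bob['hash']);   // false: same password, different rows
var_dump(checkSaltedRecord($alice, 'letmein'));
var_dump(checkSaltedRecord($bob, 'letmeout'));
```

A salt stops reverse lookups but not brute force against a fast hash; for real password storage the built-in password_hash() is the better choice.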
p/s : just my two cents ..
Hi namran, you should not use MD5 hashing as “encryption” for passwords. Why? I wrote in my blog how easy it is to crack MD5 passwords using local software (see http://www.stottmeister.com/blog/2009/06/29/how-to-crack-md5-passwords-with-john-the-ripper-a-live-example-exploiting-typo3/ ) and using online services (see http://www.stottmeister.com/blog/2009/04/14/how-to-crack-md5-passwords/ ). These articles tell you how to crack MD5 hashes quite easily (for educational purposes only). So please don’t use MD5 as password “encryption”.
Even SHA-1 is considered unsafe nowadays. Better use a new hashing mechanism such as SHA-256 or something similar.
Best regards
Stotti
Hi Stotti,
Thanks for your comment.
Apparently, to change that to use SHA-256..
just need to change the line..
md5()
to use sha256 by…
hash('sha256', ...)
and have to make sure the password field length in the SQL table is long enough to store the hash..
.. and you'll not be able to add a new user via the phpMyAdmin interface, as there is no built-in sha256 option there, and have to calculate the password hash yourself..
correct?
Be sure to salt your hashes if you do use the MD5 algorithm. Simple reverse lookup attacks could crack your hashes otherwise. There are sites such as http://ww.netmd5crack.com and http://gdataonline.com that specialize in this sort of attack.
Brian