Namran Hussin Webdesign

How to use SHA1 or MD5 encrypted in user password into MySQL table

Well, there has been a fuss around the globe regarding user data,
and how well we have done to protect the users' interests on our side.

Online forums, portals.. and all sorts of sites that require a password to access.
You really should not store the password in plaintext in a MySQL table, or even in a text file.
If administrator access ever slips.. one shouldn’t leave the user passwords open for easy viewing..

Here is a simple example of getting a “SHA1” hash into the user table in place..

 /* Store user details: hash the raw password, never the plaintext */
 $passwordHash = sha1($_POST['password']);
 // $db is a DB abstraction object whose query() binds the values to the ? placeholders
 $sql = 'INSERT INTO user (username, passwordHash) VALUES (?, ?)';
 $result = $db->query($sql, array($_POST['username'], $passwordHash));

or

  $query = sprintf("INSERT INTO user (username, passwordHash) VALUES ('%s', '%s')",
    mysql_real_escape_string($_POST['username']),
    sha1($_POST['password']));   // hash the raw password; the hex digest contains nothing that needs escaping
    // (escaping the password before hashing, as one might be tempted to do, would change the stored
    //  hash for any password containing a quote or backslash, and those users could never log in)
  // Perform SQL query
  $result = mysql_query($query);


.. so the user table ends up looking something like this ..
(screenshot: sql-user-table)

For the login form..

      $userid = mysql_real_escape_string($_REQUEST['login_id']);   // mysql_escape_string() is deprecated
      $userpassword = sha1($_REQUEST['password']);                  // same hash as at registration time
      # here do whatever you need to auth.
      # check for matching user id and password hash in the local database
      $processor = new DatabaseClassName();
      $processor->do_login($userid, $userpassword);   // the method is named do_login in the class

and somewhere in the library, or wherever..

 class DatabaseClassName {
   function DatabaseClassName () {   // PHP 4-style constructor; use __construct() on PHP 5+
     session_start ();
   }

   function do_login ($user, $password) {
       // $password is already the SHA1 hex digest computed by the caller
       $sqlstatement = sprintf ( "SELECT count(*) AS UserCount FROM user ".
         "WHERE username = '%s' AND ".
         "passwordHash = '%s'", $user, $password);
       $sqlq = mysql_query($sqlstatement);   // uses the most recently opened mysql connection
       $users = mysql_fetch_array( $sqlq, MYSQL_ASSOC);
       $result = $users['UserCount'];

       if ( $users['UserCount'] == 1) {
         $this->logged_in ($user);
       }
       return ($result == 1);
   }

   function logged_in ($user) {
     $_SESSION['id'] = $user;
     $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];   // the key is REMOTE_ADDR, not REMOTE_ADDRESS
     $_SESSION['timeout'] = time() + 10;
   }

   function logout () {
     $_SESSION = array();
     session_unset();
     session_destroy ();
   }
 }
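The same register-and-login flow done with prepared statements instead of sprintf() and mysql_query(), as an added example that is not code from the original post. It uses PDO with an in-memory SQLite database as a stand-in for MySQL so it runs offline; the table and column names (user, username, passwordHash) follow the post, and the function names (hashPassword, openDb, registerUser, loginUser) are this example's own. The hash is still the post's unsalted SHA1, kept in one function so it can be swapped out.

```php
<?php
// Added example (not from the original post): register/login with PDO prepared
// statements. In-memory SQLite stands in for MySQL so the script runs offline.

function hashPassword(string $password): string
{
    // Same scheme as the post: unsalted SHA1 hex digest. Isolated here so a
    // salted or slow hash can replace it without touching any query.
    return sha1($password);
}

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, passwordHash TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    // Placeholders: the driver sends the values separately from the SQL text,
    // so neither the username nor the hash is interpolated into the query and
    // no manual escaping is needed anywhere.
    $stmt = $db->prepare('INSERT INTO user (username, passwordHash) VALUES (?, ?)');
    $stmt->execute([$username, hashPassword($password)]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    // Look the user up by name only, then compare the hash in PHP with
    // hash_equals() (constant time) instead of matching it in the WHERE clause.
    $stmt = $db->prepare('SELECT passwordHash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;   // unknown user
    }
    return hash_equals($stored, hashPassword($password));
}

// Constructed sample data: quotes in the username or password are harmless here.
$db = openDb();
registerUser($db, "o'brien", "pa'ss\"word");

var_dump(loginUser($db, "o'brien", "pa'ss\"word"));   // correct password
var_dump(loginUser($db, "o'brien", "wrong"));         // wrong password
var_dump(loginUser($db, "nobody", "pa'ss\"word"));    // unknown user
```

Fetching by username and verifying in PHP is the shape you need anyway once the hash carries a per-user salt, since the server can no longer compute the expected value inside the query.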

…Hmm..

For MD5.. you just need to change “sha1” to “md5”..

      $userpassword = sha1($_REQUEST['password']);

to

      $userpassword = md5($_REQUEST['password']);

** update..
if you want to use SHA-256

  $userpassword = hash('sha256', $_REQUEST['password']);   // PHP has no sha256() function; use hash() with the algorithm name

but if you use SHA-256 .. you may have to calculate the hash yourself before adding a user via the phpMyAdmin interface..
as the functions offered there only go up to MD5 and SHA1, I think.
(screenshot: function-in-phpmyadmin-sha1)

.. you can also add some noise.. or salt.. to it, to make it harder.. a bit.

the session might still be spoofed or sniffed, by IP address or browser and all..
but at least.. it should not leave the user passwords in plaintext somewhere on the server itself..
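What “adding some salt” actually changes, shown as an added example that is not code from the original post. Two users who pick the same password get the same unsalted sha1()/md5() value, so one precomputed table cracks both; a random per-user salt makes the stored values differ, and the salt itself is stored next to the hash because it only has to be unique, not secret. The helper names (unsaltedHash, makeSaltedRecord, verifySalted) are this example's own; random_bytes() needs PHP 7, password_hash() PHP 5.5.

```php
<?php
// Added example (not from the original post): unsalted vs per-user salted hashes.

function unsaltedHash(string $password): string
{
    return sha1($password);   // the post's scheme
}

function makeSaltedRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16));   // 32 hex chars, fresh for every user
    // Store both columns; verification needs the salt to recompute the hash.
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

function verifySalted(array $record, string $password): bool
{
    $candidate = hash('sha256', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);   // constant-time compare
}

// Constructed sample data: two users who happen to choose the same password.
$alicePw = 'correct horse';
$bobPw   = 'correct horse';

$unsaltedSame = unsaltedHash($alicePw) === unsaltedHash($bobPw);   // identical table rows
$alice = makeSaltedRecord($alicePw);
$bob   = makeSaltedRecord($bobPw);
$saltedSame = $alice['hash'] === $bob['hash'];                      // salts differ, so rows differ

printf("unsalted sha1 rows identical: %s\n", $unsaltedSame ? 'yes' : 'no');
printf("salted sha256 rows identical: %s\n", $saltedSame ? 'yes' : 'no');
printf("verify alice, right password: %s\n", verifySalted($alice, 'correct horse') ? 'ok' : 'fail');
printf("verify alice, wrong password: %s\n", verifySalted($alice, 'wrong') ? 'ok' : 'fail');

// PHP 5.5+ bundles this pattern, with a deliberately slow algorithm and a
// built-in salt, as password_hash()/password_verify(); prefer it to a
// hand-rolled salt plus a fast hash like the one above.
$stored = password_hash($alicePw, PASSWORD_DEFAULT);
printf("password_verify: %s\n", password_verify('correct horse', $stored) ? 'ok' : 'fail');
```

One consequence worth knowing: with a per-user salt (or password_hash), the stored value can no longer be produced by a plain MD5()/SHA1() function in phpMyAdmin, so new accounts have to be created through the application's own registration code.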

Further reading.. Web Auth [pdf].

p/s : just my two cents ..

8 thoughts on “How to use SHA1 or MD5 encrypted in user password into MySQL table”

  1. Hi namran, you should not use MD5 hashing as “encryption” for passwords. Why? I wrote in my blog how easy it is to crack MD5 passwords using local software (see http://www.stottmeister.com/blog/2009/06/29/how-to-crack-md5-passwords-with-john-the-ripper-a-live-example-exploiting-typo3/ ) and using online services (see http://www.stottmeister.com/blog/2009/04/14/how-to-crack-md5-passwords/ ). These articles tell you how to crack MD5 hashes quite easily (for educational purposes only). So please don’t use MD5 as password “encryption”.

    Even SHA-1 is considered unsafe nowadays. Better use a new hashing mechanism such as SHA-256 or something similar.

    Best regards
    Stotti

    1. Hi Stotti,

      Thanks for your comment.

      apparently to change that to use SHA-256 ..
      just need to change the line ..
      md5()
      to use sha256 by …
      sha256()

      and have to make sure the password field length in SQL table is long enough to store the hash..
      .. and you won’t be able to add a new user via the phpMyAdmin interface as there is no built-in sha256 function there, and you have to calculate your password yourself..

      correct ?

