Navigate
X
    Namran Hussin
  • 15 years ago
    • Categories: Webdesign

How to use SHA1 or MD5 encrypted in user password into MySQL table

Well, there have been a fuss around the globe regarding the user data.
And how well we had done to protect their interest on our side.

Online forum, portal.. and all sort of password-required to access.
Should really not put the password on the plaintext on MySQL table or even on the textfile.
Provided the administrator access is easily slipped.. one shouldn’t take the user password for easy viewing..

Here is some example of getting the simple “SHA1” into user table in place..

 /* Store user details */ $passwordHash = sha1($_POST['password']);
 $sql = 'INSERT INTO user (username,passwordHash) VALUES (?,?)';
 $result = $db->query($sql, array($_POST['username'], $passwordHash));

or 

  $query = sprintf("INSERT INTO USER ( username,passwordHash) VALUES ('%s','%s' )",
    mysql_real_escape_string($_POST['username']),
    sha1(mysql_real_escape_string($_POST['password'] )) );
   // Perform SQL Query
 $result = mysql_query($query);



.. so it got something like this is user table ..

For login form..

      $userid =  mysql_escape_string($_REQUEST['login_id']);
      $userpassword = sha1($_REQUEST['password']);
      # here do whatever u need to auth.
      # check for matching user id and password in local database
      $processor = new DatabaseClassName();
      $processor->login($userid,$userpassword);

and somewhere in the library or whatsoever.. 

  DatabaseClassName  {
   DatabaseClassName () {
    session_start ();
  }
   do_login ($user,$password) {
      $sqlstatement = sprintf ( "SELECT count(*) AS UserCount FROM user_table ".
        "WHERE username = '%s' AND ".
        "pw='%s'",$user,$password);
      $sqlq = mysql_query($sqlstatement,$db);
      $users = mysql_fetch_array( $sqlq,MYSQL_ASSOC);
      $result = $users['UserCount'];

      if ( $users['UserCount'] == 1) {
        $this->logged_in ($user);
      };
      return ($result == 1);
   }

  logged_in ($user) {
  $_SESSION['id'] = $user;
  $_SESSION['ip']  = $_SERVER['REMOTE_ADDRESS'];
  $_SESSION['timeout'] = time()  + 10;
 }

  logout () {
  $_SESSION= array();
  session_unset();
  session_destroy ();
 }
}


…Hmm..

For md5.. just need to changed “sha1” to “md5”..

      $userpassword = sha1($_REQUEST['password']);

to 

      $userpassword = md5($_REQUEST['password']);

** update..
if want to use SHA-256

  $userpassword = sha256($_REQUEST['password']);

but if using SHA-256 .. you might have to calculate the hash by yourself before adding it via phpMyAdmin interface..
as the there only up to MD5 and SHA1.i think.

.. can also add some noise.. or salt.. and whatever craps to it.. to make it harder.. a bit.

it might be still be spoofed/ sniffed by ip address or browser and all..
but at least.. it should not leave the user password in plaintext format somewhere in server itself..

Further read up.. Web Auth[pdf].

p/s : just my two cents ..

Related posts:

  1. Installing Moodle in Centos 5 with mySQL
  2. Automatic backup content from wordpress to another mirror site
  3. PHP tips : how to sort and reverse sort an array
  4. ICt-hardware user acceptance test
Tags: md5mysqlphpsha1
Namran Hussin: a soft spoken guy... with exceptional interest in computers and technology. I love to learn new thing and also love to break thing for the sake of learning.. but I do abide to the self-imposed limitation or certain thing such as social thing in life, thing can be done and thing that must be avoided at whatever cost such as drug,illegal tracking, smoke,illicit activity..etc.muahahaha let's share what we had in this short term of the life.! make it worth of the living.~

View Comments (7)

Leave a Comment
Related Post
  1. Redirect homepage with .htaccess

    To temporarily redirect the whole website under a folder to a new domain. Using .htaccess,…

Leave a Comment