Programming Forums > Web Development and Design > PHP

OpenLoop · Aug 22nd, 2005, 11:21 AM

I'm developing a website in php with a MySql database. The website has a login page that reads the user data from localdb.logins where localdb is my database. Although I'm only developing the site to learn PHP, I like to get into good practices so I was wondering, how do you go about encrypting the username and password fields IN THE DATABASE?

Currently, here's the schema for the logins table:

(Toggle Plain Text)

mysql> describe logins;
+----------+-------------+------+-----+---------+-------+
| Field    | Type        | Null | Key | Default | Extra |
+----------+-------------+------+-----+---------+-------+
| username | varchar(20) |      | PRI |         |       |
| password | varchar(20) | YES  |     | NULL    |       |
+----------+-------------+------+-----+---------+-------+
2 rows in set (0.00 sec)

mysql>

Polyphemus_ · Aug 22nd, 2005, 11:32 AM

You should encode the password in the database using MD5, it's easy - just insert the value with MD5( before and a ) after

. The clientside should encrypt the password as well, also with MD5 (there are some nice javascripts on the internet), and send it as a form. You compare then the hashed passwords.
You could do the same with the username - but it's not necessary.

Hope this helps

Infinite Recursion · Aug 22nd, 2005, 11:33 AM

Try this to encrypt the password entry of new users:

INSERT INTO logins (username,password) VALUES ('billybob',PASSWORD('mypasswd'));

Pizentios · Aug 22nd, 2005, 11:46 AM

if you want something better than MD5 php will need mcrypt support compiled in. Take a look at the mcrypt functions on the php website.

http://ca3.php.net/manual/en/ref.mcrypt.php

mcrypt supports: DES, TripleDES, Blowfish (default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and GOST in CBC, OFB, CFB and ECB cipher modes.

it also supports some ciphers that are not free (free as in beer) as well, but i don't think you'd be using them.

Polyphemus_ · Aug 22nd, 2005, 11:49 AM

I recommend starting with MD5, when it works you can also switch to a better way of encrypting

BlazingWolf · Aug 22nd, 2005, 11:58 AM

MD5 is the easiest way to go for passwords. Which is all you really need to do besides mabey e-mails(don't want spammers getting your memebers e-mails) but for that you will need mycrypt which is a bit confusing when your start but one you get the hang of it it's simple.

Pizentios · Aug 22nd, 2005, 12:01 PM

i found mcrypt pretty easy to use.

OpenLoop · Aug 22nd, 2005, 12:03 PM

Thanks for the help guys. For now, I'll go with the easy stuff. But if I ever go public with the website, I will use mcrypt and encrypt the password on the client-side as well.

EDIT: Just a note, PASSWORD() seems to be better than MD5() and just as easy:
MD5('cheaito') = 3aff9b940d4a940cfad131e6bbde779a
PASSWORD('cheaito') = *0DBF924D6D6CB7167F217C55F29FF9F875406960

BTW that's not my actual password.

iignotus · Aug 22nd, 2005, 12:06 PM

Like polyphemus_ said, start with MD5. It's what I use. If you're really paranoid, though, you can always do SHA-1 or generate longer hashes. Try taking the hash of a small section of the pass in addition to the hash of the original:

(Toggle Plain Text)

The pass is 'supermario'.
supermario = c1210473c214e0cf5968bf147ed079d9
  perma    = b96cf03f098f56ce6d426ae878667d10
New hash of original pass (supermario) is 'c1210473c214e0cf5968bf147ed079d9b96cf03f098f56ce6d426ae878667d10'

That's slower and whatnot, but if you're paranoid, it's much more secure.

Polyphemus_ · Aug 22nd, 2005, 12:30 PM

Quote:

Originally Posted by OpenLoop

Thanks for the help guys. For now, I'll go with the easy stuff. But if I ever go public with the website, I will use mcrypt and encrypt the password on the client-side as well.

EDIT: Just a note, PASSWORD() seems to be better than MD5() and just as easy:
MD5('cheaito') = 3aff9b940d4a940cfad131e6bbde779a
PASSWORD('cheaito') = *0DBF924D6D6CB7167F217C55F29FF9F875406960

BTW that's not my actual password.

PASSWORD looks idd better than MD5, but I'm not sure there are javascripts around on the internet to encode the password the same way.

Aug 22nd, 2005, 11:21 AM	#1
OpenLoop Expert Programmer Join Date: May 2005 Location: East Lansing, MI Posts: 663 Rep Power: 4	Encrypting sensitive data I'm developing a website in php with a MySql database. The website has a login page that reads the user data from localdb.logins where localdb is my database. Although I'm only developing the site to learn PHP, I like to get into good practices so I was wondering, how do you go about encrypting the username and password fields IN THE DATABASE? Currently, here's the schema for the logins table: (Toggle Plain Text) mysql> describe logins; +----------+-------------+------+-----+---------+-------+ \| Field \| Type \| Null \| Key \| Default \| Extra \| +----------+-------------+------+-----+---------+-------+ \| username \| varchar(20) \| \| PRI \| \| \| \| password \| varchar(20) \| YES \| \| NULL \| \| +----------+-------------+------+-----+---------+-------+ 2 rows in set (0.00 sec) mysql> mysql> describe logins; +----------+-------------+------+-----+---------+-------+ \| Field \| Type \| Null \| Key \| Default \| Extra \| +----------+-------------+------+-----+---------+-------+ \| username \| varchar(20) \| \| PRI \| \| \| \| password \| varchar(20) \| YES \| \| NULL \| \| +----------+-------------+------+-----+---------+-------+ 2 rows in set (0.00 sec) mysql>

Aug 22nd, 2005, 11:33 AM	#3
Infinite Recursion Programming Guru Join Date: Jul 2004 Location: United States Posts: 3,467 Rep Power: 8	Try this to encrypt the password entry of new users: INSERT INTO logins (username,password) VALUES ('billybob',PASSWORD('mypasswd')); __________________ http://jasonpowers.net "There are a thousand hacking at the branches of evil to one who is striking at the root."

Aug 22nd, 2005, 11:46 AM	#4
Pizentios Programming Guru Join Date: May 2004 Location: Brandon, Manitoba, Canada Posts: 2,023 Rep Power: 7	if you want something better than MD5 php will need mcrypt support compiled in. Take a look at the mcrypt functions on the php website. http://ca3.php.net/manual/en/ref.mcrypt.php mcrypt supports: DES, TripleDES, Blowfish (default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and GOST in CBC, OFB, CFB and ECB cipher modes. it also supports some ciphers that are not free (free as in beer) as well, but i don't think you'd be using them. __________________ Profanity is the one language that all programmers understand. Check out my Blog <---updated Nov 30 2007!

Aug 22nd, 2005, 11:58 AM	#6
BlazingWolf Hobbyist Programmer Join Date: Sep 2004 Posts: 207 Rep Power: 5	MD5 is the easiest way to go for passwords. Which is all you really need to do besides mabey e-mails(don't want spammers getting your memebers e-mails) but for that you will need mycrypt which is a bit confusing when your start but one you get the hang of it it's simple. __________________ _______________________________ BlazingWolf

Aug 22nd, 2005, 12:01 PM	#7
Pizentios Programming Guru Join Date: May 2004 Location: Brandon, Manitoba, Canada Posts: 2,023 Rep Power: 7	i found mcrypt pretty easy to use. __________________ Profanity is the one language that all programmers understand. Check out my Blog <---updated Nov 30 2007!

Aug 22nd, 2005, 11:32 AM	#2
Polyphemus_ Expert Programmer Join Date: Aug 2005 Location: Rotterdam, the Netherlands Posts: 942 Rep Power: 4	You should encode the password in the database using MD5, it's easy - just insert the value with MD5( before and a ) after . The clientside should encrypt the password as well, also with MD5 (there are some nice javascripts on the internet), and send it as a form. You compare then the hashed passwords. You could do the same with the username - but it's not necessary. Hope this helps

Aug 22nd, 2005, 11:49 AM	#5
Polyphemus_ Expert Programmer Join Date: Aug 2005 Location: Rotterdam, the Netherlands Posts: 942 Rep Power: 4	I recommend starting with MD5, when it works you can also switch to a better way of encrypting

Aug 22nd, 2005, 12:03 PM	#8
OpenLoop Expert Programmer Join Date: May 2005 Location: East Lansing, MI Posts: 663 Rep Power: 4	Thanks for the help guys. For now, I'll go with the easy stuff. But if I ever go public with the website, I will use mcrypt and encrypt the password on the client-side as well. EDIT: Just a note, PASSWORD() seems to be better than MD5() and just as easy: MD5('cheaito') = 3aff9b940d4a940cfad131e6bbde779a PASSWORD('cheaito') = *0DBF924D6D6CB7167F217C55F29FF9F875406960 BTW that's not my actual password.

Aug 22nd, 2005, 12:06 PM	#9
iignotus Professional Programmer Join Date: Apr 2005 Location: Nowhere Special Posts: 466 Rep Power: 4	Like polyphemus_ said, start with MD5. It's what I use. If you're really paranoid, though, you can always do SHA-1 or generate longer hashes. Try taking the hash of a small section of the pass in addition to the hash of the original: (Toggle Plain Text) The pass is 'supermario'. supermario = c1210473c214e0cf5968bf147ed079d9 perma = b96cf03f098f56ce6d426ae878667d10 New hash of original pass (supermario) is 'c1210473c214e0cf5968bf147ed079d9b96cf03f098f56ce6d426ae878667d10' The pass is 'supermario'. supermario = c1210473c214e0cf5968bf147ed079d9 perma = b96cf03f098f56ce6d426ae878667d10 New hash of original pass (supermario) is 'c1210473c214e0cf5968bf147ed079d9b96cf03f098f56ce6d426ae878667d10' That's slower and whatnot, but if you're paranoid, it's much more secure. __________________ (Toggle Plain Text) % rc4 hexkey < input > output #define S ,t=s[i],s[i]=s[j],s[j]=t /* rc4 hexkey <file / unsigned char k[256],s[256],i,j,t;main(c,v,e)charv;{++v;while(++i)s[ i]=i;for(c=0;(v)++;k[c++]=e)sscanf((v)++-1,"%2x",&e);while(j+=s[i] +k[i%c]S,++i);for(j=0;c=~getchar();putchar(~c^s[t+=s[i]]))j+=s[++i]S;}

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Programming Forums > Web Development and Design > PHP

Encrypting sensitive data