How to use SHA1 or MD5 encrypted in user password into MySQL table

Well, there have been a fuss around the globe regarding the user data.
And how well we had done to protect their interest on our side.

Online forum, portal.. and all sort of password-required to access.
Should really not put the password on the plaintext on MySQL table or even on the textfile.
Provided the administrator access is easily slipped.. one shouldn’t take the user password for easy viewing..

Here is some example of getting the simple “SHA1” into user table in place..

 /* Store user details */
 $passwordHash = sha1($_POST['password']);
 $sql = 'INSERT INTO user (username,passwordHash) VALUES (?,?)';
 $result = $db->query($sql, array($_POST['username'], $passwordHash));

or

  $query = sprintf("INSERT INTO USER ( username,passwordHash) VALUES ('%s','%s' )",
    mysql_real_escape_string($_POST['username']),
    sha1(mysql_real_escape_string($_POST['password'] )) );
   // Perform SQL Query
 $result = mysql_query($query);


[ad#postad] .. so it got something like this is user table ..
sql-user-table

For login form..

      $userid =  mysql_escape_string($_REQUEST['login_id']);
      $userpassword = sha1($_REQUEST['password']);
      # here do whatever u need to auth.
      # check for matching user id and password in local database
      $processor = new DatabaseClassName();
      $processor->login($userid,$userpassword);

and somewhere in the library or whatsoever..

  DatabaseClassName  {
  function DatabaseClassName () {
    session_start ();
  }
  function do_login ($user,$password) {
      $sqlstatement = sprintf ( "SELECT count(*) AS UserCount FROM user_table ".
        "WHERE username = '%s' AND ".
        "pw='%s'",$user,$password);
      $sqlq = mysql_query($sqlstatement,$db);
      $users = mysql_fetch_array( $sqlq,MYSQL_ASSOC);
      $result = $users['UserCount'];

      if ( $users['UserCount'] == 1) {
        $this->logged_in ($user);
      };
      return ($result == 1);
   }

 function logged_in ($user) {
  $_SESSION['id'] = $user;
  $_SESSION['ip']  = $_SERVER['REMOTE_ADDRESS'];
  $_SESSION['timeout'] = time()  + 10;
 }

 function logout () {
  $_SESSION= array();
  session_unset();
  session_destroy ();
 }
}
[ad#postad] …Hmm..

For md5.. just need to changed “sha1” to “md5”..

      $userpassword = sha1($_REQUEST['password']);

to

      $userpassword = md5($_REQUEST['password']);

** update..
if want to use SHA-256

  $userpassword = sha256($_REQUEST['password']);

but if using SHA-256 .. you might have to calculate the hash by yourself before adding it via phpMyAdmin interface..
as the function there only up to MD5 and SHA1.i think.
function-in-phpmyadmin-sha1

.. can also add some noise.. or salt.. and whatever craps to it.. to make it harder.. a bit.

it might be still be spoofed/ sniffed by ip address or browser and all..
but at least.. it should not leave the user password in plaintext format somewhere in server itself..

Further read up.. Web Auth[pdf].

p/s : just my two cents ..

Get Free Email Updates!

Signup now and receive an email once I publish new content.

I will never give away, trade or sell your email address. You can unsubscribe at any time.

Like

Related Post

3 Responses

  1. casiemec says:

    This rather good idea is necessary just by the way

    Reply
  2. TheN2S says:

    I was wondering if I can use this for my wordpress 2.9.2 site. I simply want to mirror/sync/backup all my newly UPLOADED files to a new BACKUP website. (I don’t want to wait for the cron job to kick in)

    Reply
  3. Madelyn Monoz says:

    I love what you guys are up too. Such clever work and exposure! Keep up the good works guys I’ve added you guys to blogroll.

    Reply

Anything to add?

X