How to use SHA1 or MD5 encrypted in user password into MySQL table

Posted Under:

Well, there have been a fuss around the globe regarding the user data.
And how well we had done to protect their interest on our side.

Online forum, portal.. and all sort of password-required to access.
Should really not put the password on the plaintext on MySQL table or even on the textfile.
Provided the administrator access is easily slipped.. one shouldn’t take the user password for easy viewing..

Here is some example of getting the simple “SHA1” into user table in place..

 /* Store user details */
 $passwordHash = sha1($_POST['password']);
 $sql = 'INSERT INTO user (username,passwordHash) VALUES (?,?)';
 $result = $db->query($sql, array($_POST['username'], $passwordHash));

or 

  $query = sprintf("INSERT INTO USER ( username,passwordHash) VALUES ('%s','%s' )",
    mysql_real_escape_string($_POST['username']),
    sha1(mysql_real_escape_string($_POST['password'] )) );
   // Perform SQL Query
 $result = mysql_query($query);


[ad#postad] .. so it got something like this is user table ..
sql-user-table

For login form..

      $userid =  mysql_escape_string($_REQUEST['login_id']);
      $userpassword = sha1($_REQUEST['password']);
      # here do whatever u need to auth.
      # check for matching user id and password in local database
      $processor = new DatabaseClassName();
      $processor->login($userid,$userpassword);

and somewhere in the library or whatsoever.. 

  DatabaseClassName  {
  function DatabaseClassName () {
    session_start ();
  }
  function do_login ($user,$password) {
      $sqlstatement = sprintf ( "SELECT count(*) AS UserCount FROM user_table ".
        "WHERE username = '%s' AND ".
        "pw='%s'",$user,$password);
      $sqlq = mysql_query($sqlstatement,$db);
      $users = mysql_fetch_array( $sqlq,MYSQL_ASSOC);
      $result = $users['UserCount'];

      if ( $users['UserCount'] == 1) {
        $this->logged_in ($user);
      };
      return ($result == 1);
   }

 function logged_in ($user) {
  $_SESSION['id'] = $user;
  $_SESSION['ip']  = $_SERVER['REMOTE_ADDRESS'];
  $_SESSION['timeout'] = time()  + 10;
 }

 function logout () {
  $_SESSION= array();
  session_unset();
  session_destroy ();
 }
}
[ad#postad] …Hmm..

For md5.. just need to changed “sha1” to “md5”..

      $userpassword = sha1($_REQUEST['password']);

to 

      $userpassword = md5($_REQUEST['password']);

** update..
if want to use SHA-256

  $userpassword = sha256($_REQUEST['password']);

but if using SHA-256 .. you might have to calculate the hash by yourself before adding it via phpMyAdmin interface..
as the function there only up to MD5 and SHA1.i think.
function-in-phpmyadmin-sha1

.. can also add some noise.. or salt.. and whatever craps to it.. to make it harder.. a bit.

it might be still be spoofed/ sniffed by ip address or browser and all..
but at least.. it should not leave the user password in plaintext format somewhere in server itself..

Further read up.. Web Auth[pdf].

p/s : just my two cents ..

Tags , , ,

Related Post

2 Responses

  1. Patrick says:

    I was just curious as to what you use for your desktop OS? Is it primarily CentOS or Ubuntu? I’m considering CentOS but I haven’t seen many articles about really using it for a workstation.

    Reply
  2. owen says:

    Did you get further into GWT?

    Btw GWT is just javascript compiled via Java’s JRE, and the produced code is simply javascript. So if you want to code JS the most professional way – like IDE dev support, step debugging, and unit tests – use GWT.

    For me, I just love java. C# had a great future but Microsoft managed to screw it up somehow.

    Reply

Leave a Reply to Stotti Cancel reply

Your email address will not be published. Required fields are marked *