03-12-2009, 04:20 PM   #2 (permalink)
CrazeD
 
Wizard Techie

Join Date: Feb 2006

Location: Maine

Posts: 3,686

Re: PHP form password with MD5

PHP Code:
<?php

// Uses the original mysql_* extension (PHP 5; removed in PHP 7).
$con = mysql_connect("localhost", "user", "password1234");

if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    }

$password = md5($_POST["password"]);

mysql_select_db("database", $con);

// id is left out of the column list so the number of values matches;
// an AUTO_INCREMENT id is filled in by MySQL.
// The username is concatenated into the query unescaped (see the note below).
$sql = "INSERT INTO members (username, password)
VALUES ('" . $_POST["username"] . "','" . $password . "')";

if (!mysql_query($sql, $con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($con);

?>
This should work. However, this is very insecure, as you didn't even protect against SQL injection. Also, MD5 is old and has been cracked; it's no longer a good choice for encryption. At the very least, encrypt with the SHA1 function. If you really want security, use a salt too. A salt is a randomly generated string that is encrypted into the password. So, even if a hacker got the password hash, they would have to figure out your salt and your algorithm. And even that wouldn't help them, because it'd be nearly impossible to crack.

So, what you need to do is add a salt column to your MySQL table, and then use this script that I have revised for you:

PHP Code:
<?php

// Uses the original mysql_* extension (PHP 5; removed in PHP 7).

// Random salt: 40 keeps the full sha1 hex digest; a length of 0 would give an
// empty salt, which defeats the purpose.
function createSalt($length = 40)
{
    $salt = substr(sha1(md5(uniqid(rand(), true))), 0, $length);

    return $salt;
}

// Hash of password and salt; the same function is run again at login and the
// result compared with the stored passhash.
function getPassHash($password = '', $salt = '')
{
    $passhash = sha1(md5(sha1($password) . md5($salt)));

    return $passhash;
}

$con = mysql_connect("localhost", "user", "password1234");

if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    }

// mysql_real_escape_string() honours the connection's character set;
// mysql_escape_string() is the deprecated form.
$username = mysql_real_escape_string($_POST['username'], $con);
// The password is hashed, never put into SQL, so it is used exactly as typed;
// escaping it first would change what gets hashed.
$password = $_POST['password'];

$salt = createSalt();
$passhash = getPassHash($password, $salt);

mysql_select_db("database", $con);

// id is omitted so the value count matches the column list (AUTO_INCREMENT).
$sql = "INSERT INTO members (username, password, password_salt)
VALUES ('" . $username . "','" . $passhash . "', '" . $salt . "')";

if (!mysql_query($sql, $con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

mysql_close($con);

?>
This script will protect against SQL injection, as well as make a very secure password with a salt. When you want to authenticate a login, just repeat the algorithm like I did and match the passhash.

Hope that helps.
__________________

Need website help? PM me!
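As an added example that is not part of CrazeD's post or the original question: the same register-and-login flow written against current PHP. It swaps in two techniques the post does not use, PDO prepared statements in place of string escaping and password_hash()/password_verify() in place of the sha1/md5 chain (bcrypt generates its own random salt and stores it inside the hash string, so the separate password_salt column is not needed). It assumes PHP 7 or later with the pdo_sqlite extension; the in-memory SQLite table, the usernames and the passwords are constructed for the demo, and the MySQL DSN mentioned in the comments is a placeholder.

```php
<?php
// Added example, not CrazeD's code. Assumes PHP 7.0+ with pdo_sqlite; the
// in-memory SQLite database stands in for the MySQL "members" table so the
// script runs offline.

function openDatabase(): PDO
{
    // For MySQL the DSN would be something like 'mysql:host=localhost;dbname=database'
    // (placeholder) plus the user and password arguments.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (
                   id       INTEGER PRIMARY KEY AUTOINCREMENT,
                   username TEXT NOT NULL UNIQUE,
                   password TEXT NOT NULL)');
    return $db;
}

function registerMember(PDO $db, string $username, string $password): bool
{
    // password_hash() picks a random salt and embeds it, together with the
    // algorithm identifier and cost, in the string it returns.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders are bound at execute time, so quotes in the username are
    // stored as data rather than interpreted as part of the SQL.
    $stmt = $db->prepare('INSERT INTO members (username, password) VALUES (:u, :p)');
    try {
        return $stmt->execute([':u' => $username, ':p' => $hash]);
    } catch (PDOException $e) {
        return false;   // e.g. the username is already taken
    }
}

function authenticateMember(PDO $db, string $username, string $password): bool
{
    // A fixed hash to verify against when the username is unknown, so a
    // failed login takes about the same time whether or not the account exists.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = ($row !== false) ? $row['password'] : $dummyHash;
    $ok = password_verify($password, $stored);
    return ($row !== false) && $ok;
}

// Constructed demo input. The username with an apostrophe, which would have
// broken the concatenated INSERT in the post, is handled as ordinary data.
$db = openDatabase();
printf("register alice:              %s\n", registerMember($db, 'alice', 'correct horse battery staple') ? 'ok' : 'failed');
printf("register o'brien:            %s\n", registerMember($db, "o'brien", 'pa$$word') ? 'ok' : 'failed');
printf("register alice again:        %s\n", registerMember($db, 'alice', 'other') ? 'ok' : 'failed');
printf("login alice, right password: %s\n", authenticateMember($db, 'alice', 'correct horse battery staple') ? 'accepted' : 'rejected');
printf("login alice, wrong password: %s\n", authenticateMember($db, 'alice', 'letmein') ? 'accepted' : 'rejected');
printf("login unknown user:          %s\n", authenticateMember($db, 'nobody', 'anything') ? 'accepted' : 'rejected');
```

Run it with `php register_login.php` (any file name). Login checks compare the submitted password against the stored hash with password_verify(), which does the salt extraction and the constant-time comparison itself, so nothing in the application code needs to know the hashing details.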