I have been reading the PHP manual and I need to encrypt passwords for users on my site. The thing is, I
do

$password = md5($password);

and store it in the database.
What about when they want to sign in?
They enter their password, but it won't be the same as the one in the DB because I have md5'ed it.
How do I undo the md5 so they can log in?

All 5 Replies

If you md5 a string, it can't be "un-md5'ed".

What you can do is the following:
When someone registers, you md5() or sha1() their password, like you did above.

When they log in, you md5() or sha1() the entered password, just like when they registered. If the md5 or sha1 hashes match, then the password must be correct. If they don't match, the password must be wrong.

Hope that helps!
Chester

Here's a summary in code:

Registration:

$password = md5($password);

Login:

// Let's say $_POST["pass"] is the password they submit
// and $real_pass is the md5 from your database.
// Hash the submitted password first, then compare the two hashes.
if (md5($_POST["pass"]) == $real_pass) {
      // Password correct
      // ........ set cookies, redirect, display page, whatever
} else {
      // Password incorrect
      // ........ redirect, show error, blah blah
}

You have to md5 the password again so that it matches the hash stored in your database.

MD5 is actually one of the coolest functions out there, in my opinion. The cool thing is that if I md5, let's say, your name:
md5("tunde011");
it's going to come up with some crazy hash with numbers and letters and maybe underscores and dashes, some random-looking string. The cool thing is that every time I md5 that string, the result is going to be the same. So if I take md5("password") and compare it to md5("password"), I can verify that it is the correct password. This is actually used in other areas too, like determining whether a specific version of a file is the same as the file that you currently have. You can get md5 hashes of images or anything that is text-based and determine whether two versions are exactly the same.

In some way I would disagree with gizgiz, because an MD5 hash can be unhashed, for example by using the http://www.md5-online.com/ project.

If security is a priority, I would suggest using a salt. Even better if there is a unique salt value for every user.
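To make the two points above concrete (what a site like md5-online actually does, and what a per-user salt changes), here is an added example in PHP. It is not code from any reply in this thread; the wordlist, passwords and user names are constructed, and the function names are my own.

```php
<?php
// Added example, not from any reply in this thread: how a site such as
// md5-online "reverses" an unsalted md5(), and why a per-user salt stops it.
// The wordlist and passwords below are constructed; real lookup tables hold
// billions of entries, but the mechanism is the same.

// Attacker side: hash the wordlist once and index by hash.
function build_lookup(array $wordlist) {
    $table = array();
    foreach ($wordlist as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Victim side, unsalted: the stored value is md5 of the bare password, so
// one array lookup recovers it. No brute force happens at query time.
function lookup_plaintext(array $table, $stored_hash) {
    return isset($table[$stored_hash]) ? $table[$stored_hash] : null;
}

// Victim side, salted: prepend a random per-user salt before hashing and
// store the salt next to the hash. The same password now yields a different
// hash for every user, so a table built from bare passwords never matches.
function salted_hash($password, $salt) {
    return hash('sha256', $salt . $password);
}

// Login check: recompute with that user's stored salt and compare in
// constant time with hash_equals() (PHP >= 5.6).
function verify_salted($password, $salt, $stored_hash) {
    return hash_equals($stored_hash, salted_hash($password, $salt));
}

$wordlist = array('123456', 'password', 'letmein', 'qwerty', 'monkey');
$table    = build_lookup($wordlist);

// Unsalted: the attacker's table finds the plaintext immediately.
$stored_unsalted = md5('letmein');
echo "unsalted md5 lookup: ", var_export(lookup_plaintext($table, $stored_unsalted), true), "\n";

// Salted: two users with the same password get different hashes, and the
// attacker's precomputed table no longer matches either of them.
$salt_alice = random_bytes(16);   // PHP >= 7.0
$salt_bob   = random_bytes(16);
$stored_alice = salted_hash('letmein', $salt_alice);
$stored_bob   = salted_hash('letmein', $salt_bob);

echo "same password, different hashes: ", var_export($stored_alice !== $stored_bob, true), "\n";
echo "table hit on salted hash: ", var_export(lookup_plaintext($table, $stored_alice), true), "\n";
echo "verify correct password: ", var_export(verify_salted('letmein', $salt_alice, $stored_alice), true), "\n";
echo "verify wrong password: ", var_export(verify_salted('qwerty', $salt_alice, $stored_alice), true), "\n";
```

The salt only defeats precomputed tables. Once an attacker has the database (salts included), a single sha256 is still fast enough to try enormous numbers of guesses per user, which is why a deliberately slow function with a work factor, such as PHP's password_hash(), is the better choice when it is available.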

Agreed, and perhaps this function is the best hashing function of them all.

function truehash($hashzzz) {
    return hash('sha256', substr(hash('whirlpool', $hashzzz), 3, -3));
}

With the above function, there is no way that anybody can use any current brute-force data available on the internet to reverse it, and because it uses two hash functions it takes twice the CPU to brute-force it. Also, with the substr function, even if the whirlpool and sha256 functions are cracked via an algorithm, the substr would make it impossible even then to reverse it.

As for how to use this hash function, you simply insert the user's password into the users database as a hash (e.g. truehash();) and use the following example to check whether the user has valid details.

<?php
$user = 'bill gates';
$password = '3.14159265';
// above are what would normally be $_POST variables

function truehash($hashzzz) {
    return hash('sha256', substr(hash('whirlpool', $hashzzz), 3, -3));
}

// Assumes an open mysql_connect() connection; the mysql_* extension was
// removed in PHP 7.0. The hash is hex, so only $user needs escaping here.
$r = mysql_query('SELECT * FROM users WHERE user="'.mysql_real_escape_string($user).'" AND password="'.truehash($password).'"');
if (mysql_num_rows($r) > 0) {
    echo 'user is in the database';
} else {
    echo 'Access denied!';
}
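For comparison with the login check above, here is an added example (my own code, not from any reply in this thread) of the same register/login flow using PHP's built-in password API, password_hash() and password_verify(), which have been in PHP since 5.5. It assumes the pdo_sqlite extension and uses an in-memory SQLite table as a stand-in for the real MySQL users table; the user name and password are constructed.

```php
<?php
// Added example: registration and login with PHP's built-in password API.
// Assumptions: PHP >= 5.5 with pdo_sqlite; the in-memory SQLite table
// stands in for the real MySQL users table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration: password_hash() generates a random per-user salt, runs a
// deliberately slow algorithm (bcrypt for PASSWORD_DEFAULT at the time of
// writing) and encodes algorithm, cost, salt and hash into one string, so
// nothing else needs to be stored alongside it.
function register(PDO $db, $user, $password) {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (user, password_hash) VALUES (?, ?)');
    $stmt->execute(array($user, $hash));
}

// Login: fetch the row by user name only, via a prepared statement (no SQL
// string concatenation), then let password_verify() recompute the hash with
// the stored salt and compare it in constant time.
function login(PDO $db, $user, $password) {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user = ?');
    $stmt->execute(array($user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;   // wrong password
    }
    // If the default algorithm or cost has changed since this hash was made,
    // upgrade it now, while the plaintext is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE user = ?');
        $upd->execute(array(password_hash($password, PASSWORD_DEFAULT), $user));
    }
    return true;
}

// Constructed sample data
register($db, 'bill gates', '3.14159265');
echo "correct password: ", var_export(login($db, 'bill gates', '3.14159265'), true), "\n";
echo "wrong password:   ", var_export(login($db, 'bill gates', 'wrong'), true), "\n";
echo "unknown user:     ", var_export(login($db, 'nobody', '3.14159265'), true), "\n";
```

Two differences from the mysql_query() version are worth noting: the hash is never placed into the WHERE clause, so the database only ever sees the user name and the comparison happens in PHP, and the salt and work factor are chosen and stored by password_hash() rather than by a hand-built hashing pipeline.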