So just trying something out, trying to change a list of passwords to md5 but also keeping the plaintext passwords. So the way I want this to work is for it to encrypt all the plaintext passwords in the database with md5, then submit the encrypted password into the same column as the plain text.

PHP:

    <?php
    include('./inc/connect.php');

    $get = mysql_query("SELECT * FROM user");
    while ($row = mysql_fetch_assoc($get)) {
        $pass = $row['pass'];
        $md5 = md5($pass);
        mysql_query("INSERT INTO users (md5) VALUES ('$md5') WHERE pass='$pass'") or die(mysql_error());
    }
    ?>
INSERT statements will create a new row. Use update.

Another approach is to use something like phpass (http://www.openwall.com/phpass/), which is built to secure your users' passwords. It is used in phpBB3, WordPress, and a few other projects. If a hack-er (why is this censored?) gets access to your database, they can easily break MD5 passwords by simply looking them up in rainbow tables.

Open up the archive, and put PasswordHash.php in a place where your PHP script can access it. Look at the test.php if you want some further examples.

PHP:

    <?php
    include('./inc/connect.php');
    include('PasswordHash.php');

    $hasher = new PasswordHash(8, true);
    $result = mysql_query("SELECT * FROM user");
    $count = 0;
    while ($row = mysql_fetch_assoc($result)) {
        // Hash the plaintext password, then escape both values before they go into the query.
        $password = mysql_real_escape_string($hasher->HashPassword($row['pass']));
        $username = mysql_real_escape_string($row['username']);
        mysql_query("UPDATE users SET password = '$password' WHERE username = '$username'") or die(mysql_error());
        $count++;
    }
    echo "$count Rows updated.";

Make sure to change "username" to whatever the username is, or use a user_id if you have one; it will allow the queries to run faster (looking up an int is much faster than a string). Also, remove that md5 column, and make a new one called "password".

Test the script before running on your live DB (this is VERY important), ensure all the data was converted, and run it on your live DB. Once you are happy with the results (and all the passwords are successfully hashed), remove the "pass" column once and for all.
To now check to see if they enter the correct password, use this code:

PHP:

    <?php
    include('PasswordHash.php');

    $hasher = new PasswordHash(8, true);
    $password_entered = $_POST['password'];
    $username_entered = $_POST['username'];
    $username_escaped = mysql_real_escape_string($username_entered);
    $result = mysql_query("SELECT password FROM users WHERE username = '$username_escaped'");
    $row = mysql_fetch_assoc($result);
    // $row is false when no such user exists, so check it before comparing hashes.
    if ($row && $hasher->CheckPassword($password_entered, $row['password'])) {
        echo "User is logged in";
    } else {
        echo "Incorrect username or password";
    }
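The same migration and login check as an added example, not code from any poster in this thread: it uses PDO prepared statements instead of string-built queries and PHP's built-in password_hash()/password_verify() in place of phpass. The in-memory SQLite table, the sample rows and the function names migrate_passwords and check_login are constructed for illustration; the column names follow the thread.

```php
<?php
// Added example: constructed in-memory table and sample rows; columns follow the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass TEXT, password TEXT)");
$db->exec("INSERT INTO users (username, pass) VALUES ('alice', 'correct horse'), ('bob', 'o''brien')");

// Hash every plaintext `pass` into `password`; all rows convert or none do.
function migrate_passwords(PDO $db): int
{
    $update = $db->prepare("UPDATE users SET password = :hash WHERE id = :id");
    $count = 0;
    $db->beginTransaction();
    try {
        $rows = $db->query("SELECT id, pass FROM users WHERE password IS NULL")
                   ->fetchAll(PDO::FETCH_ASSOC);
        foreach ($rows as $row) {
            $hash = password_hash($row['pass'], PASSWORD_DEFAULT);
            // Verify before storing, so the plaintext column is never dropped on a bad hash.
            if (!password_verify($row['pass'], $hash)) {
                throw new RuntimeException("hash check failed for id {$row['id']}");
            }
            $update->execute([':hash' => $hash, ':id' => $row['id']]);
            $count++;
        }
        $db->commit();
    } catch (Exception $e) {
        $db->rollBack();
        throw $e;
    }
    return $count;
}

function check_login(PDO $db, string $username, string $entered): bool
{
    $stmt = $db->prepare("SELECT password FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // Unknown user or unmigrated row: no string hash comes back, so fail closed.
    return is_string($hash) && password_verify($entered, $hash);
}

echo migrate_passwords($db), " rows updated\n";
var_dump(check_login($db, 'bob', "o'brien"));
var_dump(check_login($db, 'bob', 'wrong'));
var_dump(check_login($db, 'nobody', 'x'));
echo migrate_passwords($db), " rows updated on re-run\n";
```

Because the query only selects rows where `password` is still NULL, the script can be re-run safely after a partial or test run.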
Just use an update query. There's nothing complicated about what you want; do not use insert. update table set md5_column = '(select string_column from table)' .... etc... etc...