PHP - Password Encryption
Hy 2 all,
I have some questions about password security that I haven't been able to find an answer yet. Hopefully you guys know. Here it goes: 1. Is it better to hash(sha2) the password and then salt it or salt it and than hash it ? 2. I'm guessing that using a random salt is better than the same salt used for every password. 3. How can you generate a different random salt for each password ? I mean how will the login page know which random salt to mix with the hashed user inserted password and then to compare it with the password stored in the db. (an example would be great(for both: generating and authentication) 4. I saw some codes in which the salt and/or hash and/or password was split into two (ex: hash.salt1a.password.salt1b or password1a.salt.password1b or salt.hash1a.password.hash1b etc.) Is this a good idea ? Is it really more secure ? If so which would be more secure (splitting the password, the hash or the salt) ? 5. Is double hashing (ex: (sha1(md5($password))) any good ? 6. I've been reading something about password salt and pepper ?? What exactly is pepper ? Is it some sort of second salt ? If somebody could enlighten me about these questions, that would be great. Thanks in advance! Similar TutorialsI am reworking some code from a password authentication I did a long long time ago. The original code is using SHA1() function to encrypt the passwords for storage in the MySQL database. Is that still considered the way to go, or should I be using a different method for encrypting the little buggers? Thanks I'm sorry if this seems like a stupid question, but I'm having trouble with this encryption and I'm a real noob at PHP. This is for a registration form going into a mysql DB for integration with a gaming server that must use a Whirlpool Salt Hash encryption. These are the variables for my form: userPassword userName userEmail This was my original encryption script (MD5) Code: [Select] $_POST['userPassword'] = md5($_POST['userPassword']); This is the function that I am given to integrate into my website system: Code: [Select] function encryptPassword($password) { $salt = substr(hash('whirlpool', uniqid(rand(), true)), 0, 12); $hash = hash('whirlpool', $salt . $password); $saltPos = (strlen($password) >= strlen($hash) ? strlen($hash) : strlen($password)); return substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos); } I've tried inserting the variable $_POST['userPassword'] in place for $password, but it gives me errors... I'm stuck here, could someone show me how to properly integrate this? I think the problem isn't getting the password into the function but catching the returned variable Sorry for my noobishnness, -Nolam EDIT: I'm also given this for the login page to check the hash. If you could help me with this it would be greatly appreciated to. Thanks!!! Code: [Select] function checkPassword($realPass, $checkPass) { //check for old encryption (md5 or whirlpool) if (strlen($realPass) == 32 || strlen($realPass) == 128) { $hash = (strlen($realPass) == 32 ? md5($checkPass) : hash('whirlpool', $checkPass)); if ($realPass == $hash) { // change password to new encryption? return true; } else return false; } // xAuth 2 encryption $saltPos = (strlen($checkPass) >= strlen($realPass) ? strlen($realPass) : strlen($checkPass)); // extract salt $salt = substr($realPass, $saltPos, 12); $hash = hash('whirlpool', $salt . $checkPass); return substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos) == $realPass; } (Main Objective) I need this login class to encrypt the password before it sends it to the database for login verification. (Alternative Solution) Force a login with just the username and captcha no password.. This is the original working script.. <? session_start(); include "config.php"; global $c; include "data.php"; global $config; require('funciones.php'); if ($_POST['username']) { session_start(); if($_POST['code']!=$_SESSION['string']){ header("Location: login.php?error=1"); } //Comprobacion del envio del nombre de usuario y password $username=uc($_POST['username']); $password=uc($_POST['password']); if ($password==NULL) { header("Location: login.php?error=2"); }else{ $query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error()); if(mysql_num_rows($query) == 0) { header("Location: login.php?error=3"); } else { $data = mysql_fetch_array($query); if($data['password'] != $password) { header("Location: login.php?error=4"); }else{ $query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error()); $row = mysql_fetch_array($query); $nicke=$row['username']; $passe=$row['password']; //90 day cookie setcookie("usNick",$nicke,time()+7776000); setcookie("usPass",$passe,time()+7776000); $lastlogdate=time(); $lastip = getRealIP(); $querybt = "UPDATE tb_users SET lastlogdate='$lastlogdate', lastiplog='$lastip' WHERE username='$nicke'"; mysql_query($querybt) or die(mysql_error()); header("Location: members.php"); // echo "Has sido logueado correctamente ".$_SESSION['s_username']." y puedes acceder al index.php."; // echo "<script>location.href='index.php';</script>"; ?> <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=members.php"> <? } } } } ?> <div class="heading">Login</div><br /> <? if($_GET['error'] == 1) { print "<b>Error</b> - Wrong Captcha Code<br /><br/>"; } if($_GET['error'] == 2) { print "<b>Error</b> - Please supply a password<br /><br/>"; } if($_GET['error'] == 3) { print "<b>Error</b> - Invalid Username<br><br>"; } if($_GET['error'] == 4) { print "<b>Error</b> - Invalid Password<br /><br />"; } ?> <form action="login.php" method="post"> <table> <tr> <td class="midtext">Username:</td> <td> <input type="text" name="username" size="25" class="form" autocomplete="off"></td> </tr> <tr> <td class="midtext">Password:</td> <td> <input type="password" name="password" size="25" class="form" autocomplete="off"></td> </tr> <tr> <td class="midtext" valign="top">Security Code:</td> <td class="midtext"> <img src="image.php" onclick="this.src='image.php?newtime=' + (new Date()).getTime();">(Click to reload)<br /> <input type="text" name="code" size="17" maxlength="17" autocomplete="off" class="form"></td> </tr> <tr> <td></td> <td align="right"> <input type="submit" value="Login" name="loginsubmit" class="form"></td> </tr> </table> </form> Let me know if you need any files... hi im testing out my site and basically when users register their passwords and encrypted for security obs however when i go to test the login with the exact same password as the one used to register the system detects it as invalid when its not, I've literally copy pasted the password so that i was sure it was the same therefore the issue is within the encryption does anyone have an idea how to overcome this I've tested changed names of variables but nothing seems to help I've even got an error reporting function but no error is detected
<?php error_reporting(E_ALL); include_once("conninfo2.php"); if(isset($_POST['username']) && trim($_POST['username']) != ""){ $username = strip_tags($_POST['username']); $password = $_POST['password']; $hmac = hash_hmac('sha512', $password, file_get_contents('textfiles/key.txt')); $stmt1 = $db->prepare("SELECT usersid, password FROM login WHERE username=:username AND activated='1' LIMIT 1"); $stmt1->bindValue(':username',$username,PDO::PARAM_STR); try{ $stmt1->execute(); $count = $stmt1->rowCount(); if($count > 0){ while($row = $stmt1->fetch(PDO::FETCH_ASSOC)){ $uid = $row['usersid']; $hash = $row['password']; } if (crypt($hmac, $hash) === $hash) { $db->query("UPDATE login SET lastlog=now() WHERE usersid='$uid' LIMIT 1"); $_SESSION['uid'] = $uid; $_SESSION['username'] = $username; $_SESSION['password'] = $hash; setcookie("usersid", $uid, strtotime( '+30 days' ), "/", "", "", TRUE); setcookie("username", $username, strtotime( '+30 days' ), "/", "", "", TRUE); setcookie("password", $hash, strtotime( '+30 days' ), "/", "", "", TRUE); echo 'Valid password<br />'.$_SESSION['uid'].'<br />'.$_SESSION['username'].'<br />'.$_SESSION['password'].' <br />'.$_COOKIE['usersid']; /*header("location: index.php");*/ exit(); } else { echo 'Invalid password Press back and try again<br />'; exit(); } } else{ echo "A user with that email address does not exist here"; $db = null; exit(); } } catch(PDOException $e){ echo $e->getMessage(); $db = null; exit(); } } ?> Hello Everyone, I have built a simple registration form shown below and Iam trying to get the users to have their passwords encrypted and then entered into my database. I am attempting to use md5 encryption. I have also attached the database connection script. My goal is when I check my database, I want to see the following: ( id, name, username, encrypted password ) The issue I have is that the form does not process completely. All I get this error (Error: Unknown column 'd8578edf8458ce06fbc5bb76a58c5ca4' in 'field list' ). Could some tell me or show me " What is it that needs to be corrected either in my Code or SQL insert and /or my Variables" to make this work correctly. I know that its probably a very, very simple fix... Im just stuck at this point. I really appreciate your help. thanks, mrjap1 Code: [Select] <?php error_reporting(0); if($_POST['submit']) { //Begining of full IF Statment $name = $_POST['name']; $username = $_POST['username']; $password = $_POST['password']; $confirm_password = $_POST['confirm_password']; // Encrypt Pasword $enc_password = md5($password); //$enc_password2 = md5($confirm_password); // Confirm All feild were filled out when submit button was pressed if($name && $username && $password && $confirm_password) { // Confirm that the NAME that you used is NOT greater than 30 characters if(strlen($name)>24) { echo "<h2><center>YOUR NAME IS TOO LONG!!!!</center></h2><br>"; } // Confirm that the USERNAME that you used is NOT greater than 10 characters if(strlen($username)>10) { echo "<h2><center>YOUR USERNAME IS TOO LONG!!!!</center></h2><br>"; } else { // Confirm that the PASSWORD that you used MATCH & Between 6 and 15 characters if(strlen($password)>10 || strlen($password)<6) { echo "<h2><center>YOUR PASSWORD MUST BE BETWEEN 6 and 15 CHARACTERS!!!!</center></h2><br>"; } if($password == $confirm_password) { // Database Connection required require "db_conncect.php"; // We Now connect to the Dabase and insert the Form input details //------- ### ENTERING ALL INFORMATION INTO THE DATABASE BELOW ### --------// // 1. Create a database connection $con = mysql_connect("localhost","root",""); // <-- THIS IS WHERE YOU " CAN CHANGE " THE USERNAME IS "root", PASSWORD IS "" ONLY. if (!$con) { die('Database connection failed could not connect: ' . mysql_error()); } // 2. Select a database to use $db_select = mysql_select_db("registernow_2012",$con); // <-- THE "registernow_2012" IS THE NAME OF THE DATABASE. if (!$db_select) { die('Database selection failed could not connect: ' . mysql_error()); } mysql_select_db("registernow_2012", $con); // <-- THE "registernow_2012" IS THE NAME OF THE DATABASE TO BE CONNECTED. // <-- THE `registernow_2012` IS THE NAME OF THE DATABASE TO BE CONNECTED.... `visitors` IS THE TABLE WITH ALL THE FIELDS WITHI IN THE DATABASE. $sql="INSERT INTO `registernow_2012`.`users` ( `id` , `name` , `username` , `$enc_password` , `confirm_password` ) VALUES ( NULL , '$_POST[name]', '$_POST[username]', '[$enc_password]', '$_POST[confirm_password]' )"; if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); } // 3. Close Connection mysql_close($con); header("Location: index.php"); // <-- THIS IS WHERE YOU CAN CHANGE THE "Location: Thank you / Index page" of the THANK YOU PAGE. } else { echo "<h2><center>PASSWORDS MUST MATCH!!!!!</center></h2><br>"; } } //echo "<h2><center>WORKING!!!!</center></h2>"; } else echo "<h2><center>ALL FEILDS MUST BE COMPLETED</center></h2>"; } //Ending of full IF Statment ?> <!DOCTYPE html> <html lang='en'> <head> <title>THE FORM MY WAY NOW</title> </head> <div id='centerstage'> <form name="myform" action="workingitoutproperly.php" method="POST"> <p> <label>Name</label><br> <input type='text' name='name' value=''><br> <label>UserName</label><br> <input type='text' name='username' value=''><br> <label>Password</label><br> <input type='password' name='password' value=''><br> <label>Re-Enter Password</label><br> <input type='password' name='confirm_password' value=''><br> <br> <input type='submit' name='submit' value='REGISTER NOW!!'> </p> </form> </div> </html> I don't know if my password encrytion has been done correctly / is actually secure. I don't have anything valuable at the moment that people would care to hack, but in the future I want to be absolutely certain I am doing it right.
This is my process, I am storing it as Varchar(255), did a cost test and 9 was my result
$hash = password_hash($passsword, PASSWORD_BCRYPT, array("cost"=>9));I was told I don't need a salt since it is included in the password_hash function Also I noticed most of the hashes if not all start like this, why is that? $2y$09$Thanks for any help Edited by moose-en-a-gant, 08 January 2015 - 01:51 PM. Hello PhP Freaks forum In the past weeks ive been trying to make a website, where you can register. Everything seems to work except my cherished Change password feature. Everytime you try to change the password, it just resets it to nothing. Here is the code below. <?php if(isset($_SESSION['username'])) { $username = $_SESSION['username']; $lastname = $_SESSION['lastname']; $firstname = $_SESSION['firstname']; $email = $_SESSION['email']; echo " <h4>Options for:</h4> $username <br /> <br /> First name: $firstname <br />Last name: $lastname <br /><br /><h3>Want to change your password:</h3><br /> <form action='?do=option' method='post'> Old password <input type='password' placeholder='Has to be between 5-15 digits' name='password' size='30' value='' /><br /> <br /> New Password<input type='password' placeholder='Has to be between 5-15 digits' name='newpass' size='30' value='' /><br /> <br /> Confirm new password <input type='password' placeholder='Has to be between 5-15 digits' name='passconf' size='30' value='' /><br /> <center></div><input type='submit' value='Submit'/></center></form>"; }else{ echo 'Please login to view your options!'; } $password = $_REQUEST['password']; $pass_conf = $_REQUEST['newpass']; $email = $_REQUEST['passconf']; $connect = mysql_connect("Host", "User", "Password"); if(!$connect){ die(mysql_error()); } //Selecting database $select_db = mysql_select_db("My Database", $connect); if(!$select_db){ die(mysql_error()); } //Find if entered data is correct $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"); $row = mysql_fetch_array($result); $id = $row['id']; mysql_query("UPDATE users SET password='$newpass' WHERE username='$user'") ?> And i do know that i dont have a if(Empty($newpass)){ Die(Please fill out the new password) } Or any security on the others, but the problem just seems that it resets the password into nothing Hope i can get this fixed Best Regards William Pfaffe <?php
require_once('upper.php'); require_once('database.php'); echo $error_msg=''; if(isset($_POST['submit'])) { $LoginId=mysqli_real_escape_string($dbc,trim($_POST['LoginId'])); $Password1=mysqli_real_escape_string($dbc,trim($_POST['Password1'])); $Password2=mysqli_real_escape_string($dbc,trim($_POST['Password2'])); $Name=mysqli_real_escape_string($dbc,trim($_POST['Name'])); $Age=mysqli_real_escape_string($dbc,trim($_POST['Age'])); $BloodGroup=mysqli_real_escape_string($dbc,trim($_POST['BloodGroup'])); if(!isset($_POST['Sex'])) { echo 'Please enter Sex<br>'; } else{ $Sex= mysqli_real_escape_string($dbc,trim($_POST['Sex'])); } $Qualification=mysqli_real_escape_string($dbc,trim($_POST['Qualification'])); $ContactNumber=mysqli_real_escape_string($dbc,trim($_POST['ContactNumber'])); $Email=mysqli_real_escape_string($dbc,trim($_POST['Email'])); $Address=mysqli_real_escape_string($dbc,trim($_POST['Address'])); $AboutYourself=mysqli_real_escape_string($dbc,trim($_POST['AboutYourself'])); //$countCheck=count($_POST['checkbox']); //echo $countCheck; //$checkbox=$_POST['checkbox']; //$countCheck=count($checkbox); if(empty($LoginId)){echo 'Please enter Login Id';} elseif(empty($Password1)){echo 'Please enter Password';} elseif(empty($Password2)){echo 'Please confirm Password';} elseif($Password1!==$Password2){echo 'Password didn\'t match';} elseif(empty($Name)){echo 'Please enter Name';} elseif(empty($Age)){echo 'Please enter Age';} elseif(!isset($_POST['Sex'])){} elseif(empty($Qualification)){echo 'Please enter Qualification';} elseif(empty($ContactNumber)){echo 'Please enter Contact Number';} elseif(empty($Email)){echo 'Please enter Email';} elseif(empty($Address)){echo 'Please enter Address';} elseif(empty($AboutYourself)){echo 'Please enter About Yourself';} elseif(!isset($_POST['checkbox'])){ echo 'You have to register at least one activity.';} elseif(!isset($_POST['TermsAndConditions'])){ echo 'You have to agree all Terms and Conditions of Elite Brigade.';} else { require_once('database.php'); $query="select * from registration where LoginId='$LoginId'"; $result=mysqli_query($dbc,$query); if(mysqli_num_rows($result)==0) { $checkbox=$_POST['checkbox']; $countCheck=count($_POST['checkbox']); $reg_id=' '; for($i=0;$i<$countCheck;$i++) { $reg_id=$reg_id.$checkbox[$i].','; $query="insert into activity_participation (LoginId,Title,Date) values ('$LoginId','$checkbox[$i]',CURDATE())"; $result=mysqli_query($dbc,$query) or die("Not Connected"); } $query="insert into registration (LoginId,Password,Name,Age,BloodGroup,Sex,Qualification,ContactNumber,Email,Address,AboutYourself,Activity)values ('$LoginId'[B],SHA('$Password1'),[/B]'$Name','$Age','$BloodGroup','$Sex','$Qualification','$ContactNumber','$Email','$Address','$AboutYourself',',$reg_id')"; $result=mysqli_query($dbc,$query) or die("Not Connect"); echo ' Dear '.$Name.'.<br>Your request has been mailed to admin.<br>Your account is waiting for approval<br>'; $from= 'Elite Brigade'; $to='ankitp@rsquareonline.com'; $subject='New User Registration'; $message="Dear admin,\n\nA new user request for registration. Please check it out.\n\nRegards\nMicro"; mail($to,$subject,$message,'From:'.$from); //header('Location: index.php'); // header('Location: Registration.php'); } else { echo 'Dear '.$Name. ', <br> An account already exist with login-id<b> '.$LoginId.'</b> <br>Please try another login-id'; }} } ?> <html> <head> <script src="jquery-latest.js"></script> <script type="text/javascript" src="jquery-validate.js"></script> <style type="text/css"> * { font-family: Verdana; } label.error { color: white; padding-left: .5em; } p { clear: both; } .submit { margin-left: 12em; } em { font-weight: bold; padding-right: 1em; vertical-align: top; } </style> <script> $(document).ready(function(){ $("#commentForm").validate(); }); </script> </head> <body> <?php echo $error_msg; ?> <form action='<?php echo $_SERVER['PHP_SELF'];?>' id="commentForm" method='post'> <div class="registration_and_activity"> <table border="0" width="380"> <tr><td colspan="2"> <h3>New User?</h3></td></tr> <tr><td width="120"> <em>*</em>Enter Login id</td><td width="150"><input type='text' name='LoginId' minlength="4" value='<?php if(!empty($LoginId))echo $LoginId;?>' /></td></tr> <tr><td> <em>*</em>Enter Password</td> <td><head> <div id="divMayus" style="visibility:hidden">Caps Lock is on.</div> <SCRIPT language=Javascript> function capLock(e){ kc = e.keyCode?e.keyCode:e.which; sk = e.shiftKey?e.shiftKey:((kc == 16)?true:false); if(((kc >= 65 && kc <= 90) && !sk)||((kc >= 97 && kc <= 122) && sk)) document.getElementById('divMayus').style.visibility = 'visible'; else document.getElementById('divMayus').style.visibility = 'hidden'; } </SCRIPT> </HEAD> <input onkeypress='return capLock(event)' type='password' name='Password1' value='<?php if(!empty($Password1))echo $Password1;?>' /></td></tr> <tr><td> <em>*</em>Confirm Password</td><td><input type='password' name='Password2' value='<?php if(!empty($Password2))echo $Password2;?>' /></td></tr> <tr><td width="120"> <em>*</em>Enter Name</td> <td><input type='text' name='Name' value='<?php if(!empty($Name))echo $Name;?>' /></td></tr> <tr><td> <em>*</em>Enter Age</td><HEAD> <SCRIPT language=Javascript> function isNumberKey(evt) { var charCode = (evt.which) ? evt.which : event.keyCode if (charCode > 31 && (charCode < 48 || charCode > 57)) return false; return true; } </SCRIPT> </HEAD> <td><INPUT onkeypress='return isNumberKey(event)' type='text' name='Age' value='<?php if(!empty($Age))echo $Age;?>'/></td></tr> <tr><td> <em>*</em>Enter Blood</td><td><input type='text' name='BloodGroup' value='<?php if(!empty($BloodGroup))echo $BloodGroup;?>' /></td></tr> <tr><td> <em>*</em>Enter Sex</td><td><input type='radio' name='Sex' style='width:16px; border:0;' 'value='Male' />Male <input type='radio' name='Sex' style='width:16px; border:0;' 'value='Female' />Female</td></tr> <tr><td> <em>*</em>Enter Qualification</td><td><input type='text' name='Qualification' value='<?php if(!empty($Qualification))echo $Qualification;?>' /></td></tr> <tr><td> <em>*</em>Contact Number </td><td><input onkeypress='return isNumberKey(event)'type='text' name='ContactNumber' value='<?php if(!empty($ContactNumber))echo $ContactNumber;?>' /></td></tr> <tr><td> <em>*</em>Enter Email</td><td><input type='text' name='Email'class="email" value='<?php if(!empty($Email))echo $Email;?>' /></td></tr> <tr><td> <em>*</em>Enter Address</td><td><input type='text' name='Address' value='<?php if(!empty($Address))echo $Address;?>' /></td></tr> <tr ><td > <em>*</em>About Yourself </td></tr> <tr><td colspan="2"><textarea rows='10' cols='40' name='AboutYourself' /><?php if(!empty($Address))echo $Address;?></textarea></td></tr> <tr><td> <?php echo" <tr><td colspan='2'><em>*</em><b>Select fields for which you want to register</b></td></tr>"; require_once('database.php'); $query="select * from activity"; $result=mysqli_query($dbc,$query); while($row=mysqli_fetch_array($result)){ $Title=$row['Title']; $ActivityId=$row['ActivityId']; echo "<tr><td>$Title</td>"; echo "<td><input type='checkbox' name='checkbox[]' value='$Title' style='width:14px; text-align:right;'/></td></tr>";//value=$ActivityId tells ActivityId variable extracts with name="checkbox" echo "<br/>"; } echo "<td><em>*</em><input type='checkbox' name='TermsAndConditions' style='width:14px; text-align:right;'/></td><td> I agree all <a href='TermsAndConditions.php'>Terms and conditions </a>of Elite Brigade</td></tr>"; echo "<tr><td colspan='2' align='center'><input type='submit' value='Register' name='submit' style='background:url(./images/button_img2.png) no-repeat 10px 0px; width:100px; padding:3px 0 10px 0; color:#FEFBC4; border:0;'/></td></tr><br>"; echo " </td></tr></table> </div> </form> </body> </html>"; require_once('lower.php'); ?> Hi Friends .... I encrypt user password by SHA('$Password') method but now i want to add "Forget Password Module" for which I need to decrypt it first before tell my user but I don't Know how to decrypt it. Please help me........ This topic has been moved to Application Design. http://www.phpfreaks.com/forums/index.php?topic=353345.0 Hi Guys
I am fairly new to php, I am trying to build a registration form but I am struggling with encrypting the password (I will also be salting the password at a later stage to make it more secure).
The below line of code encrypts the password but saves the values as the values states in the code e.g password saves as 'pass'
$q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES ('first_name','last_name','email', SHA1('pass'), NOW())";
The below code saves all the values that the user inputs xcept the password which is blank and the message 'Undefined index: SHA1('pass')' is returned
$q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES ('".$_POST["first_name"]."','".$_POST["last_name"]."','".$_POST["email"]."','".$_POST["SHA1('pass')"]."', NOW())";
I am hoping someone may be able to help me as I have no idea how to fix this. Thank you in advance
I seen the sticky but that didn't have my answer and no place I go is really answering my core question. This just doesn't make sense in my brain, how is using md5 safe. What if someone got say an encrypted pass. The code md5 uses is available to anyone, no? So if they got a hold of it how is it not as easily cracked as it is encrypted. Someone please explain this to me lol, it's like a thorn in my brain. Hi Guys,
First off, not sure if this is the correct area to post. My question is a little bit mixed, including SQL and PHP.
I'm building a basic private messaging system, and planned to use PHP, SQL for the storage, and a little bit of JS on the client. I'm a little confused when it comes to encryption though. My understanding with user password encryption is that the password is stored in the database as a hash, and then a user sent password is compared to the original hash for verification. I've implemented this successfully using password_verify() and password_hash() functions, and I'm pretty sure it's working fine.
However, my big question is in regards to the storage of message data. As far as I can tell, this system won't work, it's really only suitable for password verification because the hash can't really be reverted to the original data, it can only be compared? How should I go about encrypting message data? Is it possible? If I open up a SQL database containing private message data on a server, I don't want to be able to read the contents.
Any help would be greatly appreciated!
Hi guys, i'm new to this forum, and a junior php guy.
i need to encrypt a google address like this:
https://redirector.g...=web&cver=html5
i use picasa for my client to store car video etc to show and i want embed in iframe with a jwplayer that i'm customizing.
i see some sample that transform a address like this https://redirector.g...=web&cver=html5 in something like this --> http:\/\/r20---googlevideo.com\/picasa\/redirect.php?encrypt=0f10fd0fd0f90c30b80b80fb0ee0ed0f20fb0ee0ec0fd0f80fb0b70f00f80f80f00f50ee0ff0f20ed0ee0f80b70ec0f80f60b80ff0f20ed0ee0f80f90f50ea1020eb0ea0ec0f40c80f20ed0c60bc0bc0bc0be0c00bb0c00c00c10ed0bf0ed0ee0b90bb0bb0af0f20fd0ea0f00c60bb0bb0af0fc0f80fe0fb0ec0ee0c60f90f20ec0ea0fc0ea0af0ec0f60f80c60fc0ee0f70fc0f20fd0f20ff0ee0e80ec0f80f70fd0ee0f70fd0ae0bc0cd1020ee0fc0af0f20f90c60b90b70b90b70b90b70b90af0f20...etc etc...
i see that there is a redirect.php?encrypt=....... how i can do that?
Thanks in advance 'cause frankly speaking i don't know also what i must search on google.
I am looking for a way to encrypt a string using PKCS7. I have seen openssl_pkcs7_encrypt() but this involves the creation of temporary files which I don't really need. Is there a way to do this? Dear All respective friend, I'm asking for help. during I know how to code in php. I alway use md5() but I had some problem with abit. can anyone introduce me with persona code encryption without using md5()? Your ideal are very important to me especially small example code. Looking forward from you soon. Kindly Regards, Steve. I would like to add md5 encryption into the create and login functions but I'm having difficulties with the process. user.php - create user and login functions Code: [Select] <?php function create_user($params) { db_connect_posts(); $query = sprintf("INSERT INTO users SET users.screen_name = '%s', users.user_email = '%s', users.user_pwd = '%s', users.image = '%s', created_at = NOW()" , mysql_real_escape_string($params['screen_name']), mysql_real_escape_string($params['user_email']), mysql_real_escape_string($params['user_pwd']), mysql_real_escape_string($params['image']) ); $result = mysql_query($query); if(!$result) { return false; } else { return true; } } function login($username, $password) { db_connect_posts(); $query = sprintf("SELECT * FROM users WHERE user_email = '%s' AND user_pwd = '%s'" , mysql_real_escape_string($username), mysql_real_escape_string($password) ); $result = mysql_query($query); $number_of_posts = mysql_num_rows($result); if($number_of_posts == 0) { return false; } $row = mysql_fetch_array($result); $_SESSION['user'] = $row; return true; } ?> Register form: Code: [Select] <form action="<?php echo '/'.APP_ROOT.'/'; ?>sessions/signup" method="post"> <fieldset> <legend>Register</legend> <div> <label>Screen Name</label> <input name="user[screen_name]" size="40" type="text" /> </div> <div> <label>E-mail</label> <input name="user[user_email]" size="40" type="text" /> </div> <div> <label>Password</label> <input name="user[user_pwd]" size="40" type="password" /> </div> <div> <label>Image</label> <input name="user[image]" size="40" type="text" /> </div> <input type="submit" name="Register" value="Register" /> </fieldset> </form> Login form: Code: [Select] <form action="<?php echo '/'.APP_ROOT.'/'; ?>sessions/login_user" method="post"> <fieldset> <legend>Login</legend> <div> <label>E-mail</label> <input name="user[user_email]" size="40" type="text" /> </div> <div> <label>Password</label> <input name="user[user_pwd]" size="40" type="password" /> </div> <input type="submit" value="Login" /> </fieldset> </form> Hey, I'm a bit stuck. I'm looking for a simple yet secure way to encrypt a string (not hash, I need to retrieve it later) so that I can store legally sensitive data which I need to use again later. I am aware that any kind of reversable data is by nature not properly secure, but it's not my decision. I'd rather see if there's a pre-built function or class for this rather than just writing my own, which wouldn't be too good Thanks in Advance Gareth Is there any tutorial or book where i can learn about how to do the encryption?? thanks in advance I am trying to decrypt a code encrypted with XTEA. I have been using a script found here, http://goo.gl/xCpgs and it works within its own encrypt/decrypt example. The problem is that it will not decrypt a code given to me by my client. In the code examples description it says the "key" is 16 characters, but the key I have from my client is 32 characters so I think this may be part of the problem, but I cannot find out in the code how to make it work with a 32 char key (if that is even the issue). Below is the class from the link above and below that are sample encrypt and decrypt strings. If anyone can provide help or a better solution, it is greatly appreciated. My guess is that it is only allowing 16 of my 32 char key. I tried to use a 32 char key, but the code still seemed to only want 16. Help! I also read something about XTEA only working within the same code language each side of the crypt was made. Can anyone validate this? Code: [Select] <?php /* PHP Implementation of XTEA (www.php-einfach.de) * * XTEA was designed in 1997 by David Wheeler and Roger Needham * of the Cambridge Computer Laboratory. * It is not subject to any patents. * * It is a 64-bit Feistel cipher, consisting of 64 rounds. * XTA has a key length of 128 bits. * * * *********************** * Diese Implementierung darf frei verwendet werden, der Autor uebernimmt keine * Haftung fuer die Richtigkeit, Fehlerfreiheit oder die Funktionsfaehigkeit dieses Scripts. * Benutzung auf eigene Gefahr. * * Ueber einen Link auf www.php-einfach.de wuerden wir uns freuen. * * ************************ * Usage: * * include("xtea.class.php"); * * $xtea = new XTEA("secret Key"); * $cipher = $xtea->Encrypt("Hello World"); //Encrypts 'Hello World' * $plain = $xtea->Decrypt($cipher); //Decrypts the cipher text * * echo $plain; * */ class XTEA { //Private var $key; // CBC or ECB Mode // normaly, CBC Mode would be the right choice var $cbc = 1; function XTEA($key) { $this->key_setup($key); } //encrypt function encrypt($text) { $n = strlen($text); if($n%8 != 0) $lng = ($n+(8-($n%8))); else $lng = 0; $text = str_pad($text, $lng, ' '); $text = $this->_str2long($text); //Initialization vector: IV if($this->cbc == 1) { $cipher[0][0] = time(); $cipher[0][1] = (double)microtime()*1000000; } $a = 1; for($i = 0; $i<count($text); $i+=2) { if($this->cbc == 1) { //$text with last ciphertext XOR //$text is XORed with the previous ciphertext $text[$i] ^= $cipher[$a-1][0]; $text[$i+1] ^= $cipher[$a-1][1]; } $cipher[] = $this->block_encrypt($text[$i],$text[$i+1]); $a++; } $output = ""; for($i = 0; $i<count($cipher); $i++) { $output .= $this->_long2str($cipher[$i][0]); $output .= $this->_long2str($cipher[$i][1]); } return base64_encode($output); } //decipher function decrypt($text) { $plain = array(); $cipher = $this->_str2long(base64_decode($text)); if($this->cbc == 1) $i = 2; //Message start at second block else $i = 0; //Message start at first block for($i; $i<count($cipher); $i+=2) { $return = $this->block_decrypt($cipher[$i],$cipher[$i+1]); //Xor Linkage of $return and ciphertext from the last two blocks or sections //XORed $return with the previous ciphertext if($this->cbc == 1) $plain[] = array($return[0]^$cipher[$i-2],$return[1]^$cipher[$i-1]); else //EBC Mode $plain[] = $return; } for($i = 0; $i<count($plain); $i++) { $output .= $this->_long2str($plain[$i][0]); $output .= $this->_long2str($plain[$i][1]); } return $output; } //Prepare the key to decrypt ver / front function key_setup($key) { if(is_array($key)) $this->key = $key; else if(isset($key) && !empty($key)) $this->key = $this->_str2long(str_pad($key, 16, $key)); else $this->key = array(0,0,0,0); } //Performs a benchmark function benchmark($length=1000) { //1000 Byte String $string = str_pad("", $length, "text"); //Key-Setup $start1 = time() + (double)microtime(); $xtea = new XTEA("key"); $end1 = time() + (double)microtime(); //Encryption $start2 = time() + (double)microtime(); $xtea->Encrypt($string); $end2 = time() + (double)microtime(); echo "Encrypting ".$length." bytes: ".round($end2-$start2,2)." seconds (".round($length/($end2-$start2),2)." bytes/second)<br>"; } //verify the correct implementation of the blowfish algorithm function check_implementation() { $xtea = new XTEA(""); $vectors = array( array(array(0x00000000,0x00000000,0x00000000,0x00000000), array(0x41414141,0x41414141), array(0xed23375a,0x821a8c2d)), array(array(0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f), array(0x41424344,0x45464748), array(0x497df3d0,0x72612cb5)), ); //Correct implementation? $correct = true; //Test vectors, see http://www.schneier.com/code/vectors.txt foreach($vectors AS $vector) { $key = $vector[0]; $plain = $vector[1]; $cipher = $vector[2]; $xtea->key_setup($key); $return = $xtea->block_encrypt($vector[1][0],$vector[1][1]); if((int)$return[0] != (int)$cipher[0] || (int)$return[1] != (int)$cipher[1]) $correct = false; } return $correct; } /*********************************** Some internal functions ***********************************/ function block_encrypt($y, $z) { $sum=0; $delta=0x9e3779b9; /* start cycle */ for ($i=0; $i<32; $i++) { $y = $this->_add($y, $this->_add($z << 4 ^ $this->_rshift($z, 5), $z) ^ $this-> _add($sum, $this->key[$sum & 3])); $sum = $this->_add($sum, $delta); $z = $this->_add($z, $this->_add($y << 4 ^ $this->_rshift($y, 5), $y) ^ $this->_add($sum, $this->key[$this->_rshift($sum, 11) & 3])); } /* end cycle */ $v[0]=$y; $v[1]=$z; return array($y,$z); } function block_decrypt($y, $z) { $delta=0x9e3779b9; $sum=0xC6EF3720; $n=32; /* start cycle */ for ($i=0; $i<32; $i++) { $z = $this->_add($z, -($this->_add($y << 4 ^ $this->_rshift($y, 5), $y) ^ $this->_add($sum, $this->key[$this->_rshift($sum, 11) & 3]))); $sum = $this->_add($sum, -$delta); $y = $this->_add($y, -($this->_add($z << 4 ^ $this->_rshift($z, 5), $z) ^ $this->_add($sum, $this->key[$sum & 3]))); } /* end cycle */ return array($y,$z); } function _rshift($integer, $n) { // convert to 32 bits if (0xffffffff < $integer || -0xffffffff > $integer) { $integer = fmod($integer, 0xffffffff + 1); } // convert to unsigned integer if (0x7fffffff < $integer) { $integer -= 0xffffffff + 1.0; } elseif (-0x80000000 > $integer) { $integer += 0xffffffff + 1.0; } // do right shift if (0 > $integer) { $integer &= 0x7fffffff; // remove sign bit before shift $integer >>= $n; // right shift $integer |= 1 << (31 - $n); // set shifted sign bit } else { $integer >>= $n; // use normal right shift } return $integer; } function _add($i1, $i2) { $result = 0.0; foreach (func_get_args() as $value) { // remove sign if necessary if (0.0 > $value) { $value -= 1.0 + 0xffffffff; } $result += $value; } // convert to 32 bits if (0xffffffff < $result || -0xffffffff > $result) { $result = fmod($result, 0xffffffff + 1); } // convert to signed integer if (0x7fffffff < $result) { $result -= 0xffffffff + 1.0; } elseif (-0x80000000 > $result) { $result += 0xffffffff + 1.0; } return $result; } //Einen Text in Longzahlen umwandeln //Covert a string into longinteger function _str2long($data) { $n = strlen($data); $tmp = unpack('N*', $data); $data_long = array(); $j = 0; foreach ($tmp as $value) $data_long[$j++] = $value; return $data_long; } //Longzahlen in Text umwandeln //Convert a longinteger into a string function _long2str($l){ return pack('N', $l); } } ?> |