PHP - Php Wont Encrypt Passwords

Is there an alternative way to encode url params besides:
base64_encode()

examples would be great.

Hi, for my php program running in command line (windows cmd), the user must login first, so my ques is how can they enter the password as *****
when they are typing for example?

all help appreciated.

Hi, I want to send a URL to a user with their name in it: index.php?user=tom

how can I encrypt this name so that I can track what they do but if I was hacked nobody else could determine who the user was?

Thanks

Hi all
I wonder if somebody could give me some guidance on this.

I manage a website programmed in PHP and having MySQL backend. Recently some of my clients raised concerns about the security of their data. It is not credit card information or so, however I would like to sort it out.

I have a button on the web site which the clients click to tell me that their data should now be analysed and a report sent to them. My php program pulls out the records for this particular user and writes them into an excel file on my web space(on a shared hosting). The same php program then attaches this excel file to an email and sent it to me.

I want to make sure that this data in the excel file is securely transmitted during the above process.

Any help would be much appreciated.

Carol

I'll start by apologizing for the stupid decision that led to this question.  A few years ago, I created a PHP/Myysql site with a login system and I created a field in the MySQL called "password" and it stored literally the exact password people entered (I know, I know).   The site has proven to have nice traffic potential, so I am going to re-vamp everything, including storing passwords properly (i.e. hashed).   My first question... Is there a way to convert regular text passwords to hashed passwords?  For example, I could create a new field in the "User" table for "hashedpassword" and write a script that takes all the insecure passwords and turns them into hashed passwords.  Then deleted the previous "bad" password field from the database.  This would allow me to do it without the customer every knowing anything changed.    Quick googling appears to support that it IS doable rather easily, with something like...

UPDATE mytable
SET password = MD5(password)

If not, I guess I would have to create a thing where the first time omeone logged in after I put hashing in place, the site would force them to change their password. I'd rather not annoy the visitors if it all possible.   Second question, what is the proper/recommended hashing method to use?   Some people seem to poo-poo MD5.  If you agree, should I use:   MD5 SHA MD5 with a salt SHA with a salt Something else i never heard of   NOTE:  My site is a fantasy sports site, so the data involved is not overly important.  Maybe a salt is overkill?  Or is being overly safe never a bad thing?   Lastly, don't need to address this, but if anyone can explain it like I'm 5 that would be great because i must be missing something... if you can easily turn a regular password into a hashed password, couldn't hackers easily do the reverse, which would render the hashing almost useless?  I get that salting helps, but before salting (i.e. doing ONLY MD5), I don't see how hashing helped that much (if you could reverese figure out the password).  What am I missing?   Thanks! Greg
Edited by galvin, 13 November 2014 - 09:44 AM.

I'm incorporating a dynamic salt into my user system, but I'm not sure how to store the salt itself. The password is hashed and added to the database, but wouldn't you need to store the salt as plain text in the database in order to verify the login later?

Also, I've read that using both a dynamic and static salt is good practice. If this is the case, is the static salt simply defined within the PHP? Or is there another method to storing it?

Thanks for the help

Hello!

I've got an issue! I'm trying to pass a very very long variable from JS to PHP through $_GET, but it seems too long for get.

Is there any encryption function that works on both JS and PHP, so I can encrypt it in JS, send it though GET and decrypt it in PHP?

Thanks !

Can php encrypt a link so that it's hidden or expires after a download or x number of days? An example of this use would be on music download sites.

Hey guys!
I have a doubt and this is a question that relates Flash and PHP...

I have a flash (swf) file that grabs/sends variables from/to php.
That swf file is FULLY encrypted and the paths to the PHP urls are also encrypted.

Is there any other way a hacker could find out where and which my PHP files are located/named?

Any ideas, suggestions?
Thanks in advance!
Cheers,

Hey All,

I'm tryin to make a log-in system for multiple usernames and passwords, but I don't really know how many if statements i'd need for it.. I'm also a noob..


Code: [Select]
<?php

session_start();
$users = array("user1" =>"3202", "user2" =>"2002", "user3" =>"1061", "user4"=>"1400", "user5"=>"1001");

if($_REQUEST['username'] == "infs" && $_REQUEST['password'] == "3202"){

$_SESSION['username'] = "user1" ;
$_SESSION['password'] = "3202" ;

$_SESSION['username'] = "user2" ;
$_SESSION['password'] = "2002" ;

$_SESSION['username'] = "user5" ;
$_SESSION['password'] = "1001" ;

$_SESSION['username'] = "user3" ;
$_SESSION['password'] = "1061" ;

$_SESSION['username'] = "user4" ;
$_SESSION['password'] = "1400" ;
header("Location: home.php ");
}else{


 After checking if the matching username and password exist in my array then save them in a session...


What's the best way of doing it?

How can I encrypt POST data from a form? Basically, I want to ensure that the data on the form is not in plain text ever. Is this possible?

<form method="post">
<input type="text" name="email" size="40">
<input type="password" name="password"/>
...


Basically, when this posts, I want to do a foreach on $_POST and see something like:
password = 1f3870be274f6c49b3e31a0c6728957f
  and not
password = stringTheUserTyped

I hope what I'm asking for is clear.
(PHP 5.2.14)

Thanks!

Hello everyone... I am developing a software as a service program for use by multiple companies, each would have their own instance of the application... The part that I am not really to clear on, is what would be the most secure, with low latency, PHP method of encrypting/decrypting data to and from the database... all data is sent over SSL... I would also want to use a unique key for each company... Access to the program itself is protected from the outside by a user based log in system...

I am currently recoding a website from ASP to PHP.

The aim is for a customer to add items to a cart, fill in their credit card details.
Then an email is encrypted (on the secure website) and sent to the client.

The client then opens the email on her PC and it is decoded either when she opens the e-mail, or downloads an attachment that can be opened by a program
that requires a password. Once entered the order is revealed, the e-mail is decrypted.

I just wondered if anyone has any link to sites where I can download the de-crypting software to install on the clients machine.

Or any other ideas on sending an encrypting email and decrypting on the recipients computer.

Many thanks.

Hi.

I have made a login script, but I would wan't to encrypt the password.
I followed a tutorial and got this:
login.php
<?php
$password = "secret";

echo $password;
/* displays secret */

$password = sha1($password);

echo $password; 
/* displays e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 */
?>
<form action="validate.php" method="post">
  <label for="username">Username</label>
  <input type="text" name="username" id="username" />
  <br />
  <label for="password">Password</label>
  <input type="password" name="password" id="password" />
  <br />
  <input type="submit" name="submit" value="Submit" />
</form>
<?php
?>

validate.php

<?php
include "setup.php";

/* get the incoming ID and password hash */
$username=$_POST['username'];
$password=$_POST['password']; 
$password=md5($password); // Encrypted Password

/* establish a connection with the database */
$server = mysql_connect("$db_host", "$db_username","$db_password");
if (!$server) die(mysql_error());
mysql_select_db("$database");

  
/* SQL statement to query the database */
$query = "SELECT * FROM users WHERE Username = '$username' AND Password = '$password'";

/* query the database */
$result = mysql_query($query);

/* Allow access if a matching record was found, else deny access. */
if (mysql_fetch_row($result))
  echo "Access Granted: Welcome, $username!";
else
  echo "Access Denied: Invalid Credentials.";

mysql_close($server);  
?>

Its the line $password=md5($password); // Encrypted Password
that messes everything up.
If I delete it and login, everything is fine, if I add it it says Code: [Select]
Access Denied: Invalid Credentials
I need help with this one!
And if someone have time, give me some ideas how to make PHP scripts safer!

Regards
Worqy

I have an ecommerce site on shared hosting enviroment. My ecommerce site stores customer data (name, address, email, phone, and item purchase) in mySQL database.

(No super private data like credit card numbers or social security numbers.)

Using openssl (openssl_cipher, iv, etc.), I've been encrypting this customer data and storing the encrypted data in mySQL.

Today, I'm thinking "what's the point." It's like having a lockbox with the key on the wall above...

My thoughts:
1. The "secret cyphers" are located on my server, so if someone hacks my server, they'll get the secret cyphers anyway.
2. Encrypting the Customer Data will add, at the most, 5 extra minutes, for the hacker to find.
3. Perhaps if mySQL was stored on a different server, encrypting may be useful... but mySQL is on same server.
4. On the flipside, if I did get hacked, at least I could demonstrate I tried my best to encrypt what I could...

What do you all think?

Sorry for my bad english. I am not from around these parts.