
How to make my PHP files call the password from the database properly?

I am currently working on a website. It has a sign up PHP file that sends data to a database. For security measures, I set up a password encryption file that encrypts the password that the user enters, so that it is impossible to find in the database. Unfortunately, when the user tries to connect to the database from the log in PHP file, it denies them access to log in because the code connects to the database passwords, but it doesn't "sanitize" the password from its encryption code, and the password isn't recognized by the server. I will provide my code below:

Signup.php

$p = $_POST['p'];    
$cryptpass = crypt($p);
include_once ("php_includes/randStrGen.php");
$p_hash = randStrGen(20)."$cryptpass".randStrGen(20);

Login.PHP

$p = md5($_POST['p']);

How do I change the Login.PHP line provided above so that it sanitizes the password from its encryption value to the password the user actually knows and entered in the first place?

PS: $p = the password that the user enters

Ok, so once you get the password from the user you will want to encrypt it when inserting into your database. This requires an extra piece of data that is called "salt". Salt is unique and you decide what you want it to be. But you will need it to encrypt and decrypt, so it's important you do not lose it! I keep it in its own file and use an include whenever I need it. The following is PHP:

 $key_salt = 'lettersandnumbers';

Now for the password encrypting. Say you have the username and password in variables like so...

 $user_id = "usersId";
 $password = "usersPassword";

This is the way to put them into the database... Create a variable with the following data:

 // Note: the column list must not end with a trailing comma.
 // mysql_query() belongs to the legacy mysql extension, which was removed in PHP 7.0.
 $insertdata = sprintf("INSERT INTO $table (user_id, password) VALUES ('%s', AES_ENCRYPT('%s', '$key_salt'))", $user_id, $password);
 mysql_query($insertdata);

Notice the AES_ENCRYPT('%s', '$key_salt'). This is what is making the encryption, and see how it uses the $key_salt along with the '%s' (which is the $password).

The combination of these makes it nearly impossible to crack.

This will decrypt the password and put it into a variable then you can do what you want with it after that....

 // Decrypt the stored value with the same key and match it against the submitted password.
 $results = mysql_query("
    SELECT AES_DECRYPT(password, '$key_salt') AS password FROM $table WHERE AES_DECRYPT(password, '$key_salt') = '$password'");
 $row = mysql_fetch_array($results);
 $decryptedpassword = $row['password'];

I'm going to add a second answer here, which is more of a safeguard when it comes to any user input you get that will be inserted into or drawn from a database. When you use MySQL you want to sanitize any user input to prevent database injection, which is the easiest way to break into a database.

Here is a great sanitization script. Start by making a separate PHP file and copy/paste this code into it.

<?php
// Sanitize User Input
function sanitize($data){

    // apply stripslashes if magic_quotes_gpc is enabled
    // (magic quotes were removed in PHP 5.4, so this returns false from then on;
    // the function itself was removed in PHP 8.0)
    if(get_magic_quotes_gpc()){
        $data = stripslashes($data);
    }
    // a mySQL connection is required before using this function
    // (mysql_real_escape_string() belongs to the legacy mysql extension, removed in PHP 7.0)
    $data = mysql_real_escape_string($data);

    return $data;
}
?>

Now include this page on any page that will be interacting with the db:

 <?php require("sanitize.php"); ?>

Note: Before calling the function you must already be connected to your db, i.e. mysql_connect("mysql",$mysqlusername,$mysqlpassword);

From here on out it is very simple. Say you assign a variable from a post like so:

 $password = $_POST["password"];

To sanitize this input you would do this:

 $password = sanitize($password);

This helps prevent MySQL injections by removing certain characters relevant to modifying or revealing database information.

Hope this helps!

Do not concatenate the crypted password with random characters unless you save them also in the database; otherwise you will never be able to compare user input with the saved encrypted password. Just use:

$p_hash = $cryptpass;

and in Login.php do not use md5($_POST['p']); which is a different hashing method, but use also the crypt() function:

// Pass the STORED hash as the salt: crypt() then reproduces the stored value only
// if the submitted password matches (a salt is mandatory since PHP 8.0).
// $stored_hash is assumed here to be the crypt() value read from the database for this user.
$p = crypt($_POST['p'], $stored_hash);
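An added example (not code from the question or from any of the answers) that puts the signup and login halves together: the stored value is a one-way crypt()/bcrypt hash with no random characters added around it, and login re-runs crypt() with that stored hash as the salt. The in-memory $users array stands in for the database, and the function names are made up for this example.

```php
<?php
// Added example: one-way password hashing at signup, verification at login.
// A constructed in-memory array replaces the database so this runs stand-alone.
$users = [];

// Signup: store only a bcrypt hash. password_hash() generates the random
// "$2y$" salt itself, so nothing extra has to be saved alongside it.
function signup(array &$users, string $userId, string $password): void
{
    $users[$userId] = password_hash($password, PASSWORD_BCRYPT);
}

// Login, done the way the answer above describes: crypt() with the stored
// hash as the salt yields the stored hash again only for the right password.
// hash_equals() keeps the comparison constant-time.
function loginWithCrypt(array $users, string $userId, string $password): bool
{
    if (!isset($users[$userId])) {
        return false;
    }
    $stored = $users[$userId];
    return hash_equals($stored, crypt($password, $stored));
}

// The same check through the modern API, which performs the above internally.
function login(array $users, string $userId, string $password): bool
{
    return isset($users[$userId]) && password_verify($password, $users[$userId]);
}

signup($users, 'alice', 'correct horse battery staple');

foreach ([
    ['alice', 'correct horse battery staple'],
    ['alice', 'wrong password'],
    ['bob',   'correct horse battery staple'],
] as [$userId, $attempt]) {
    printf(
        "%-6s crypt(): %-5s password_verify(): %s\n",
        $userId,
        loginWithCrypt($users, $userId, $attempt) ? 'ok' : 'no',
        login($users, $userId, $attempt) ? 'ok' : 'no'
    );
}
```

Both checks agree on every row because password_verify() is built on the same crypt() comparison; the md5() line from the question fails for the same reason the random prefix does, the login side must compute exactly what signup stored.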
