How to decrypt a password from database in php?

Question

I am creating a edit information page, but when i call out the data for password, it is encrypted. Is there a way i could decrypt it?

this is my codes,

 <?php require 'dbfunction.php'; $con = getDbConnect(); if (mysqli_connect_errno($con)) { "Failed to connect to MySQL: " . mysqli_connect_error(); } else { $result = mysqli_query($con, "SELECT * FROM admininfo where name = xyz"); while ($admininfo = mysqli_fetch_array($result)) { ?> <div class="container"> <div class="row"> <center> <h2>Edit Info Administrator</h2> </center> <form> <div class="form-group"> <label class="col-sm-2 control-label">Name</label> <div class="col-md-10"> <input type="text" class="form-control" value="<?php echo $admininfo['name']; ?>" name="name"> </div> </div> <div class="form-group"> <label class="col-sm-2 control-label">Password</label> <div class="col-md-10"> <input type="password" class="form-control" placeholder="<?php echo $admininfo['password']; ?>" name="password"> </div> </div> <div class="form-group"> <label class="col-sm-2 control-label">Comfirm Password</label> <div class="col-md-10"> <input type="password" class="form-control" placeholder="Confirm Password" name="confirmpassword"> </div> </div> <div class="form-group"> <div class="col-sm-10 col-sm-offset-2"> <input type="submit" value="edit account" class="btn btn-primary"> </div> </div> </form> </div> </div> <?php } mysqli_close($con); } ?> 

Currently the name is appearing, only the password is encrypted.

Answer 1

There is no way to tell, from the code you've provided, how the password is encrypted.

If it is done properly, then the password will be stored using a salt and a hashing algorithm and not any kind of reversible encryption. In that case, the answer will be "no".

You should never need to find out what a password is, only set a new one or compare a submitted one to the existing one. The latter case is handled by running the submitted password through the same hashing algorithm and comparing the two hashes.

Your admin probably shouldn't be setting a new password directly either, they should have access to a function that emails the user a one use only token that they can use to set a new password themselves.

Answer 2

This is a bad idea. Currently, you're showing $admininfo['password'] as a placeholder. This means its characters will be actually visible on the screen, even if your input is of type password. Anyone looking over your shoulder will be able to see it. Don't do this.

Passwords should be stored in the database only hashed and salted. There is a way to check whether a certain plaintext is the original password, but there is no way to decrypt the hash (other than brute force). This is done like this for obvious security reasons.

Have a look at password_hash() and password_verify() .