PHP - Encrypting Passwords
advertisement
PHP- Encrypting Passwords
When developing a password-protected web site, store user passwords securely. Storing passwords
as plain text strings creates security and privacy issues.
An unauthorised user may somehow gain access to a database, e.g. by being told the database
password by a friend
Administrators may have access to databases. They could see a table of passwords. Even
administrators may not want to know people’s passwords.
Users often use the same passwords for different sites, so seeing a password can compromise
other sites.
A recent news item (eBay, 2014) informed users to change their passwords as the database had been
compromised, and users who use the same password for different sites were putting their other
accounts at risk.
MD5 (Message Digest Algorithm 5)
A popular approach is to encrypt database passwords using Message-Digest Algorithm 5 (MD5).
e.g.
Password (unencrypted)
Password (encrypted using MD5)
admin
21232f297a57a5a743894a0e4a801fc3
MD5 encryption is a one-way hashing algorithm, from which it is nearly impossible to determine
the original text:
it is impossible to revert back from an encrypted output to the initial, plain-text input
any given input always maps to the same encrypted value.
passwords cannot be deciphered, even if a user gains access to a database table.
No method is 100% fail safe. MD5 still requires a strong password to prevent a brute force
attack revealing it. Whilst MD5 is quick to use and gives a higher level of protection to passwords it
will not withstand attack from the most advanced hackers.
Create an encrypted password
Create a script using the md5
function to create the encrypted
text for a password (e.g. “admin”)
<?php
$password = md5("admin");
echo $password;
?>
Set up a database table with
usernames and md5 passwords
Copy and paste md5 password, e.g.
21232f297a57a5a743894a0e4a801f
c3 into a database, so you have a
username, e.g. “admin” and an md5
password
Create a web page to test user login and password
Example script (database name, table name, etc. can be adapted) :
<html>
<head>
<title>MD5 Password Login</title>
</head>
<body>
<?php
$con=mysqli_connect("localhost","root","","simpledata_dw");
//check BOTH username and password are not blank
if (isset($_POST["username"]) && isset($_POST["password"]) &&
$_POST['username']!="" && $_POST['password']!="")
{
//Check username and password against database username and password
$username = $_POST["username"]; //Username may be "admin"
$password = md5($_POST["password"]); //Password may be "admin"
$result = mysqli_query($con,"select * from users where username='$username'");
$row = mysqli_fetch_array($result);
if($row['password_md5'] == $password)
{
echo "Welcome, ".$row["username"];
?>
<!-- Display main page -->
<?php
}
else
{
header("location: ".$_SERVER['PHP_SELF']); //reload the page
}
}
else
{
?>
<form method="post" action="<?php $_SERVER["PHP_SELF"]?>">
<table border="1" >
<tr>
<td>Username</td>
<td><input type="text" name="username" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td><input name="password" type="password" id="password"></input></td>
</tr>
<tr>
<td><input type="submit" value="Submit"/>
<td><input type="reset" value="Reset"/>
</tr>
</table>
</form>
<?php
}
mysqli_close($con);
?>
</body>
</html>
Successful Login
Register Username and Password
Example web page to enable a new user to enter a username and a
password. The password is encrypted and stored with username .
<?php
//Check to see if all the form boxes have been entered
if
(!empty($_POST['username']) &&
!empty($_POST['password']) &&
!empty($_POST['password2']) )
{
$username = $_POST['username'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
if($password != $password2)
{
header("location: ".$_SERVER['PHP_SELF']);
exit();
}
if(strlen($username) > 10)
{
header("location: ".$_SERVER['PHP_SELF']);
}
if ($password == $password2)
{
$password_md5 = md5($password);
$con = mysqli_connect('localhost','root','','simpledata_dw');
//sanitize username
$username = mysqli_real_escape_string($con, $username);
$query = "INSERT INTO users (username, password_md5 ) VALUES
( '$username', '$password_md5' )";
//connect to database, run query
mysqli_query($con, $query);
//close database
mysqli_close($con);
echo "registation complete";
}
}
?>
<html>
<head><title>Register with encypted password</title>
</head>
<body>
<form name="register" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
<table width="510" border="0">
<tr>
<td colspan="2"><p><strong>Registration Form</strong></p></td>
</tr>
<tr>
<td>Username:</td>
<td><input type="text" name="username" maxlength="20" /></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td>Confirm Password:</td>
<td><input type="password" name="password2" /></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" value="register" />
<input name="form_response" type="text" style="border:none; color:red;" value="" size="60"
readonly></td>
</tr>
</table>
</form>
</body>
</html>
