Simple encryption technique for MySQL using PHP

Ho开发者_运维问答w do I encrypt a user password in PHP?

Please explain in a way a beginner can understand. I already have this sample code:

$password = "john856";
$encrypt_password = md5($password);

echo $encrypt_password;

How do I incorporate it in my current code, which does not do any encryption?

<?php
    $con = mysql_connect("localhost","root","");

    if (!$con) { die('Could not connect: ' . mysql_error()); }

    mysql_select_db("koro", $con);

    $sql="INSERT INTO users
            (LNAME, FNAME, MNAME, UNAME, PW)
          VALUES
            ('$_POST[Lneym]', '$_POST[Fneym]', '$_POST[Mneym]', '$_POST[Uneym]', '$_POST[Pass]')";

    if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); }

    echo "<script>alert('User added! You can now use the system.')</script>";

    mysql_close($con)
?>

Let me start with a more important point:

You must never pass through $_POST variables directly into the query. This makes you extremely vulnerable to SQL injections.

You should at the very least least run mysql_real_escape_string() on every form value you insert:

$Lneym = $_POST["Lneym"];
$Lneym_halfway_safe = mysql_real_escape_string($Lneym);

....

$sql="INSERT INTO users 
          (LNAME, FNAME, MNAME, UNAME, PW)
        VALUES 
          ('$Lneym_halfway_safe', 

You can then also incorporate the md5() straight away:

$PW = md5($_POST["PW"]);  // no escape_string() needed here, 
                          // the md5 checksum is safe

and then insert '$PW' for the password field.

The best thing would be using a database class like PDO. Its parametrized queries feature automatically helps prevent SQL injections. Maybe this tutorial helps you.

Seeing as you are not even able to add md5() to your code (no personal criticism, we all started there once) I strongly recommend you read up on programming basics. Copy-pasting crucial security features for a web platform is horribly dangerous and is likely to end in tears.

You are practically there. Run your code:

$password=$_POST["pass"];
$encrypt_password=md5($password);

and then insert $encrypt_password into the password field in the database:

$sql="INSERT INTO users 
          (LNAME, FNAME, MNAME, UNAME, PW)
        VALUES 
          ('$_POST[Lneym]', '$_POST[Fneym]', '$_POST[Mneym]', '$_POST[Uneym]', '$encrypt_password')"; 

I should add, however, that MD5 is a hash algorithm which is a one-way process which generates a unique string on each input ("collisions aside"). You will not be able to recover the user's password, just so you know. This is however a good thing and you can still check logins - just compare md5 values.

Just use MySQL's encryption functionality.

As others have said, escape all variables:

$encrypt_password = mysql_real_escape_string(md5($_POST["pass"]));
$lastname = mysql_real_escape_string($_POST[Lneym]);
$firstname = mysql_real_escape_string($_POST[Fneym]);
$midname = mysql_real_escape_string($_POST[Mneym]);
$username = mysql_real_escape_string($_POST[Uneym]);
$sql = "INSERT INTO users
          (LNAME, FNAME, MNAME, UNAME, PW)
          VALUES
          ('$lastname', '$fistname', '$middlename', '$username', '$encrypt_password')";

Then for login:

$encrypt_password = mysql_real_escape_string(md5($_POST["pass"]))
$username = mysql_real_escape_string($_POST[Uneym]);
$sql = "SELECT LNAME, FNAME, MNAME, UNAME
        WHERE UNAME = '$username'
        AND PW = '$encrypt_password'";

As far as I know using SHA-2 is a better (more secure) way than MD5 or even SHA-1 to hash your passwords.

A while ago I used this page tutorial for my CMS, and it works really fine.

http://hungred.com/useful-information/php-better-hashing-password/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Hungredcom+%28Hungred.com%29

It's pretty coded and is secure enough to use, because it's trying to combine a private function for securing passwords.