Feb 3, 2009

password encryption

introduction
i've worked on a lot of programs and websites that require the user to log in to gain access, and it occurred to me that there is a useful bit of information i can share from these experiences: the encryption process used to protect the user's password. more often than not i use an encryption method called md5. php happens to have a built in function that will convert any string into an md5 hash quite easily. combine that with a login/signup form and a database to store it in, and you’re well on your way to a secure login system.

md5
md5 (message-digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. as an internet standard (rfc 1321), md5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files. an md5 hash is typically expressed as a 32-digit hexadecimal number. for example, the md5 of the word ‘the’ would be ‘8fc42c6ddf9966db3b09e84365034357’.

the code
as i already stated, in php there is a predefined function to convert a string into an md5 hash. it's quite simple actually: md5("the"); would be the method used to return the hash stated above. let’s say you created a signup form that looked something like the following:

<form name="signup" method="post" action="">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" name="submit" value="Login" />
</form>

once the user clicks submit, php can be used to process the information and store it in a database to be recalled later (assuming we already have a ):

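<?php
// $pdo is assumed to be an existing PDO connection to the database
if ($_POST) {
	$username = $_POST["username"];
	// convert the password to an md5 hash so the plain text is never stored
	$password = md5($_POST["password"]);

	// prepared statement: user input is bound as data, never pasted into the sql string
	$sql = "INSERT INTO users (username, password)
		VALUES (?, ?)";
	$stmt = $pdo->prepare($sql);
	$stmt->execute([$username, $password]);
}
?>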

notice that i encrypt the password before storing it into the database. this way if anyone ever gets access to your database, they’ll have a rather difficult time deciphering what the passwords are. to log in to the software a similar form would be used, however this time, after converting the entered password to an md5 hash, we would do a look up to see if the user exists and if the password is correct:

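<?php
// $pdo is assumed to be an existing PDO connection to the database
// the session has to be started before $_SESSION can be used
session_start();

if ($_POST) {
	$username = $_POST["username"];
	$password = md5($_POST["password"]);

	// prepared statement: the username is bound as data, never pasted into the sql string
	$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
	$stmt->execute([$username]);
	// fetch the matching row (false when there is none)
	$row = $stmt->fetch(PDO::FETCH_ASSOC);

	// make sure there is a user with this username
	if ($row === false) {
		$msg = "No Such User!";
	// there is a user, now check the password
	// hash_equals() compares the strings exactly; a loose != would treat
	// two different hashes such as "0e123..." and "0e456..." as equal numbers
	} elseif (!hash_equals($row["password"], $password)) {
		$msg = "Incorrect Password!";
	} else {
		$msg = "Logged In";

		// set the user to logged in
		$_SESSION["logged_in"] = true;
	}
}
?>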

and there you have it
this is a good way to protect the information between users as well as reassure them that their login information is encrypted. md5 is not the be-all-end-all for encryption methods, and while difficult, it is possible to reverse engineer the hashes, but it is certainly a great first line of defense when creating password protected logins.
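
the signup and login steps above, written with php's built-in password_hash() and password_verify() in place of md5(), plus a one-time upgrade on login for rows that still hold an md5 hash. this is an added example, not code from the original post; the in-memory sqlite database, the function names store_hash/signup/login and the sample users are assumptions made for the example.

```php
<?php
// added example: an in-memory sqlite database stands in for the site's real one (assumption)
$pdo = new PDO("sqlite::memory:");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)");

function store_hash(PDO $pdo, string $username, string $hash): void {
	// REPLACE covers both a first signup and a later hash upgrade
	$stmt = $pdo->prepare("REPLACE INTO users (username, password) VALUES (?, ?)");
	$stmt->execute([$username, $hash]);
}

function signup(PDO $pdo, string $username, string $password): void {
	// password_hash() adds a random salt and uses a deliberately slow algorithm
	store_hash($pdo, $username, password_hash($password, PASSWORD_DEFAULT));
}

function login(PDO $pdo, string $username, string $password): bool {
	$stmt = $pdo->prepare("SELECT password FROM users WHERE username = ?");
	$stmt->execute([$username]);
	$stored = $stmt->fetchColumn();
	if ($stored === false) {
		return false; // no such user
	}
	if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
		// legacy row written by the md5() signup code: check it, then upgrade it
		if (!hash_equals($stored, md5($password))) {
			return false;
		}
		store_hash($pdo, $username, password_hash($password, PASSWORD_DEFAULT));
		return true;
	}
	if (!password_verify($password, $stored)) {
		return false;
	}
	// re-hash when php's default algorithm or cost has moved on since signup
	if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
		store_hash($pdo, $username, password_hash($password, PASSWORD_DEFAULT));
	}
	return true;
}

// constructed sample data: one legacy md5 row and one new signup with the same password
store_hash($pdo, "alice", md5("correct horse"));
signup($pdo, "bob", "correct horse");
var_dump(login($pdo, "alice", "correct horse")); // legacy row: verified, then re-hashed
var_dump(login($pdo, "alice", "wrong guess"));   // wrong password against the upgraded row
var_dump(login($pdo, "bob", "correct horse"));   // row created with password_hash()
```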