views:

221

answers:

5

How to encrypt user password in php. please explain in a way a beginner can understand. I already have this sample code:

$password="john856";
$encrypt_password=md5($password);

echo $encrypt_password; 

Can you help me incorporate it in my current code, which does not do any encryption.

<?php 
  $con = mysql_connect("localhost","root","");

  if (!$con) { die('Could not connect: ' . mysql_error()); }

  mysql_select_db("koro", $con);

  $sql="INSERT INTO users 
          (LNAME, FNAME, MNAME, UNAME, PW)
        VALUES 
          ('$_POST[Lneym]', '$_POST[Fneym]', '$_POST[Mneym]', '$_POST[Uneym]', '$_POST[Pass]')"; 

  if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); }

  echo "<script>alert('User Added!You can now use the system')</script>";

  mysql_close($con);
?>
A: 

Just use MySQL's encryption functionality.

DaDaDom
+3  A: 

Let me start with a more important point:

You must never pass through $_POST variables directly into the query. This makes you extremely vulnerable to SQL injections.

You should at the very least run mysql_real_escape_string() on every form value you insert:

$Lneym = $_POST["Lneym"];
$Lneym_halfway_safe = mysql_real_escape_string($Lneym);

// the same for every other form field
$Fneym_halfway_safe = mysql_real_escape_string($_POST["Fneym"]);
$Mneym_halfway_safe = mysql_real_escape_string($_POST["Mneym"]);
$Uneym_halfway_safe = mysql_real_escape_string($_POST["Uneym"]);

$sql="INSERT INTO users 
          (LNAME, FNAME, MNAME, UNAME, PW)
        VALUES 
          ('$Lneym_halfway_safe', '$Fneym_halfway_safe', '$Mneym_halfway_safe', '$Uneym_halfway_safe', '$PW')";  // $PW: see below

You can then also incorporate the md5() straight away:

$PW = md5($_POST["PW"]);  // no escape_string() needed here, 
                          // the md5 checksum is safe

and then insert '$PW' for the password field.

The best thing would be using a database class like PDO. Its parametrized queries feature automatically helps prevent SQL injections. Maybe this tutorial helps you.

Seeing as you are not even able to add md5() to your code (no personal criticism, we all started there once) I strongly recommend you read up on programming basics. Copy-pasting crucial security features for a web platform is horribly dangerous and is likely to end in tears.

Pekka
-1: good advice, but nothing to do with answering the actual question.
Max Shawabkeh
Read again, it's in there.
Pekka
Now it is. I didn't refresh before posting the comment, it seems.
Max Shawabkeh
+1  A: 

You are practically there. Run your code:

$password=$_POST["pass"];
$encrypt_password=md5($password);

and then insert $encrypt_password into the password field in the database:

$sql="INSERT INTO users 
          (LNAME, FNAME, MNAME, UNAME, PW)
        VALUES 
          ('$_POST[Lneym]', '$_POST[Fneym]', '$_POST[Mneym]', '$_POST[Uneym]', '$encrypt_password')"; 

I should add, however, that MD5 is a hash algorithm which is a one-way process which generates a unique string on each input ("collisions aside"). You will not be able to recover the user's password, just so you know. This is however a good thing and you can still check logins - just compare md5 values.

Ninefingers
A: 

As others have said, escape all variables.

// md5() only returns hex characters, so escaping it is harmless but not strictly needed
$encrypt_password=mysql_real_escape_string(md5($_POST["pass"])); 
$lastname=mysql_real_escape_string($_POST["Lneym"]);
$firstname=mysql_real_escape_string($_POST["Fneym"]);
$midname=mysql_real_escape_string($_POST["Mneym"]);
$username=mysql_real_escape_string($_POST["Uneym"]);
$sql="INSERT INTO users 
          (LNAME, FNAME, MNAME, UNAME, PW)
        VALUES 
          ('$lastname', '$firstname', '$midname', '$username', '$encrypt_password')"; 

Then for login

// hash the submitted password the same way and compare it with the stored hash
$encrypt_password=mysql_real_escape_string(md5($_POST["pass"]));
$username=mysql_real_escape_string($_POST["Uneym"]);
$sql = "SELECT LNAME, FNAME, MNAME, UNAME
        FROM users
        WHERE UNAME = '$username'
        AND   PW = '$encrypt_password'";
MindStalker
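Pekka's answer recommends PDO's parameterized queries, and the answers above show the registration and login flow with md5() and mysql_real_escape_string(). The following is an added example; it is not code from the question or from any of the answers. It assumes the `users` table and form field names from the question, uses an in-memory SQLite database in place of the MySQL database "koro" so it runs offline (the MySQL DSN is given in a comment), and replaces md5() with password_hash()/password_verify(), which the thread itself does not mention. The sample form data is constructed.

```php
<?php
// Added example (not from the original question or answers): registration and
// login against the `users` table from the question, using PDO prepared
// statements instead of string-built SQL and password_hash()/password_verify()
// instead of md5(). An in-memory SQLite database stands in for the MySQL
// database "koro" so the script runs offline; for MySQL swap the DSN, e.g.
// new PDO('mysql:host=localhost;dbname=koro;charset=utf8mb4', 'user', 'pass', $opts).

$opts = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side parameters where supported
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];
$pdo = new PDO('sqlite::memory:', null, null, $opts);

// Same columns as the question. PW must hold the full password_hash() output
// (60 characters for bcrypt, longer for argon2); use VARCHAR(255) on MySQL.
$pdo->exec('CREATE TABLE users (
    ID    INTEGER PRIMARY KEY,
    LNAME TEXT NOT NULL,
    FNAME TEXT NOT NULL,
    MNAME TEXT,
    UNAME TEXT NOT NULL UNIQUE,
    PW    TEXT NOT NULL
)');

// Registration: the user-supplied values never become part of the SQL text,
// so quotes, comment markers or OR 1=1 in any field are stored literally.
function add_user(PDO $pdo, array $form): void
{
    $hash = password_hash($form['Pass'], PASSWORD_DEFAULT); // salted, slow, self-describing
    $stmt = $pdo->prepare(
        'INSERT INTO users (LNAME, FNAME, MNAME, UNAME, PW)
         VALUES (:lname, :fname, :mname, :uname, :pw)'
    );
    $stmt->execute([
        ':lname' => $form['Lneym'],
        ':fname' => $form['Fneym'],
        ':mname' => $form['Mneym'],
        ':uname' => $form['Uneym'],
        ':pw'    => $hash,
    ]);
}

// Login: fetch the stored hash by username only and let password_verify() do
// the comparison. The password (or its hash) never appears in the WHERE clause.
function check_login(PDO $pdo, string $uname, string $pass): bool
{
    // Dummy hash so an unknown username costs about the same time as a real
    // check and response timing does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT PW FROM users WHERE UNAME = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch();
    if ($row === false) {
        password_verify($pass, $dummy);
        return false;
    }
    if (!password_verify($pass, $row['PW'])) {
        return false;
    }
    // Transparently upgrade old hashes when the default algorithm or cost changes.
    if (password_needs_rehash($row['PW'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET PW = :pw WHERE UNAME = :uname');
        $upd->execute([':pw' => password_hash($pass, PASSWORD_DEFAULT), ':uname' => $uname]);
    }
    return true;
}

// Constructed sample input standing in for $_POST. The username is a classic
// injection payload to show it is stored as data, not executed as SQL.
$form = [
    'Lneym' => "O'Brien",
    'Fneym' => 'John',
    'Mneym' => '',
    'Uneym' => "john' OR '1'='1",
    'Pass'  => 'john856',
];
add_user($pdo, $form);

foreach ([["john' OR '1'='1", 'john856'], ["john' OR '1'='1", 'wrong'], ['nobody', 'john856']] as [$u, $p]) {
    printf("login %-18s / %-8s : %s\n", $u, $p, check_login($pdo, $u, $p) ? 'ok' : 'rejected');
}
```

Only the first attempt should be accepted: the injection-looking username matches because it was stored as a literal string, the wrong password fails password_verify(), and the unknown user fails after the dummy verification. No escaping function is called anywhere; the prepared statement keeps data and SQL apart on its own.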
A: 

As far as I know, using SHA-2 is a better (more secure) way to hash your passwords than md5 or even SHA-1.

A while ago I used this tutorial page for my CMS and it works really fine:

http://hungred.com/useful-information/php-better-hashing-password/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Hungredcom+%28Hungred.com%29

It's nicely coded and secure enough to use,

because it tries to combine a private function for securing passwords.

farshad Ghazanfari
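On the point that SHA-2 is stronger than md5: for stored passwords the decisive weaknesses are the missing per-user salt and the speed of the hash, not md5's collision problems, and an unsalted sha256 shares both of them. The following added example (not from this answer or the linked tutorial) shows the attacker's side, which the thread does not cover: a constructed leaked `users` table under md5, sha256 and password_hash(), and a constructed four-word dictionary run against each. The user names, passwords and wordlist are all made up for the demonstration.

```php
<?php
// Added example (not from the original answers): why swapping md5() for an
// unsalted SHA-2 digest does not, by itself, make stored passwords safe, and
// what password_hash() (bcrypt by default) does differently. Everything here
// is constructed and runs offline.

// Passwords as users chose them. Two users picked the same one (the password
// from the question); the third is a constructed stronger one.
$passwords = ['alice' => 'john856', 'bob' => 'john856', 'carol' => 'Tr0ub4dor&3'];

// What the leaked PW column looks like under an unsalted digest...
function store_unsalted(array $pw, string $algo): array {
    $rows = [];
    foreach ($pw as $user => $p) { $rows[$user] = hash($algo, $p); }
    return $rows;
}

// ...and under password_hash(), which embeds a random salt and a cost factor.
function store_salted(array $pw): array {
    $rows = [];
    foreach ($pw as $user => $p) { $rows[$user] = password_hash($p, PASSWORD_DEFAULT); }
    return $rows;
}

// Attacker, unsalted case: one hash() per candidate checks every user at once,
// because equal passwords give equal digests and the table can be precomputed.
function crack_unsalted(array $rows, array $wordlist, string $algo): array {
    $lookup = [];
    foreach ($wordlist as $cand) { $lookup[hash($algo, $cand)] = $cand; }
    $found = [];
    foreach ($rows as $user => $digest) {
        if (isset($lookup[$digest])) { $found[$user] = $lookup[$digest]; }
    }
    return $found;
}

// Attacker, bcrypt case: every candidate must be re-hashed per user with that
// user's salt at the stored cost, so nothing can be precomputed or shared.
function crack_salted(array $rows, array $wordlist): array {
    $found = [];
    foreach ($rows as $user => $hash) {
        foreach ($wordlist as $cand) {
            if (password_verify($cand, $hash)) { $found[$user] = $cand; break; }
        }
    }
    return $found;
}

$wordlist = ['123456', 'password', 'john856', 'letmein']; // constructed, deliberately tiny

foreach (['md5', 'sha256'] as $algo) {
    $rows = store_unsalted($passwords, $algo);
    echo "$algo: alice and bob share a digest? ", ($rows['alice'] === $rows['bob'] ? 'yes' : 'no'), "\n";
    $t = microtime(true);
    $found = crack_unsalted($rows, $wordlist, $algo);
    printf("%s: recovered %s in %.6f s\n", $algo, json_encode($found), microtime(true) - $t);
}

$rows = store_salted($passwords);
echo "bcrypt: alice and bob share a hash? ", ($rows['alice'] === $rows['bob'] ? 'yes' : 'no'), "\n";
$t = microtime(true);
$found = crack_salted($rows, $wordlist);
printf("bcrypt: recovered %s in %.3f s (%d candidates x %d users at the default cost)\n",
    json_encode($found), microtime(true) - $t, count($wordlist), count($passwords));

// The weak password still falls to the dictionary under bcrypt; the salt and
// cost only make each guess expensive and non-reusable across users. Password
// policy protects 'john856'; slow salted hashing protects everyone else when
// the table leaks.
```

Run it and compare the two halves of the output: under md5 and sha256 alice and bob have identical digests and the whole dictionary pass finishes in microseconds, whereas under bcrypt their hashes differ and each password_verify() call takes tens of milliseconds. Multiply that per-guess cost by a real wordlist and a real user table to see why the choice between md5 and SHA-2 matters far less than the choice between a fast unsalted digest and a purpose-built password hash.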