views:

242

answers:

6

Hi

I want nobody to be able to see my password, even in the database.

So I used a hash function like this:

$password_hash = hash('sha1', $_POST['password']);

Now I can easily store this password_hash value in the database. It will be in something like an encrypted form.

Now the user knows his original password; he doesn't know this encrypted password.

Now if he tries to log in with this original password, he is not able to log in.

So is there any method so that it can be decrypted and the user can log in? Then he can have both security of the password and the ability to log in again.

How to do this?

+11  A: 

You need to hash the user input password and compare hashes.

John Boker
+1  A: 

All you need to do is encrypt the password you type in and compare the two; the hash in the database and the one you just encrypted. If they match then the password entered is the right one. I am assuming you are using an algorithm like SHA1.

Lukasz
at least, with very high probability
Martijn
+1  A: 

Before comparing the posted password by the user with the one in the database, encrypt the posted password the same way as the stored password.

Nils Riedemann
+1  A: 

You don't need to decrypt it. You cannot convert a hash back to plain text; it's a one-way function. So, basically, you hash the input password and compare the two hashes:

E.g (pseudo code):-

if hash(password entered by user) == password stored in database Then
    //logged in successfully
else
    //login failed
end if
Bhaskar
The 2nd half of your if statement should be `hashed password stored in the db`. Of course storing an unencrypted password anywhere isn't secure.
Dana the Sane
I agree....changed the code to reflect it....Thanks
Bhaskar
A: 

I highly recommend using md5() http://php.net/manual/en/function.md5.php.

When the user signs up, you store:

$password = md5($_POST['password']);

And when the user logs in you check:

// Hash the submitted password the same way as at sign-up before comparing
if (md5($_POST['password_entered']) === $passwordFromDB) :
    // Log user in
else :
    // Show error to user
endif;
Giles Van Gruisen
I would think using sha1() would be more secure?
Elliott
MD5 has been broken and should not be used for encryption purposes
John Conde
+1  A: 

As already answered, you need to hash the password every time they re-enter it and compare the hash to what is in your database.

You ALSO should look into using salt in your hashing algorithm. There is a good deal of discussion in this question:

http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords

Licky Lindsay
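
The hash-then-compare login flow the answers describe, combined with the per-user salt from the last answer, as an added example that is not code from any of the posters. It uses PHP's built-in password_hash() and password_verify() (PHP 5.5+), which generate the salt and store it inside the hash string; the in-memory $users array and the function names register() and login() are assumptions standing in for a real database table.

```php
<?php
// Added example: $users stands in for a database table (assumption).
$users = [];

// Sign-up: store only the salted hash, never the plain password.
function register(array &$users, string $name, string $password): void
{
    // password_hash() picks a random salt and embeds it, together with
    // the algorithm and cost, in the returned string.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: nothing is decrypted. password_verify() re-hashes the submitted
// password with the salt read from the stored string and compares the
// two results in constant time.
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    if (!password_verify($password, $users[$name])) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data.
register($users, 'alice', 'correct horse');
register($users, 'bob', 'correct horse');

var_dump(login($users, 'alice', 'correct horse'));  // right password
var_dump(login($users, 'alice', 'wrong guess'));    // wrong password
var_dump(login($users, 'nobody', 'correct horse')); // unknown user
// Same password, different random salts, so the stored hashes differ.
var_dump($users['alice'] !== $users['bob']);
```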