How to use SHA1 or MD5 encrypted in user password into MySQL table

Well, there have been a fuss around the globe regarding the user data.

And how well we had done to protect their interest on our side.

Online forum, portal.. and all sort of password-required to access.
Should really not put the password on the plaintext on MySQL table or even on the textfile.
Provided the administrator access is easily slipped.. one shouldn’t take the user password for easy viewing..

Here is some example of getting the simple “SHA1″ into user table in place..

 /* Store user details */
 $passwordHash = sha1($_POST['password']);
 $sql = 'INSERT INTO user (username,passwordHash) VALUES (?,?)';
 $result = $db->query($sql, array($_POST['username'], $passwordHash));

or

  $query = sprintf("INSERT INTO USER ( username,passwordHash) VALUES ('%s','%s' )",
    mysql_real_escape_string($_POST['username']),
    sha1(mysql_real_escape_string($_POST['password'] )) );
   // Perform SQL Query
 $result = mysql_query($query);

.. so it got something like this is user table ..

For login form..

      $userid =  mysql_escape_string($_REQUEST['login_id']);
      $userpassword = sha1($_REQUEST['password']);
      # here do whatever u need to auth.
      # check for matching user id and password in local database
      $processor = new DatabaseClassName();
      $processor->login($userid,$userpassword);

and somewhere in the library or whatsoever..

  DatabaseClassName  {
  function DatabaseClassName () {
    session_start ();
  }
  function do_login ($user,$password) {
      $sqlstatement = sprintf ( "SELECT count(*) AS UserCount FROM user_table ".
        "WHERE username = '%s' AND ".
        "pw='%s'",$user,$password);
      $sqlq = mysql_query($sqlstatement,$db);
      $users = mysql_fetch_array( $sqlq,MYSQL_ASSOC);
      $result = $users['UserCount'];

      if ( $users['UserCount'] == 1) {
        $this->logged_in ($user);
      };
      return ($result == 1);
   }

 function logged_in ($user) {
  $_SESSION['id'] = $user;
  $_SESSION['ip']  = $_SERVER['REMOTE_ADDRESS'];
  $_SESSION['timeout'] = time()  + 10;
 }

 function logout () {
  $_SESSION= array();
  session_unset();
  session_destroy ();
 }
}

…Hmm..

For md5.. just need to changed “sha1″ to “md5″..

      $userpassword = sha1($_REQUEST['password']);

to

      $userpassword = md5($_REQUEST['password']);

** update..
if want to use SHA-256

  $userpassword = sha256($_REQUEST['password']);

but if using SHA-256 .. you might have to calculate the hash by yourself before adding it via phpMyAdmin interface..
as the function there only up to MD5 and SHA1.i think.

.. can also add some noise.. or salt.. and whatever craps to it.. to make it harder.. a bit.

it might be still be spoofed/ sniffed by ip address or browser and all..
but at least.. it should not leave the user password in plaintext format somewhere in server itself..

Further read up.. Web Auth[pdf].

p/s : just my two cents ..

Related posts: