CODEWITHSUNDEEP
phpmysqlencryption
Vikrant
Vikrant

Reputation: 23

How to decrypt password in mysql

Going straightly to my question, I have read about encrypting password while registering the user.Till here im able to register users with encrypted password by using PASSWORD('$PASS'); where $PASS is the users password. My sql table details is as follows :- 

FNAME
LNAME
EMAIL
PASS // USED ENCRYPTION AS PASSWORD('$PASS'); HERE.

I can't understand how to decrypt the password & use futher in my code i use the following code to use decrypt the password but its not working. !

<?php
$EMAIL = $_POST['email'];
$PASS = $_POST['pass'];

mysql_connect('host', 'user', 'pass');
mysql_select_db('userdb');
$results = mysql_query(sprintf("SELECT FNAME,LNAME,EMAIL,PASS FROM `details`
WHERE PASS=PASSWORD('$PASS')", 
mysql_real_escape_string($EMAIL))) or die(mysql_error()); 
while($row = mysql_fetch_assoc($results))
{$rows[1] = $row;} 
if(!($_COOKIE['pass'] == $rows[1][PASS])) 
//cookie is set while registering user , which is the decrypted(original) value of password.
{ die("Error occured"); } 
else { echo "Password entered is correct"; }

 ////.....my further code here.
  ?>

Its showing Error occured on the page, which means the password is incorrect. I Also add that this code was working correctly before encryption of password in database.Im new to encryption process ,Your little help is needed which will help me to learn more. Thanks in advance.

Upvotes: 1

Views: 24915

Answers (4)

user28864
user28864

Reputation: 3463

Click here for a more comprehensive way of protecting your passwords and login access using PHP and MYSQL

Upvotes: 0

Rich Bradshaw
Rich Bradshaw

Reputation: 73045

You don't encrypt passwords, you hash them.

The point is, that you don't actually need the users password, you just need to know that they know it.

As an example, an absolutely terrible way to do that might be a simple count: e.g.

if the users password was 'horse123', you might store that as 8. Then you just count the letters in the password, and if it's 8, you know it's right.

That means that you never need to know the actual password.

Clearly that's awful, as there are many passwords with 8 characters! We need something with less 'collisions'.

Instead, we use one way hash functions. The most common way to do this is to use an MD5 hash. (it's not the best, but it's simple to explain). For how to actually do this, look at http://www.openwall.com/phpass/.

For the short and sweet version:

Get the users password, and do something like:

$pass = md5('somerandomtextthatyouknow'.$_POST['password']);

then, store that in your DB.

When they log in, you do the same again, and check that the hash in your DB.

This way, you never need to know the actual passwords, the passwords can be as long as you like, and if your database is stolen, the hashes are not useful to anyone (because we added in that random text).

So, now you understand that, read:

http://www.openwall.com/phpass/

and absolutely read up on SQL injection and SQL prepared statements, else this is all a bit pointless!

Upvotes: 5

Sunil Kumar
Sunil Kumar

Reputation: 1391

Best solution is to use HASH code instead of using encryption and decryption.

md5($pass) - give you 32 bits unique hash code

similarly sha256(), hash()...etc

store these hash codes in your database at the place of password.

Hash code are one way. So it is more secure for your users.

Upvotes: 0

Sawny
Sawny

Reputation: 1423

You shouldn't encrypt passwords. You should hash them. This way they can't be decrypted.

You can read more about it here.

Upvotes: 1

Related Questions