  • Encrypting passwords using PHP

    Author: 2008-08-16 09:03:45 From:

    When creating a membership-based site, security is paramount, especially if you're dealing with personal information. When it comes to passwords, you'll want to encrypt them wherever they are stored so they can't be stolen. Here are a few things you can do to make your passwords as safe as possible.

    It doesn't matter where you're storing your passwords; typically it will be in a database table, but it could be somewhere else. The theory behind encrypting the passwords themselves remains the same. Let's imagine you have a registration form on your website that a user has filled out. One of the fields is a password field called 'passw'.

    Tip: As another level of security, I like to call any password-related fields in forms and my databases anything other than 'password' so it's more difficult to guess them - it's not much but it helps!

    sha1 encryption
    PHP's sha1 function creates a hash from the value you give it. This is a one-way encryption method that turns the entered password into a seemingly random series of characters. Let's use it to start encrypting our password:

    // Hash the password submitted in the registration form's 'passw' field.
    $encrypted = sha1($_POST['passw']);

    Now the '$encrypted' variable contains our hash based on the password that's been entered. We can now store this value in our database table.

    Handling log-ins
    Now that you have encrypted passwords stored in your database, you need a way of checking the passwords when a user logs in to your site. To do this, you simply need to perform the same encryption on the password entered into the login form and compare the resulting hash to the one stored in the database for that user.

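    // Hash the submitted password the same way it was hashed at registration.
    $encrypted = sha1($_POST['passw']);
    // hash_equals() compares the two strings exactly and in constant time;
    // == can treat two different "0e..." hashes as equal numbers.
    if ( hash_equals($database_row['pass'], $encrypted) ) {
       $login_success = 1;
    }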

    If they match, perform any login actions you need to, as you would normally.
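
The login check above, extended as an added example (not code from the original article): it accepts the unsalted SHA-1 hashes this article stores and, on a successful login, replaces them with a salted `password_hash()` value, so identical passwords no longer share one stored hash. The function names `hash_new_password` and `verify_login` and the sample password are assumptions made for illustration.

```php
<?php
// Added example: verify a login against either a legacy unsalted SHA-1 hash
// (the scheme shown in this article) or a password_hash() value, and upgrade
// the stored value after a successful login.

/** Hash a new password for storage (salted, slow, algorithm chosen by PHP). */
function hash_new_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/**
 * Check $plain against $stored. Returns [bool $ok, ?string $replacement];
 * $replacement is non-null when the caller should overwrite the stored hash.
 */
function verify_login(string $plain, string $stored): array
{
    // Legacy rows: exactly 40 lowercase hex characters, as produced by sha1().
    if (preg_match('/\A[0-9a-f]{40}\z/', $stored) === 1) {
        // Constant-time, exact string comparison (no numeric type juggling).
        $ok = hash_equals($stored, sha1($plain));
        return [$ok, $ok ? hash_new_password($plain) : null];
    }

    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    // Re-hash if PHP's default algorithm or cost has changed since storage.
    $replacement = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? hash_new_password($plain)
        : null;
    return [true, $replacement];
}

// Constructed sample data: one legacy row, stored the way this article does.
$database_row = ['pass' => sha1('correct horse')];

[$ok, $new] = verify_login('correct horse', $database_row['pass']);
if ($ok && $new !== null) {
    $database_row['pass'] = $new;   // on a real site: UPDATE the user's row
}
var_dump($ok);                                                      // legacy path
var_dump(verify_login('correct horse', $database_row['pass'])[0]);  // upgraded row
var_dump(verify_login('wrong guess', $database_row['pass'])[0]);    // bad password
```

The array destructuring syntax needs PHP 7.1 or later; the password column must be wide enough for `password_hash()` output, for which the PHP manual recommends 255 characters.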

    Forgotten passwords
    It is common to include a forgotten password feature alongside your login form. By encrypting your passwords in this way, you are unable to remind users of their password - a sacrifice made in the name of a more secure website. All is not lost, however: rather than reminding them of their password, an alternative is to generate a new one for them. Have a look at my random password generation article for ideas on how to do this.

    I hope you've found this article interesting. If you have any comments or views on encrypting passwords, or indeed on website security, don't hesitate to post a comment.
