Encryption

Guest
Jul 25, 2007

I use Dreamweaver MX 2004 generating a record insertion Wizard for when I want to insert a user. I have the username field in my case it is the e-mail, and the password. I would like to know how to encrypt the password when it goes into the database. I was told to use a "sha1". How do I incorporate this after Dreamweaver has generated a record insertion?
TOPICS
Server side applications

LEGEND ,
Jul 26, 2007

AdonaiEchad wrote:
> I was told to use a "sha1". How do I incorporate this
> after Dreamweaver has generated a record insertion?

You don't do it after the insertion, but before. The Dreamweaver server
behavior doesn't support encryption, so you need to code it yourself.
The simplest way is to put this at the top of the user registration page:

<?php
if (isset($_POST['password'])) {
    $_POST['password'] = sha1($_POST['password']);
}
?>

By putting it outside the server behavior code, the server behavior
remains fully editable through the Dreamweaver interface.

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

New Here ,
Oct 06, 2007

This is just the answer I've been looking for. However, I'm trying to use aes_encrypt with salt instead of sha. My question is how this changes the code other than using aes_encrypt in place of sha? Also, if I'm hiding the salt in a table, where do I initialize a variable that will use my salt value from the table? Thanks for your help in advance.

Mark

LEGEND ,
Jul 26, 2007

On Thu, 26 Jul 2007 09:12:32 +0100, David Powers <david@example.com>
wrote:

><?php
>if (isset($_POST['password'])) {
> $_POST['password'] = sha1($_POST['password']);
> }
>?>

That is, indeed, the easiest way to handle it. However, it's worth
mentioning that the user authentication routines will also have to be
modified.

Gary

LEGEND ,
Jul 26, 2007

Gary White wrote:
> That is, indeed, the easiest way to handle it. However, it's worth
> mentioning that the user authentication routines will also have to be
> modified.

Sure. Once a password has been encrypted with sha1() or md5() - both of
which handle only one-way encryption - the login form needs to compare
an encrypted version of the password submitted through the form with the
one stored in the database. So the same code also needs to be used on
the login form.

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

LEGEND ,
Jul 26, 2007

On Thu, 26 Jul 2007 14:13:51 +0100, David Powers <david@example.com>
wrote:

>Sure. Once a password has been encrypted with sha1() or md5() - both of
>which handle only one-way encryption - the login form needs to compare
>an encrypted version of the password submitted through the form with the
>one stored in the database. So the same code also needs to be used on
>the login form.


Exactly.

Gary

Guest
Jul 26, 2007

Thank you David, it worked as far as creating a password that is encrypted; however, in the login it will not allow me to log in with the password I have placed. You have mentioned I use the same code and place it in the login, where am I supposed to place it, at the top of all codes? What is my next step? Dreamweaver has created my login page and access level.

LEGEND ,
Jul 26, 2007

AdonaiEchad wrote:
> where am I supposed to place it, at the top of all codes?

Yes.

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

Guest
Jul 27, 2007

I have done what you have asked and I still cannot login. I placed the same type of code on the login page and it will not allow me to go any further. Also, if I want to edit a user the old way I am able to see the password field, with the encryption I can see a bunch of letters and numbers which is the encryption, is there a way where it decrypt it so I can see the password since I am an administrator?

LEGEND ,
Jul 27, 2007

AdonaiEchad wrote:
> I have done what you have asked and I still cannot login. I placed the same
> type of code on the login page and it will not allow me to go any further.
> Also, if I want to edit a user the old way I am able to see the password field,
> with the encryption I can see a bunch of letters and numbers which is the
> encryption, is there a way where it decrypt it so I can see the password since
> I am an administrator?

As explained before, sha1() and md5() perform one-way encryption only.
The encrypted password cannot be decrypted. The reason you cannot login
is probably because the encrypted password is being truncated when it's
stored. sha1() encrypts everything as a 40-character string, so the
column needs to be VARCHAR(40).

If you want to be able to decrypt passwords, study the MySQL manual's
page on encryption functions:

http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html

Depending on the version of MySQL you're running, use either
ENCODE()/DECODE() or AES_ENCRYPT()/AES_DECRYPT().

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/

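An added example, not code from any poster in this thread: it reproduces the login failure described above, where a sha1() digest is cut short by a narrow column, and shows a check for it. It goes beyond the thread by also showing PHP's built-in password_hash()/password_verify() (PHP 5.5+), which salt each password and apply a work factor. store_in_column() is a hypothetical stand-in for a MySQL VARCHAR column in non-strict mode, and the sample password is constructed.

```php
<?php
// Hypothetical stand-in for a MySQL VARCHAR($width) column in non-strict
// mode, which silently truncates values longer than the column.
function store_in_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// The thread's scheme: the stored value is sha1(password), and the login
// page hashes the submitted password the same way before comparing.
function sha1_login(string $stored, string $submitted): bool
{
    // hash_equals() compares the two strings in constant time.
    return hash_equals($stored, sha1($submitted));
}

// A stored SHA-1 digest must be exactly 40 lowercase hex characters;
// anything else means the column mangled it on the way in.
function looks_like_sha1(string $stored): bool
{
    return preg_match('/^[0-9a-f]{40}$/', $stored) === 1;
}

$password = 'correct horse battery staple'; // constructed sample input

// Column too narrow: the digest is cut to 32 characters, the sanity check
// fails, and the correct password is rejected at login.
$narrow = store_in_column(sha1($password), 32);
var_dump(looks_like_sha1($narrow), sha1_login($narrow, $password));

// VARCHAR(40) holds the whole digest, so the same login code succeeds.
$wide = store_in_column(sha1($password), 40);
var_dump(looks_like_sha1($wide), sha1_login($wide, $password));

// password_hash() generates a per-password salt and embeds it, with the
// algorithm and cost, in its output. bcrypt output is 60 characters; the
// PHP manual recommends a 255-character column so later algorithms fit.
$hash = store_in_column(password_hash($password, PASSWORD_DEFAULT), 255);

// password_verify() reads the salt and cost back out of the stored value,
// so the login page never calls the hash function on its own.
var_dump(password_verify($password, $hash));
var_dump(password_verify('wrong guess', $hash));
```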
LEGEND ,
Jul 27, 2007

.oO(David Powers)

>If you want to be able to decrypt passwords, study the MySQL manual's
>page on encryption functions:

But then why use encryption at all? The whole purpose of storing
password hashes is to make it as hard as possible for an attacker to
gain access. No one should be able to decrypt them, not even the server
admin. With a hash the only ways to break it are brute-force or
dictionary attacks.

Micha

LEGEND ,
Jul 27, 2007

Michael Fesser wrote:
> But then why use encryption at all? The whole purpose of storing
> password hashes is to make it as hard as possible for an attacker to
> gain access.

I agree, but there are circumstances where it might be acceptable or
necessary to use two-way encryption. The choice is there. It's up to the
individual developer to decide which is best for the circumstances in hand.

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/
