-1

I have this issue with password encryption. Right now I use md5; I know it's not the safest, but anyway.

I have this code:

$import="INSERT into users(Username,Password,Email,first_name,last_name,phone,user_id) values('$data[0]','md5($data[1]).','$data[2]','$data[3]','$data[4]','$data[5]','$data[6]')";

Now, this posts the value into the database as it is, i.e.:

md5(A101)

How can I solve this?

blerta
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 28 '18 at 17:30
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Feb 28 '18 at 17:30

6 Answers

2
$import="INSERT into users(Username,Password,Email,first_name,last_name,phone,user_id) 
       values('$data[0]','".md5($data[1])."','$data[2]','$data[3]','$data[4]','$data[5]','$data[6]')";

this should work.

You can't do something like this $str = "$str1"; with function calls, so you must do something like this: $str = "'" . md5($str1) . "'"

Viktor S.
2

The function isn't a variable, so it can't be parsed inside double quotes:

$import="
    INSERT into users
    (Username,Password,Email,first_name,last_name,phone,user_id) 
    values('$data[0]','".md5($data[1])."','$data[2]','$data[3]','$data[4]','$data[5]','$data[6]')";

While PHP parses variables inside double quotes, it won't look for every function possible. You will need to break the string and concat the values in using the . concat function.

Fluffeh
  • blah ... i'm starting to hate you ++ :) – Mihai Iorga Sep 11 '12 at 13:22
  • How am i supposed to solve this please? it's because, i use it to insert a csv file.. – blerta Sep 11 '12 at 13:22
  • @blerta I gave you the insert query in the answer mate. It will work fine if you break the string, concat and run the query as it is :) – Fluffeh Sep 11 '12 at 13:25
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 28 '18 at 17:30
1

You cannot call functions like that:

$import="INSERT into users(Username,Password,Email,first_name,last_name,phone,user_id) values('$data[0]','".md5($data[1])."','$data[2]','$data[3]','$data[4]','$data[5]','$data[6]')";
Mihai Iorga
1

In plain PHP do you think echo "md5($data[1])."; would call the function? Of course not, it's part of the string.

You need to concatenate the md5 call:

"blah blah blah".md5($data[1])."more blah";
Niet the Dark Absol
0

Your actual issue is that you've placed a function call into a string, you can simply concatenate the return value of md5 into your string like this:

'" . md5($data[1]) . "'

That said, please don't write inserts like this, it's dangerous if $data contains user input.

You're almost always better off using prepared statements to insert data into a database. I'd highly recommend that you take up reading about PDO/MySQLi, or at the very least if you're not using it already, mysql_real_escape_string.

Rudi Visser
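
The prepared-statement route recommended in the answer above and the password-hashing functions recommended in the comments, applied to the question's CSV import. This is an added example, not code from any answer on this page; it assumes PDO with the pdo_sqlite driver (an in-memory database so it runs offline), a constructed two-row CSV in the question's column order, and the question's `users` column names.

```php
<?php
declare(strict_types=1);

// Constructed sample CSV, in the question's column order:
// Username,Password,Email,first_name,last_name,phone,user_id
$csv = <<<CSV
alice,A101,alice@example.test,Alice,O'Brien,555-0100,1
bob,hunter2,bob@example.test,Bob,Stone,555-0101,2
CSV;

// Assumption: in-memory SQLite so the example runs offline; swap the DSN for MySQL.
// On MySQL, make the Password column VARCHAR(255) so future hash formats fit.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (Username TEXT, Password TEXT, Email TEXT,
    first_name TEXT, last_name TEXT, phone TEXT, user_id INTEGER PRIMARY KEY)');

// One prepared statement, reused per row: values travel as parameters,
// so no quoting, escaping or string concatenation is involved.
$insert = $pdo->prepare(
    'INSERT INTO users (Username, Password, Email, first_name, last_name, phone, user_id)
     VALUES (?, ?, ?, ?, ?, ?, ?)'
);

$pdo->beginTransaction();
foreach (preg_split('/\R/', trim($csv)) as $lineNo => $line) {
    $data = str_getcsv($line, ',', '"', '\\');
    if (count($data) !== 7) {
        $pdo->rollBack();
        throw new RuntimeException('Malformed CSV row ' . ($lineNo + 1));
    }
    // Hash the password exactly as read (no escaping); password_hash() adds the salt.
    $data[1] = password_hash($data[1], PASSWORD_DEFAULT);
    $insert->execute($data);
}
$pdo->commit();

// Login-time check: fetch the stored hash and compare with password_verify().
$lookup = $pdo->prepare('SELECT Password, last_name FROM users WHERE Username = ?');
$lookup->execute(['alice']);
$row = $lookup->fetch(PDO::FETCH_ASSOC);

var_dump(password_verify('A101', $row['Password']));   // check with the imported password
var_dump(password_verify('a101', $row['Password']));   // check with a different password
echo $row['last_name'], PHP_EOL;                        // the apostrophe is stored as plain data
```

Because each hash carries its own random salt, stored values cannot be compared with `=` in SQL; always read the hash back and call `password_verify()`.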
0

For one, using arrays within a string will not work. You need to end the string and concatenate the array elements to have their value in it. The same goes for functions such as the md5() function.

Try:

$import="INSERT into users(Username,Password,Email,first_name,last_name,phone,user_id) values('".$data[0]."','".md5($data[1])."','".$data[2]."','".$data[3]."','".$data[4]."','".$data[5]."','".$data[6]."')";

I hope this helps.

Zoltán Király