encrypt password in md5?

Question

Possible Duplicate:
Need help… how to add md5 to password field in php?

I have got this script to allow users to change their passwords. But am wanting the 'newpassword' to be encrypted into the database with md5. Can anyone tell me how i can change this script to encrypt the 'newpassword' in md5 please?

    <?php
require_once("session.php"); 
require_once("functions.php");
require('_config/connection.php');
?>
<?php 

session_start();

include '_config/connection.php'; 

$email = $_POST['email'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$confirmnewpassword = $_POST['confirmnewpassword'];

$result = mysql_query("SELECT password FROM ptb_users WHERE email='$email'");





if(!$result) 
{ 
echo "The username you entered does not exist"; 
} 
else 
if($password!= mysql_result($result, 0)) 
{ 
echo "You entered an incorrect password"; 
} 
if($newpassword=$confirmnewpassword) 
    $sql=mysql_query("UPDATE ptb_users SET password='$newpassword' where email='$email'"); 
    if($sql) 
    { 
    echo "Congratulations You have successfully changed your password"; 
    }
else
{ 
echo "The new password and confirm new password fields must be the same"; 
}  
?>

md5 is a hash function, and a terrible one at that (use a better one). It's not an encryption. — , Nov 03 '12 at 20:34
See my comment on [your last question](http://stackoverflow.com/questions/13212797/let-user-change-their-own-password): **Do not use MD5**. [It is not secure enough](http://php.net/manual/en/faq.passwords.php) — Quentin, Nov 03 '12 at 20:34
See Waleed Khan's comment on [your last question](http://stackoverflow.com/questions/13212797/let-user-change-their-own-password): **You are vulnerable to [SQL injection](http://bobby-tables.com) attacks** — Quentin, Nov 03 '12 at 20:35
As asked, you just md5 newpassword before the update statement. But using md5 is only slightly more secure than plaintext passwords — AD7six, Nov 03 '12 at 20:36
Here's an article with an alternative to MD5 hashed passwords, and a good explanation of why they are terrible. http://joshuakaiser.com/2012/09/05/responsible-password-management/ — Joshua Kaiser, Nov 03 '12 at 20:45

score 1 · Answer 1 · answered Nov 03 '12 at 20:38

You are checking the database's md5 password against plain text string, you have to convert the password to md5 before you do this check. Example

               else 
   if(md5($password)!= mysql_result($result, 0)) 
    { 
   echo "You entered an incorrect password"; 
    } 
   if($newpassword=$confirmnewpassword)
              $newpassword = md5($newpassword);
$sql=mysql_query("UPDATE ptb_users SET password='$newpassword' where email='$email'"); 
if($sql) 
{ 
echo "Congratulations You have successfully changed your password"; 
}
  else
{ 
 echo "The new password and confirm new password fields must be the same"; 
 }

score 0 · Answer 2 · answered Nov 03 '12 at 20:34

        <?php
    require_once("session.php"); 
    require_once("functions.php");
    require('_config/connection.php');
    ?>
    <?php 

    session_start();

    include '_config/connection.php'; 

    $email = $_POST['email'];
    $password = $_POST['password'];
    $newpassword = $_POST['newpassword'];
    $confirmnewpassword = $_POST['confirmnewpassword'];

    $result = mysql_query("SELECT password FROM ptb_users WHERE email='$email'");





    if(!$result) 
    { 
    echo "The username you entered does not exist"; 
    } 
    else 
    if($password!= mysql_result($result, 0)) 
    { 
    echo "You entered an incorrect password"; 
    } 
    if($newpassword=$confirmnewpassword)
{
        $newpassword=md5($newpassword);
        $sql=mysql_query("UPDATE ptb_users SET password='$newpassword' where email='$email'"); 
}
        if($sql) 
        { 
        echo "Congratulations You have successfully changed your password"; 
        }
    else
    { 
    echo "The new password and confirm new password fields must be the same"; 
    }  
    ?>

Added a line before updating the database which hashes the password variable.

This would be more useful if you changed the query to use parameters. — titanofold, Nov 03 '12 at 21:20

score 0 · Answer 3 · answered Nov 03 '12 at 20:35

The method to do an MD5 hash in PHP is

string md5 ( string $str [, bool $raw_output = false ] )

Simply put the new password through this function and use it instead.

Please note that MD5 is a one way hash so you cannot "decrypt" it afterwords... you will have to compare the string to your database as MD5.

score 0 · Answer 4 · answered Nov 03 '12 at 22:59

Don't use MD5 you can use password_compat instead due to reliability

$password = filter_var($_POST['password'], FILTER_SANITIZE_STRING);
$newpassword = filter_var($_POST['newpassword'], FILTER_SANITIZE_STRING);
$newpassword2 = filter_var($_POST['confirmnewpassword'], FILTER_SANITIZE_STRING);

try {

    if ($newpassword != $newpassword2) {
        throw new Exception("Password Confirmation does not match");
    }

    $mysqli = new mysqli("host", "user", "password", "database");
    $result = $mysqli->query(sprintf("SELECT password FROM ptb_users WHERE email='%s'", $mysqli->escape_string($_POST['email'])));

    if ($result->num_rows < 1) {
        throw new Exception("The username you entered does not exist");
    }

    // Get Old Password
    $dbPassword = reset($result->fetch_assoc());

    // Prepare new hash
    $newHash = password_hash($newpassword, PASSWORD_BCRYPT);

    // Check if (password needs hashing and password is plain ) or Password is
    // hased but still old
    if ((password_needs_rehash($dbPassword, PASSWORD_BCRYPT) && $password == $dbPassword) || password_verify($password, $dbPassword)) {
        $mysqli->query(sprintf("UPDATE ptb_users SET password='%s' where email='%s'", $newHash, $mysqli->escape_string($_POST['email'])));
    } else {
        throw new Exception("Invalid Password");
    }
} catch ( Exception $e ) {
    echo $e->getMessage();
}

encrypt password in md5?

4 Answers4

Linked