-2

I will try to explain as best I can.

At the start of my project I just stored the passwords in plain text format. Now, before uploading it to the server, I want to hash them with MD5, and when a user logs in he should use the simple password as before.

They should just be hashed in the database.

What should I do, without changing a lot in the code and login script?

And how do I add a remember password feature and a forgot password feature to a simple login page? Any link that can sort my issue out?

I am working with PHP and SQL.

devilcrab
  • Ask one question at a time. – Rikesh May 02 '13 at 06:25
  • Don't do that! If you make the MD5ed version of the password the thing that the user has to send, then it makes the MD5 password the thing that the attacker has to know in order to break into an account, which renders using MD5 pointless! The user has to send a real password to the server, it then gets hashed with the same algorithm as the stored passwords *on* the server before being compared to the one in the database. – Quentin May 02 '13 at 06:27
  • MD5 is [not suitable for storing passwords anyway](http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash) – Quentin May 02 '13 at 06:28
  • It isn't safe to use MD5 on passwords. Use bcrypt or scrypt or PBKDF2 or something. – michaelb958--GoFundMonica May 02 '13 at 06:28
  • What do you mean by uploading the passwords to server? – Alexxus May 02 '13 at 06:28
  • What kind of encryption will be best? And @Quentin, I don't understand what you just said. – devilcrab May 02 '13 at 06:29
  • Hashing differs from encryption. – arkascha May 02 '13 at 06:30
  • Hmm, yeah! So what I exactly need is hashing them in SQL, as they are already stored as plain text. What to do? – devilcrab May 02 '13 at 06:30
  • You read up on hashing algorithms until you understand how to choose a sensible one, then you SELECT your passwords and loop over them hashing each one and UPDATING the database with the hashed version. – Quentin May 02 '13 at 06:37
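
The approach the comments above describe (hash on the server with a password-specific algorithm, then SELECT each row and UPDATE it with its hash), as an added example that is not part of the original thread. It assumes PHP 7+ with pdo_sqlite standing in for MySQL, a hypothetical `users(id, login, password)` table and constructed sample accounts; `migrate_passwords` and `check_login` are illustrative names.

```php
<?php
// Constructed sample data: two accounts whose passwords are still plain text.
// On MySQL the password column should be VARCHAR(255) so the hash is not truncated.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT)');
$db->exec("INSERT INTO users (login, password) VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");

// One-time migration: read every row, hash in PHP, write the hash back.
function migrate_passwords(PDO $db): int
{
    $update = $db->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $rows = $db->query('SELECT id, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $migrated = 0;
    $db->beginTransaction();
    foreach ($rows as $row) {
        // Skip values that already look like password_hash() output,
        // so running the migration twice does not hash a hash.
        if (password_get_info($row['password'])['algoName'] !== 'unknown') {
            continue;
        }
        // PASSWORD_DEFAULT is bcrypt at the time of writing; the salt is generated per row.
        $hash = password_hash($row['password'], PASSWORD_DEFAULT);
        $update->execute([':hash' => $hash, ':id' => $row['id']]);
        $migrated++;
    }
    $db->commit();
    return $migrated;
}

// Login: the client sends the real password, the server checks it against the stored hash.
function check_login(PDO $db, string $login, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

echo migrate_passwords($db), " rows migrated\n";
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, 'alice', 'wrong'));
var_dump(check_login($db, 'nobody', 'hunter2'));
```

Because each hash carries its own salt, the comparison cannot be done with `WHERE password = ...` in SQL; the row is fetched by login and verified in PHP.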

3 Answers

2

As for your MD5 question:

```sql
UPDATE users SET password = MD5(password)
```

In your login script, where you validate the credentials of your user, you simply add the MD5 function as well:

```sql
SELECT id FROM users WHERE login = :login AND password = MD5(:password)
```

Your second question concerning password lost functionality has extensive coverage on SO.

Sherlock
0

For your first issue, run this query:

```sql
UPDATE urusertable SET password=md5(password);
```

And for your second issue: when the user checks your "keep me logged in" checkbox, check for it and then set a cookie for your desired time:

```php
// Set the "remember me" cookie when the checkbox was ticked;
// time()+3600*7 makes it expire 7 hours from now.
if (isset($_POST['remember'])) {
    setcookie('rememberhim', 'whateverurvalue', time() + 3600 * 7);
}
```

Then check for the cookie each time the user accesses your site. If you just want to auto-populate the login fields, also store the username and password in a cookie. But it is a very bad practice to auto-populate.

themightysapien
-1

PHP has a MD5 function (as you probably know):

```php
// Run once: hash each row's own password (assumes an `id` key column; mysql_* needs PHP < 7).
$result = mysql_query("SELECT `id`, `password` FROM `users`");
while ($row = mysql_fetch_assoc($result)) {
    $password = md5($row['password']);
    mysql_query("UPDATE `users` SET `password` = '$password' WHERE `id` = " . (int) $row['id']);
}
```

(Obviously you would need to adjust the above code to work with your database structure)

If your databases are using phpMyAdmin, there is also a built-in MD5 function that you could theoretically use to update all of the tables at once.

VCNinc