
When a user registers on my site I insert their password into the database like this, using the ENCRYPT function (the database is MySQL):

    $qry = "INSERT INTO members(firstname, lastname, email, login, passwd) VALUES ('$fname','$lname','$email', '$login',ENCRYPT('$password'))";

When I match it when they log in, I use this query, but it doesn't seem to be working:

    $qry="SELECT * FROM members WHERE login='$login' AND passwd = ENCRYPT('$password')";

Why does this not work?

  • It doesn't look like you're doing `ENCRYPT` on the `INSERT` query -- can you show us where you're doing it? – Christian Ternus Oct 24 '13 at 22:54
  • In the database, do you see an encrypted password? Also, can you verify `ENCRYPT(string)` returns the same thing each time (I don't know how that SQL function works, maybe it uses some sort of salt) – Mike Christensen Oct 24 '13 at 22:57
  • My query does encrypt the password, you just have to scroll across, and yeah, I see an encrypted password in the database. – Luke14 Oct 24 '13 at 22:58
  • Use [`crypt()`](http://php.net/manual/en/function.crypt.php) with [`sha1()`](http://php.net/manual/en/function.sha1.php) along with a "dash of salt"; that's what I use. – Funk Forty Niner Oct 24 '13 at 23:48
  • [This might be useful](http://stackoverflow.com/a/4840755/1415724) – Funk Forty Niner Oct 25 '13 at 00:22

2 Answers

According to the ENCRYPT documentation:

    ENCRYPT(str[,salt])

Encrypts str using the Unix crypt() system call and returns a binary string. The salt argument must be a string with at least two characters or the result will be NULL. If no salt argument is given, a random value is used.

So you are getting this because each time you call the ENCRYPT function a new salt string is used; you probably need to set the salt before trying it. For example, when I tried with a salt, I got the result I was looking for:

    SELECT ENCRYPT(  'hello',  'stringSalt' ) =  'stOIgrUfQZeZ.'

But if I don't use the salt string:

    select encrypt('hello');

    1st result: qn8VHq6xLWgQc
    2nd result: 6odpFDddcEdoA

Both results are completely different.

Finally, if the crypt function is not on your OS, then the result would be null.

(Thanks @Fred ii for the note)

  • And as an added note which "may" be the case: *"If crypt() is not available on your system (as is the case with Windows), ENCRYPT() always returns NULL"* – Funk Forty Niner Oct 24 '13 at 23:36

Encrypting passwords is not easy; you should not ask on Stack Overflow.

This article discusses the correct approach: Secure hash and salt for PHP passwords

Do not invent this from scratch; you must use an industry-standard and strong method such as scrypt, bcrypt or PBKDF2, and before using them you need to study how they work and make sure you're implementing them properly.

Any questions you have about implementation should really be asked at security.stackexchange.com, as Stack Overflow isn't really the place for security questions.

The technique you have posted so far is COMPLETELY WRONG. It can't be fixed, you need to start over from scratch and do it differently.
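An added illustration (not from the question or either answer) of the two points made above: a salted hash can only be verified by re-deriving it with the salt stored in the record, never by comparing against a freshly salted hash as the question's login query does, and PBKDF2 is one of the standard constructions named in the second answer. The iteration count, salt length and `algo$iterations$salt$hash` record format are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (PBKDF2-HMAC-SHA256).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn when none is given; the salt is kept
    inside the stored string so that verification can reuse it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the salt and iteration count from the stored record."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def naive_login_check(password: str, stored: str) -> bool:
    """Reproduce the question's mistake: compare the stored record against a
    *newly* salted hash (the equivalent of `passwd = ENCRYPT('$password')`).
    The fresh random salt differs, so this almost always returns False."""
    return hash_password(password) == stored
```

Running `verify_password("hello", hash_password("hello"))` returns True, while `naive_login_check` with the same inputs fails, which is exactly the behaviour the question reports.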
