3

I have used md5() for this purpose

```php
// Original snippet from the question, kept as posted: the password is stored as a bare
// MD5 digest and both POST values are interpolated straight into the SQL string.
// username and password sent from form
$username=$_POST['myusername'];
$password=$_POST['mypassword'];
$encrypted_password=md5($password); // unsalted MD5, not a password hash

// $username and $encrypted_password become part of the query text itself
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$encrypted_password'";
$result=mysql_query($sql); // ext/mysql, removed in PHP 7
```

But I heard that it is not safe. I'm a beginner, so please suggest a good password encrypting method. Also, if POST data was intercepted, would it be visible as plaintext?

roemel
Akshay
  • Use PHP's [password_*](http://www.php.net/manual/en/function.password-hash.php) functions – Mark Baker Jan 18 '14 at 16:49
  • What about letting mysql handle the encryption? In general you can say that complex passwords are harder to crack, so try to set a policy that enforces strong passwords. – blissini Jan 18 '14 at 16:53
  • 3
    If your not using HTTPS then yes the password is sent from the client in the clear. – Alex K. Jan 18 '14 at 16:53
  • Password hashing isn't your only problem. You also have an SQL injection problem. – Mike Jan 18 '14 at 17:00

2 Answers

1

I'm a beginner so please suggest me a good password encryting method

Make use of crypt() instead of md5()

```php
<?php
// crypt() with no salt argument emits a notice from PHP 5.6 and is refused in PHP 8,
// so build a bcrypt ($2y$, cost 10) salt explicitly: 22 characters from the ./A-Za-z0-9 alphabet.
$salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
$hashed_password = crypt('mypassword', $salt);

// Verify by hashing the candidate with the stored hash as the salt; compare with
// hash_equals() rather than == so the comparison is constant-time and strict.
if (hash_equals($hashed_password, crypt($user_input, $hashed_password))) {
   echo "Password verified!";
}
?>
```

Some examples from the PHP Manual

also if post data was intercepted would it be visible as plaintext?

Of course! If you are really concerned about that, get an SSL certificate configured on your domain.

Shankar Narayana Damodaran
1

In PHP 5.5 you could use the new password_hash

```php
$hash = password_hash($password, PASSWORD_DEFAULT);
```

In older versions, there's a compatibility layer which does the same: https://github.com/ircmaxell/password_compat

Philipp