-1

Problem:

I have a login/registration app which stores password in encrypted form on MySQL server database. I want to have no encryption in the user password for future recovery. This PHP is not made by me neither I have that expertise to edit it. If you guys can help how to remove encryption in this so that I can see password of users in database. Novice here.

P.S- I don't want users credentials for any misuse. I tried many methods of providing a password recovery system to the users but nothing worked. So I want to keep password visible to me in database so that if someone request for his/her password I should be able to provide them. 

<?php
class DB_Functions
{
private $db;

//put your code here
// constructor
function __construct() {
    require_once 'DB_Connect.php';
    // connecting to database
    $this->db = new DB_Connect();
    $this->db->connect();
}

// destructor
function __destruct() {

}

/**
 * Storing new user
 * returns user details
 */
public function storeUser($name, $email, $password, $number) {
    $uuid = uniqid('', true);
    $hash = $this->hashSSHA($password);
    $encrypted_password = $hash["encrypted"]; // encrypted password
    $salt = $hash["salt"]; // salt
    $result = mysql_query("INSERT INTO users(unique_id, name, email, encrypted_password, number, salt, created_at) VALUES('$uuid', '$name', '$email', '$encrypted_password', '$number', '$salt', NOW())");
    // check for successful store
    if ($result) {
        // get user details 
        $uid = mysql_insert_id(); // last inserted id
        $result = mysql_query("SELECT * FROM users WHERE uid = $uid");
        // return user details
        return mysql_fetch_array($result);
    } else {
        return false;
    }
}

/**
 * Get user by email and password
 */
public function getUserByEmailAndPassword($email, $password) {
    $result = mysql_query("SELECT * FROM users WHERE email = '$email'") or die(mysql_error());
    // check for result 
    $no_of_rows = mysql_num_rows($result);
    if ($no_of_rows > 0) {
        $result = mysql_fetch_array($result);
        $salt = $result['salt'];
        $encrypted_password = $result['encrypted_password'];
        $hash = $this->checkhashSSHA($salt, $password);
        // check for password equality
        if ($encrypted_password == $hash) {
            // user authentication details are correct
            return $result;
        }
    } else {
        // user not found
        return false;
    }
}

/**
 * Check user is existed or not
 */
public function isUserExisted($email) {
    $result = mysql_query("SELECT email from users WHERE email = '$email'");
    $no_of_rows = mysql_num_rows($result);
    if ($no_of_rows > 0) {
        // user existed 
        return true;
    } else {
        // user not existed
        return false;
    }
}

/**
 * Encrypting password
 * @param password
 * returns salt and encrypted password
 */
public function hashSSHA($password) {

    $salt = sha1(rand());
    $salt = substr($salt, 0, 10);
    $encrypted = base64_encode(sha1($password . $salt, true) . $salt);
    $hash = array("salt" => $salt, "encrypted" => $encrypted);
    return $hash;
}

/**
 * Decrypting password
 * @param salt, password
 * returns hash string
 */
public function checkhashSSHA($salt, $password) {

    $hash = base64_encode(sha1($password . $salt, true) . $salt);

    return $hash;
}} ?>
Tony Stark
  • 93
  • 1
  • 2
  • 11
  • 1
    DONT REMOVE password encryption, replace it with PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php) please use them, I might want to use your site one day And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Jul 15 '16 at 15:19
  • 1
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statement and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jul 15 '16 at 15:20
  • 1
    Please dont use [the `mysql_` database extension](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php), it is deprecated (gone for ever in PHP7) Specially if you are just learning PHP, spend your energies learning the `PDO` database extensions. [Start here](http://php.net/manual/en/book.pdo.php) its really pretty easy – RiggsFolly Jul 15 '16 at 15:20
  • I think the safest solution here would be to rewrite this app completely – RiggsFolly Jul 15 '16 at 15:21
  • Then how to retrieve the password of the user in case he/she lose it. – Tony Stark Jul 15 '16 at 15:22
  • What you want to do is a bad idea. – WillardSolutions Jul 15 '16 at 15:22
  • Password recovery systems are not that difficult. And there must be 100's of tutorials out there if not 1000 to help you on your way – RiggsFolly Jul 15 '16 at 15:23
  • well I tried some but nothing worked. It looks like I should spend a lot of time learning this thing to make it safe and working. – Tony Stark Jul 15 '16 at 15:25
  • Now you are on the right page – RiggsFolly Jul 15 '16 at 15:26
  • 1
    Administrators should never know the passwords of their system's users. It's a huge liability. What if one of your users gets compromised? You'd be the prime suspect. You can see how passwords get hashed into the database in the `storeUser()` function. If a user needs password recovery, you can use similar code to set a temporary password which you tell the user. Then the user logs in and changes the password to one you don't know. – Juan Tomas Jul 15 '16 at 15:27
  • Thanks for guiding. I will learn it. any easy tutorial for beginners? – Tony Stark Jul 15 '16 at 15:28
  • 1
    Google is your friend... search `php password recovery system` and take your pick – RiggsFolly Jul 15 '16 at 15:32
  • See [How to securely hash passwords, The Theory](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846) on Security Stackexchange. See OWASP (Open Web Application Security Project) [Password Storage Cheat Sheet](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Leverage_an_adaptive_one-way_function). [Modern, Secure, Salted Password Hashing Made Simple](https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#legacy-hashes) – zaph Jul 15 '16 at 16:30
  • If the users forgets their password send an email to them with a link to changing their password. I'm sure you have seen this many times.,it is the secure way to handles forgotten passwords. – zaph Jul 15 '16 at 16:33

1 Answers1

-1

Function storeUser using for save record to database And you can see this line

$hash = $this->hashSSHA($password);
$encrypted_password = $hash["encrypted"]; // encrypted password
$salt = $hash["salt"]; // salt

If you don't want save encrypted password just modify

$result = mysql_query("INSERT INTO users(unique_id, name, email, encrypted_password, number, salt, created_at) VALUES('$uuid', '$name', '$email', '$password', '$number', '$salt', NOW())");

P/s: I'm not recommend using this method to save password. This's bad solution. Please try to encrypt password and if user want to reset. Just give them one link do it by email.

Quynh Nguyen
  • 2,959
  • 2
  • 13
  • 27
  • yes I was trying to implement a password recovery method through email. But I am not able to get email to the user. can you recommend some article or tutorial which may help me do this easily. – Tony Stark Jul 15 '16 at 15:26
  • Why you can't send email to user. This's basic module you must have. – Quynh Nguyen Jul 15 '16 at 15:29
  • Easiest way is: you have one module change password of user in Admin Controll Panel. When user request reset password you can change new password and send it to user. This's best way if you don't have skill in PHP – Quynh Nguyen Jul 15 '16 at 15:30
  • Yes You are right. Something I am missing. Backend PHP code was given to me through which a user should be able to recover password. But its not working. (I brought an app which has these features but support to that app has ended). So Its tough for me. – Tony Stark Jul 15 '16 at 15:35
  • 2
    Rent yourself a developer – RiggsFolly Jul 15 '16 at 15:35
  • I think RiggsFolly's way is the best way in this case xD. – Quynh Nguyen Jul 15 '16 at 15:38
  • Yup. Looks like I have to. – Tony Stark Jul 15 '16 at 15:38
  • Can you vote up for me for my answer? If this can help you xD. – Quynh Nguyen Jul 15 '16 at 15:39
  • Did it. Thank you all. – Tony Stark Jul 15 '16 at 15:41
  • **Do not encrypt passwords**, when the attacker gets the DB he will also get the encryption key. Iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as password_hash, PBKDF2, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Jul 15 '16 at 16:30
  • I just explain how to edit this code like his mind. And some one vote down my answers. Please? – Quynh Nguyen Jul 15 '16 at 16:34