-6

The code here is encrypting the password, but how do I decrypt it or compare it to log in in Laravel?

Code where used

   getsql(md5($_POST['regpassword'] . SALT), "default"),
Kareimovich
  • Don't use `MD5` for passwords. Use `password_hash()` and `password_verify()`. – Barmar Jul 02 '19 at 20:15
  • They do the salting automatically. – Barmar Jul 02 '19 at 20:15
  • @Barmar it's not mine. I have to get a database with members whose passwords are encrypted in that way – Kareimovich Jul 02 '19 at 20:16
  • Is `SALT` a constant? The whole point of adding salt to a password is that it should be generated randomly, different for each user. – Barmar Jul 02 '19 at 20:17
  • What does `getsql()` do? – Barmar Jul 02 '19 at 20:17
  • @Barmar not my code. The whole problem is that `. SALT` is not a variable. How can I compare it with the database? – Kareimovich Jul 02 '19 at 20:20
  • @Barmar I'm getting this error: Use of undefined constant SALT - assumed 'SALT' (this will throw an Error in a future version of PHP) – Kareimovich Jul 02 '19 at 20:23
  • Then you need `DEFINE('SALT', );` But like I said, it doesn't really make sense for salt to be a constant. – Barmar Jul 02 '19 at 20:25
  • See https://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php – Charlotte Dunois Jul 02 '19 at 20:30
  • If you need help with someone else's code, get in touch with the author of said code. Meanwhile `md5` is an unsafe hashing algorithm and MUST NOT be used for hashing passwords. And since it's a hash, it can't be reversed. Preferred algorithms are bcrypt and argon2(id) (latter to be preferred if available). – Charlotte Dunois Jul 02 '19 at 20:33

2 Answers

0

md5 is hashing and it's not reversible; you can't decrypt it. You can only hash the password using the same algorithm and salt, then compare the results to make sure that it's the correct password.

M.Elkady
0

When you're validating the password, you can do:

    $hashed = md5($_POST['password'] . SALT);
    $sql = "SELECT * FROM users WHERE username = '{$_POST['username']}' AND password = '$hashed'";

I've simplified this to show the important part of how to check the password; in reality you should use a prepared statement to prevent SQL injection.

Another way is to fetch the hashed password from the database, then compare it with the hashed+salted password that was given:

    $hashed = md5($_POST['password'] . SALT);
    $sql = "SELECT password FROM users WHERE username = '{$_POST['username']}'";
    $result = mysqli_query($conn, $sql);
    $row = mysqli_fetch_assoc($result);
    if ($row && $hashed == $row['password']) {
        // user is validated
    }

If you fix your method of storing passwords to use a more reasonable method than a static SALT, this second method can easily be updated. Instead of `$hashed == $row['password']` you would use `password_verify($_POST['password'], $row['password'])`.

Barmar
  • Like I said above, you need to define SALT. – Barmar Jul 02 '19 at 20:30
  • Use of undefined constant SALT - assumed 'SALT' (this will throw an Error in a future version of PHP) – Kareimovich Jul 02 '19 at 20:30
  • You need to do it the same for both encryption and validation. I thought you said that encryption was working. – Barmar Jul 02 '19 at 20:31
  • This is not good advice, because it works only with a static salt, which defeats the purpose of a salt. Instead one should search by user only and then verify the hash with PHP, as shown in this [answer](https://stackoverflow.com/a/38422760/575765). – martinstoeckli Jul 03 '19 at 12:28
  • @martinstoeckli I said the same thing in comments on the question itself. The OP seemed to say that the password hashing mechanism was already being used and he couldn't change it, he just needs to know how to validate passwords. – Barmar Jul 03 '19 at 15:44
  • I see, maybe you could improve your example a little bit, by searching by username only and comparing the hashes afterwards, this would make it easier to switch to a good solution later. – martinstoeckli Jul 04 '19 at 06:14
  • @martinstoeckli Good suggestion, I've shown that alternate style – Barmar Jul 04 '19 at 23:59
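
As an added example (not code from either answer or from the asker's project), here is one way to keep validating the existing `md5($password . SALT)` hashes while moving each account to `password_hash()` at its next successful login, which goes one step beyond the `password_verify()` switch mentioned in the answer. It looks the user up by name with a prepared statement and compares in PHP; `LEGACY_SALT`, the `users` table layout, the in-memory SQLite database and the sample account are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post. LEGACY_SALT, the users table and
// the sample account are constructed placeholders.
const LEGACY_SALT = 'example-static-salt';

// Return true when $password matches the stored hash for $username, upgrading
// a legacy md5(password . SALT) hash to password_hash() on success.
function verifyAndUpgrade(PDO $db, string $username, string $password): bool
{
    // Prepared statement: search by username only, compare hashes in PHP.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false; // no such user, or no password stored
    }

    // Rows that were already migrated hold a recognisable password_hash() string.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        return password_verify($password, $stored);
    }

    // Legacy row: recompute md5 with the static salt. hash_equals() compares
    // in constant time and is not subject to loose "==" type juggling.
    if (!hash_equals($stored, md5($password . LEGACY_SALT))) {
        return false;
    }

    // The correct password is in hand, so replace the MD5 value with a
    // per-user salted hash.
    $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    return true;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', md5('correct horse' . LEGACY_SALT)]);

var_dump(verifyAndUpgrade($db, 'alice', 'wrong'));         // wrong password
var_dump(verifyAndUpgrade($db, 'alice', 'correct horse')); // legacy hash path, row is upgraded
var_dump(verifyAndUpgrade($db, 'alice', 'correct horse')); // checked against the upgraded hash
```

The password column must be wide enough for `password_hash()` output; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.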