1

When I try to put a new user's password into a MySQL database, it doesn't encrypt it correctly. Here's the code I'm using: 

$encPassword = hash('sha256', $_POST['password']); 
    $query = sprintf("INSERT INTO users(`userName`,`email`,`password`) 
        VALUES('%s','%s',PASSWORD('%s'))", 
        mysql_real_escape_string($_POST['userName']), 
        mysql_real_escape_string($_POST['email']), 
        mysql_real_escape_string($encPassword))or die(mysql_error()); 
    $sql = mysql_query($query);

When I check the database though, it doesn't store the password as sha256 encrypted. It only has 16 random characters (it should have ~50). What's wrong with it?

James
  • 2,233
  • 4
  • 20
  • 30
  • is your field VARCHAR with proper length? – mkk Aug 23 '11 at 23:02
  • Of what type is your password field in the database? – Raffael Luthiger Aug 23 '11 at 23:03
  • I would recommend CHAR(64) or BINARY(256) instead. Not that it makes much of a difference, I suppose :) – Ry- Aug 23 '11 at 23:04
  • @minitech it's stil a good practice, if you know you're always going to have the same number of characters. Plus, although it's not relevant here, you should get a speed-up if all your columns are fixed width (not relevant here b/c there's a varchar username and varchar email). – Robert Martin Aug 23 '11 at 23:07
  • 1
    You should also salt your password for better security. Using `bcrypt` to hash the password is better as well. – toby Aug 23 '11 at 23:10

4 Answers4

4

Check you have correct column lenght allowed in your table. That's the most common problem. Your field must be at least VARCHAR(64)

genesis
  • 50,477
  • 20
  • 96
  • 125
  • Sorry, I just saw that the OP was using `PASSWORD` which stores the result in 41 characters according to http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html#function_password. Nevermind :P – Ry- Aug 23 '11 at 23:08
  • @minitech: it doesn't matter, he can use 64, too, it won't kill him :) – genesis Aug 23 '11 at 23:09
3

I don't think you should use the PASSWORD keyword: http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html#function_password

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead. Also see RFC 2195, section 2 (Challenge-Response Authentication Mechanism (CRAM)), for more information about handling passwords and authentication securely in your applications.

But, you've already hashed the password on the 1st line of code. Just insert that directly into the database...

Robert Martin
  • 16,759
  • 15
  • 61
  • 87
  • sha256 is a *hash* function, not an encryption algorithm. Hash algorithms are designed to be one-way, ie. non-reversible. You should edit your answer to say "hashed", not "encrypted". – Jared Ng Aug 23 '11 at 23:19
  • I've changed it to be more specific. But in my defense 'encrypted' is not wrong -- hashing is just a specific type of encryption. – Robert Martin Aug 23 '11 at 23:58
  • 1
    I have to disagree (see http://stackoverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it). Hashing and encryption are both in the realm of *cryptography*, but they are fundamentally different. Hashing is irreversible, while encryption, by definition, must be two-way. There must exist a decryption function for every encryption function. – Jared Ng Aug 24 '11 at 00:00
0

Have you checked the value of $encPassword before the INSERT?

JJ.
  • 5,425
  • 3
  • 26
  • 31
0

It's because you are using PASSWORD('%s') function in your query, (so you are double hashing your password).

Just insert it as other values ('%s')

dev-null-dweller
  • 29,274
  • 3
  • 65
  • 85