
When a user registers on my site I insert their password into the database like this, using the encrypt function (the database is MySQL):

$qry = "INSERT INTO members(firstname, lastname, email, login, passwd) VALUES ('$fname','$lname','$email', '$login',ENCRYPT('$password'))";

When I match it when they log in I use this query, but it doesn't seem to be working:

$qry="SELECT * FROM members WHERE login='$login' AND passwd = ENCRYPT('$password')";

Why does this not work?

  • It doesn't look like you're doing ENCRYPT on the INSERT query -- can you show us where you're doing it? Commented Oct 24, 2013 at 22:54
  • In the database, do you see an encrypted password? Also, can you verify ENCRYPT(string) returns the same thing each time (I don't know how that SQL function works, maybe it uses some sort of salt)? Commented Oct 24, 2013 at 22:57
  • My query does encrypt the password, you just have to scroll across, and yeah, I see an encrypted password in the database. Commented Oct 24, 2013 at 22:58
  • Use crypt() with sha1() along with a "dash of salt"; that's what I use. Commented Oct 24, 2013 at 23:48
  • This might be useful. Commented Oct 25, 2013 at 0:22

2 Answers

According to the encrypt documentation:

ENCRYPT(str[,salt])

Encrypts str using the Unix crypt() system call and returns a binary string. The salt argument must be a string with at least two characters or the result will be NULL. If no salt argument is given, a random value is used.

Then, you are getting the same, because each time that you are requesting the function encrypt, a new salt string is being used; probably you need to set the salt before trying it. For example, when I have tried with a salt, I have got the result that I was looking for:

SELECT ENCRYPT(  'hello',  'stringSalt' ) =  'stOIgrUfQZeZ.'

But, if I don't use the salt string:

select encrypt('hello');

1st result: qn8VHq6xLWgQc
2nd result: 6odpFDddcEdoA

Both results are completely different.

Finally, if the crypt function is not on your OS, then the result would be null.


Encrypting passwords is not easy, you should not ask on stack overflow.

This article discusses the correct approach: Secure hash and salt for PHP passwords

Do not invent this from scratch; you must use an industry standard and strong method such as scrypt, bcrypt or PBKDF2, and before using them you need to study how they work and make sure you're implementing them properly.

Any questions you have about implementation should really be asked at security.stackexchange.com as stack overflow isn't really the place for security questions.

The technique you have posted so far is COMPLETELY WRONG. It can't be fixed, you need to start over from scratch and do it differently.
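Putting both answers together (the salt must be stored and reused at login rather than generated fresh, and the hash should be a standard KDF such as PBKDF2), here is an added example in Python that is not part of the question or either answer. It assumes an in-memory SQLite table standing in for the MySQL `members` table, a constructed storage format `pbkdf2_sha256$iterations$salt$hash`, and an illustrative iteration count.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

# Stored field format (an assumption for this example, not MySQL's ENCRYPT() output):
#   pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
ITERATIONS = 200_000  # illustrative; raise to what your hardware tolerates

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; a fresh random salt is drawn at registration."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive using the salt embedded in the stored value and compare in constant time.
    This is the step the question's ENCRYPT('$password') skips: it draws a new salt instead."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)

def open_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for the MySQL 'members' table from the question."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (login TEXT PRIMARY KEY, passwd TEXT NOT NULL)")
    return db

def register(db: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterised query: user input is bound, not interpolated into the SQL string.
    db.execute("INSERT INTO members (login, passwd) VALUES (?, ?)", (username, hash_password(password)))

def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Look the row up by login only; the password check happens in application code
    # with the stored salt, so the comparison is repeatable.
    row = db.execute("SELECT passwd FROM members WHERE login = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])

def demo() -> dict:
    db = open_db()
    register(db, "alice", "correct horse")
    return {
        # Two hashes of the same password differ (random salt), exactly as ENCRYPT() without salt does.
        "fresh_hashes_differ": hash_password("correct horse") != hash_password("correct horse"),
        "good_login": login(db, "alice", "correct horse"),
        "bad_password": login(db, "alice", "wrong"),
        "unknown_user": login(db, "bob", "correct horse"),
    }
```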
