• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 807
  • Last Modified:

Encrypted but not able to decrypt password in php MYSQL

I run a script to encrypt the password table in mysql database (Script attached) and I have not been able to logon. I guess I need a php decrypt script which I don't have. Also where do I run the script? is it in my login page or as a standalone php script.
Please I need help. Thanks
encrypt.txt
0
omojesu
Asked:
omojesu
6 Solutions
 
Aaron TomoskySD-WAN SimplifiedCommented:
When you try to login, encrypt the password you typed in and see I that matches the db field. Also, never run this script again as it will double encrypt your passwords. You should be encrypting each password as a user is created. This was a utility script to convert a big table of passwords to their encrypted versions and can never be run again.
0
 
Ray PaseurCommented:
That is a really scary script.  Back up your data base before you ever run anything like that - it directly mungs the data!

It looks like what you will need to do now is use the md5() function to convert the client-input password into a 32-character string.  Then you should be able to compare the resulting string to the password field in the data base.

When you register a new user, the code will look something like this...

$coded_password = md5($_POST["clear_text_password"]);
$sql = INSERT INTO myUserTable (password) values ( '$coded_password' )
0
 
Aaron TomoskySD-WAN SimplifiedCommented:
Much more eloquently spoken Ray. That's what I get for answering questions on my phone :)
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
gr8gonzoConsultantCommented:
A minor extra comment (not points-worthy):

Whenever you run administrative or maintenance scripts like this, I highly recommend that you do NOT make them web-accessible. A good rule to follow is that anything web-accessible could potentially be executed by accident. So if it would be a bad thing if someone unwittingly stumbled across the script, then put the script into a folder and use the PHP command line to run the script.

Case in point: I knew someone who had a "Live Bookmarks" type of system where their bookmarks were posted online. They bookmarked a "secret", unlinked page used for deploying some code changes to a production system. A search engine discovered the bookmark and proceeded to "index" all of the links, which resulted in all sorts of development code being sent into a live environment.

So always keep these types of scripts outside of any sort of web-accessible location and run them from the command line if you need to do it.
0
 
blueghoztCommented:
md5 encryption is really meant to be one-way - it is considered vulnerable given the presence of resources like http://md5.rednoize.com/ which you can use to decrypt quite a lot of MD5 hashes - maybe use this if you need to find the plain string version of what you have stored in your db.
0
 
Ray PaseurCommented:
http://md5.rednoize.com/about/

The vulnerability of md5() is more about the speed of attacking computers than the availability of rednoize.  Rednoize does not decrypt; it only does a data base lookup.  Still, it might contain some of the md5() strings for common words or passwords.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now