<div>
ideally you won't encrypt and decrypt a password 
 
instead, use a cryptographically secure hashing algorithm (like bcrypt) 
store the hash 
when a user logs in, hash their password and compare that to the stored hash. 
 
the reason you do this is, encryption is reversible (hence decryption) but hashing is not. 
 
 
here's a nice example along with expanded explanations of what I have above. 
 
<a href="https://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/" rel="ugc">https://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/</a>
</div>

<div>
Please see An Afterword About Storing Passwords 
<a href="https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html" rel="ugc">https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html</a> 
 
Make a Google search for &quot;Correct Horse Battery Staple&quot; 
 
Then if you still want to encrypt and decrypt information, you can use something like this: 

<pre><code class="code-10 nolinks" id="code-20-41499309-1">&lt;?php // demo/encrypt_decrypt_mcrypt.php
/**
 * Notice: MCrypt is sometimes considered &quot;dead&quot; in 2015
 * but the PHP documents are incomplete for OpenSSL
 *
 * Show how to encrypt and decrypt information
 * with binary-safe transport over the internet
 * Note: ECB may not be the &quot;best&quot; mode
 *
 * http://php.net/manual/en/book.mcrypt.php
 * http://php.net/manual/en/ref.mcrypt.php
 * http://php.net/manual/en/mcrypt.ciphers.php
 *
 * https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
 * https://en.wikipedia.org/wiki/Base64
 *
 * Parallel construction in the encrypt() decrypt() methods
 */
error_reporting(E_ALL);


/**
 * The Interface defines the two main data transformation activities
 */
Interface Encryption_Interface
{
 public function encrypt($text);
 public function decrypt($text);
}

class Mcrypt_Encryption Implements Encryption_Interface
{
 protected $key;

 public function __construct($key='quay')
 {
 // THE KEY MUST BE KNOWN TO BOTH PARTS OF THE ALGORITHM
 $this-&gt;key = $key;
 }

 public function encrypt($text)
 {
 // DECLOP WHITESPACE BEFORE ENCRYPTION
 $text = trim($text);

 // ENCRYPT THE DATA
 $data = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this-&gt;key, $text, MCRYPT_MODE_ECB);

 // MAKE IT base64() STRING SAFE FOR STORAGE AND TRANSMISSION
 return base64_encode($data);
 }

 public function decrypt($text)
 {
 // DECODE THE DATA INTO THE BINARY ENCRYPTED STRING
 $text = base64_decode($text);

 // DECRYPT THE STRING
 $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this-&gt;key, $text, MCRYPT_MODE_ECB);

 // DECLOP NUL-BYTES BEFORE THE RETURN
 return trim($data);
 }
}


// INSTANTIATE AN ENCRYPTION OBJECT FROM THE CLASS
$c = new Mcrypt_Encryption();

// INITIALIZE VARS FOR LATER USE IN THE HTML FORM
$encoded = $decoded = NULL;

// IF ANYTHING WAS POSTED SHOW THE DATA
if (!empty($_POST[&quot;clearstring&quot;]))
{
 $encoded = $c-&gt;encrypt($_POST[&quot;clearstring&quot;]);
 echo &quot;&lt;br/&gt;{$_POST[&quot;clearstring&quot;]} YIELDS ENCODED &quot;;
 var_dump($encoded);
}

if (!empty($_POST[&quot;cryptstring&quot;]))
{
 $decoded = $c-&gt;decrypt($_POST[&quot;cryptstring&quot;]);
 echo &quot;&lt;br/&gt;{$_POST[&quot;cryptstring&quot;]} YIELDS DECODED &quot;;
 var_dump($decoded);
}

// CREATE THE FORM USING HEREDOC NOTATION
$form = &lt;&lt;&lt;FORM
&lt;form method=&quot;post&quot;&gt;
&lt;input name=&quot;clearstring&quot; value=&quot;$decoded&quot; /&gt;
&lt;input type=&quot;submit&quot; value=&quot;ENCRYPT&quot; /&gt;
&lt;br/&gt;
&lt;input name=&quot;cryptstring&quot; value=&quot;$encoded&quot; /&gt;
&lt;input type=&quot;submit&quot; value=&quot;DECRYPT&quot; /&gt;
&lt;/form&gt;
FORM;

echo $form;
</code></pre>
</div>

<div>
There are some articles here for this very thing that will outline what you want to do 
&nbsp;<a href="https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html" rel="ugc">https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html</a> 
 
<a href="https://www.experts-exchange.com/articles/9739/PHP-MySQL-User-Authentication.html" rel="ugc">https://www.experts-exchange.com/articles/9739/PHP-MySQL-User-Authentication.html</a> 
 
In simple pseudo code &nbsp; 

<pre><code class="code-10 nolinks" id="code-20-41499314-1">newPassword = &quot;FidoMyDogsName&quot;
salt1 = username
salt2 = some_random_string
salt3 = something_else

hashPass = hash(concatenate(newPassword, salt1,salt2,salt3)) //the hash will be a long text string

// store the hashed password to the database

// to test the pass
posted_password = &quot;FidoMyDogsName&quot;
//test the password against what is in the db
salt1 = username
salt2 = some_random_string
salt3 = something_else
password_test = hash(concatenate(posted_password , salt1,salt2,salt3))
if(passwword_test === pass_stored_in_database){
 // password is good
} else {
 // password is bad
}
</code></pre>
</div>

<div>
Scott Fell, 
 
I converted your pseudo code to real php; it works. 
 
But the issue I see is where do I store salt1, salt2 &amp;&nbsp;salt3? In the database? I can see that salt2 can be a different random value for each client. 
 
But if this stuff is in the database and the objective is to avoid database hacking, aren't the &quot;keys&quot; to the kingdom already there in the database?
</div>

<div>
a salt isn't a key but is necessary to duplicate the hash. &nbsp;you would need to store them in the database or someplace where the authenticating code can access them so it can apply the salt to the candidate password and generate the hash for comparison to the stored hash.
</div>

<div>
Exactly, you don't have to use salt, but it helps to create a more secure hash. &nbsp;In my sample I used the username. &nbsp;You know the username either from the user entering data or a database result. 
 
You can stop there, but you can add an additional hash key value that is just hardcoded. &nbsp;Let's say you have hard coded salt2 &nbsp;= &quot;zhsLysk82ka;zkdjhf@svx!&quot; &nbsp;Just make sure to use the same hard coded information throughout your code. &nbsp;It is probably best to not store salt keys in your db anyway. &nbsp;The reason why you are creating the hash is if the db is compromised. If your entire server is compromised, that is is a different story. 
 
There are more advanced ways of dealing with this where the hash is random or changes every log in. &nbsp;At a minimum I would use something like the username and random string that you hard code.
</div>

<div>
Scott, 
 
So you suggest just hard code the salt2 in the few (I think only two) programs where it is needed. &nbsp;And as you say, if the entire server is compromised, that is a much bigger issue. 
 
Richard
</div>

<div>
That is one way of doing it. 
 
Have a read of the first 2 articles below and they will really help you understand. &nbsp;I used both of them myself a few years ago. Just know they are old and when they talk about md5 for instance, that is easy to crack with today's computing power. If you can use a random hash, it will be more secure. &nbsp;The idea of what I outlined is right. 
 
<a href="https://crackstation.net/hashing-security.htm" rel="ugc">https://crackstation.net/hashing-security.htm</a>&nbsp; (points to <a href="http://php.net/manual/en/function.mcrypt-create-iv.php" rel="ugc">http://php.net/manual/en/function.mcrypt-create-iv.php</a>) 
 
<a href="http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/" rel="ugc">http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/</a> 
 
<a href="http://arstechnica.com/security/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/" rel="ugc">http://arstechnica.com/security/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/</a>
</div>

<div>
greetings Richard Korts, , there are many factors to any security concerns in password database storage, alot of the info on the web about it, is many times outdated, and-or using ideas that the author of the article does not really know, but just read from some other article, that the author of that other one, took info from still another previous article. The way an experienced coder will try an use a way to get passwords, is to &quot;Sign UP&quot; on that site with at least 4 different &quot;User Names&quot; , email addys, and different passwords. Then use an SQL injection procedure to list out all user names, emals and passwords in the user table. Then the 4 user names that they used to &quot;Sign Up&quot; for that site are found, with each DB column entry for the password, if the passwords are all 16 characters in length (after removing the HEX encode), then they pretty much Know, it's a standard PHP MD5 hash, and they just use a 92 keyboard character hash &quot;Look Up Table&quot; for MD5 to find the actual text in the hash, if any of what are incorrectly called &quot;Seeds&quot; here, have been added to beginning, end or middle of a password, it will be a consistent length, and easily used to see and remove in the 4 different known passwords. A real seed needs to be used to actually change the hash method to use a different hash algorithm method, so it produces a non-standard result that can not be looked up in a standard hash &quot;Look Up Table&quot;, to do this I always use the PHP &nbsp;hash_hmac( ) &nbsp;function for any password hashing like - 
$ps = hash_hmac('ripemd160', $ps, '*jE!cP)nt~,:lrFd$zO'.chr(197)); 
 
the hash_hmac( ) will actually CHANGE the hash output with the seed to a different XOR complied result , not in a standard hash result, and there are not many &quot;Look Up Tables&quot; made for 'ripemd160' anyway, so this is a hundred times more effective hashing for security concerns. 
I hope this gives you more info about this.
</div>

<div>
To Slick812, 
 
It appears to me that you have the best solution. 
 
I'm a little concerned about some of your comments. 
 
What we need is, when a user registers for our online service, they provide a password. We want to hash it &amp;&nbsp;store the hash value in the database. 
 
Then, the next time they log in, we hash the password they provided &amp;&nbsp;do a lookup in the database comparing the previously hashed value (in the db) with the hash of the currently entered password; if equal, they are in, if not out. 
 
So if I understand this, I would hash the originally entered password ($pwd), like this: 
 
$ps = hash_hmac('ripemd160', $pwd, $key); 
 
$key being some random string I store elsewhere in the database. Then I store $ps in the database, I'm guessing using like varchar(128) (in MySQL syntax). 
 
Then on a subsequent login, I use the SAME &nbsp;hash on the entered value &amp;&nbsp;compared the hashed result in the database; if equal, they are good. 
 
Is this correct? 
 
Thanks
</div>

<div>
Oh I forgot about the DB varchar(128) , if you use this - 
&nbsp; &nbsp; hash_hmac('ripemd160', $pwd, $key); 
the output will be a HEX string &nbsp;40 characters long, so for the BD Type you can use &nbsp;varchar(40) 
 
&nbsp;there are many hashes available like with hash length (double for HEX) - 
sha256 &nbsp; &nbsp;-32 length 
sha512 &nbsp; &nbsp;-64 length 
ripemd256 &nbsp; &nbsp;-32 length 
tiger192,4 &nbsp; &nbsp; -24 length 
whirlpool &nbsp; &nbsp; -64 length 
haval224,5 &nbsp; &nbsp; -28 length 
 
 
the longer the hash, the more difficult it is to try and do a Look Up table to get the plaintext from a hashed string. 
 
You may want to just use this &nbsp;- 
&nbsp; &nbsp; &nbsp;hash_hmac('ripemd256', $pwd, 'J*&amp;^gbF'.chr(214).'DeW{lO'.chr(177).'(bCzAs:+bFyDv~cK|'); 
with a 64 length HEX output, for a general security hash.
</div>

<div>
Thanks for the wealth of info. 
 
I just hashed all the passwords in our user table &amp;&nbsp;put the hashing in to the new registration (when pwd is first stored) &amp;&nbsp;the the login check program. 
 
One minor (but I thought not good thing) , when I first went to log in myself to test the login, I saw that the hashed password was in the form field for pwd, not my normal value. 
 
I told FireFox (a LONG time ago) to save my password; of course obviously if I had left the hash value there it would have failed by hashing the hash. 
 
Do you know of a way to avoid this? Is this only a FireFox issue (even if so, not good &amp;&nbsp;very confusing to the average person). 
 
Thanks
</div>

<div>
<div class="content wysiwyg-content">
Is thee a way to do AES Encryption &amp;&nbsp;Decryption from php? 
 
Specifically, I want passwords stored in a MySQL database to be encrypted. Of course they will have to be checked when a user logs in so I'm guessing I would have to decrypt to do a compare? 
 
Thanks
</div>
</div>

Is thee a way to do AES Encryption & Decryption from php?

Specifically, I want passwords stored in a MySQL database to be encrypted. Of course they will have to be checked when a user logs in so I'm guessing I would have to decrypt to do a compare?

Thanks

AES Encrypt / Decrypt

PHP is a widely-used server-side scripting language especially suited for web development, powering tens of millions of sites from Facebook to personal WordPress blogs. PHP is often paired with the MySQL relational database, but includes support for most other mainstream databases. By utilizing different Server APIs, PHP can work on many different web servers as a server-side scripting language.

MySQL is an open source, relational database management system that runs as a server providing multi-user access to a number of databases. Acquired by Oracle in 2009, it is frequently used in combination with PHP installations, powering most of the WordPress installations.