PHP login page with encrypted password

Here is the login system in which the secure login is to be implemented.

main_login.php

    
Username:
Password:

Checklogin.php


login_success.php





Login Successful. Logout


logout.php


The problem is that I want to make this login secure by password encryption or any other method (if any). I am a beginner to PHP.

asked Aug 28, 2010 at 9:18

Suraj

2

You can encrypt the password to a degree with md5. You would need to md5 the password from when the user signs up and before the login md5....

Example:

    // Define $myusername and $mypassword
    $myusername=$_POST['myusername'];
    $mypassword=$_POST['mypassword'];
    $mypassword = md5($mypassword);

You would also need to use this whenever you have a user sign up.

answered Aug 28, 2010 at 9:35

1

As a beginner, most likely you do not need any encryption. Especially because it would be JavaScript, not PHP.
Though it can be done.
You could use a hashed challenge, implementing the Digest authentication schema:

  • the server sends a challenge - a random string
  • the client makes a hash of this challenge and a password
  • this hash is sent to the server
  • the server makes a hash the same way and compares both

There are a lot of JavaScript MD5 hashing algorithm implementations on the internet.

Of course, an SSL certificate would be preferred over this homemade implementation.

But to get a proper answer, you still need to clarify what exactly you want to encrypt and why. And why aren't you concerned about securing something else? Your whole database, for example.

Some notes for a while.
Your login_success code would not work and would protect nothing either.
It should be just

    if(isset($_SESSION['username'])){

because there is no $myusername variable to compare.
And there ought to be exit; right after header("location:...
Or a client will get protected contents anyway.

answered Aug 28, 2010 at 9:33

Your Common Sense
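The challenge/response exchange listed in the answer above, as an added example that is not part of the original answer. Both sides are simulated in PHP (in the answer's scheme the client half would run as JavaScript in the browser), HMAC-SHA256 is swapped in for the plain MD5 the answer mentions, and the function names and the array standing in for `$_SESSION` are assumptions.

```php
<?php
declare(strict_types=1);

// Server side: issue a single-use random challenge and remember it. A real app
// would keep it in $_SESSION; a plain array stands in for that here (assumption).
function issue_challenge(array &$session): string {
    $session['challenge'] = bin2hex(random_bytes(16));
    return $session['challenge'];
}

// Client side: combine the challenge with the password. Only this value crosses
// the network, never the password itself.
function client_response(string $challenge, string $password): string {
    return hash_hmac('sha256', $challenge, $password);
}

// Server side: recompute from the stored secret, compare in constant time, and
// discard the challenge first so a captured response cannot be replayed.
function verify_response(array &$session, string $storedSecret, string $response): bool {
    $challenge = $session['challenge'] ?? null;
    unset($session['challenge']);
    if ($challenge === null) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $challenge, $storedSecret), $response);
}

$session = [];
$secret  = 'myPassword'; // constructed sample value held by the server

$c = issue_challenge($session);
$r = client_response($c, 'myPassword');
var_dump(verify_response($session, $secret, $r)); // fresh challenge, right password
var_dump(verify_response($session, $secret, $r)); // same response sent a second time

$c2 = issue_challenge($session);
var_dump(verify_response($session, $secret, client_response($c2, 'wrong'))); // wrong password
```

For this check to work the server has to keep the password, or a value that works exactly like it, so the scheme cannot be combined with salted one-way password hashes. It also protects only the login step and nothing sent afterwards, which is why the answer prefers SSL.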

3

To make this a little more secure, you should store encrypted passwords in your database and then compare the encrypted entered password with the stored hash. This way if someone somehow accesses the members table, they cannot see the actual passwords.

Suppose the password is myPassword; then don't just store it, hash it first using an algorithm like md5, then store the hash, which is deb1536f480475f7d593219aa1afd74c, in your database. Then when the user enters a password, hash it and compare the two hashes.

For a more secure approach, use SSL.

answered Aug 28, 2010 at 9:24

Hamid Nazari

1

You can use md5($password) or sha1($password) while inserting the signup data into the table.

To match it again at login:

    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='".md5($mypassword)."'";
    $result=mysql_query($sql);

There are other ways too, to protect it further, such as using a combination of sha1 and salt.

By the way, why don't you use some quick PHP framework, because these small things are already built into them?

Thanks

answered Aug 28, 2010 at 9:28

Pramendra Gupta
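The hash-at-signup, compare-at-login flow from the answers above, as an added example that is not part of any answer. It swaps md5/sha1 for PHP's built-in `password_hash()` and `password_verify()` (a salted, deliberately slow hash, available since PHP 5.5) and builds the queries as PDO prepared statements instead of concatenated SQL. The in-memory SQLite database (needs the pdo_sqlite extension), the `members` table layout, the function names and the sample credentials are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed schema: members(username, password_hash). In-memory SQLite keeps the demo offline.
function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $db;
}

// Signup: password_hash() picks a random salt and stores it, with the cost, inside the result.
function register_user(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: select by username only, then verify in PHP. The comparison cannot be done
// in the WHERE clause because every stored hash carries its own salt.
function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        // Unknown user: still run one verification so both paths cost about the same.
        password_verify($password, DUMMY_HASH);
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash on successful login when PHP's default algorithm or cost has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE members SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));
$db = open_demo_db();
register_user($db, 'alice', 'myPassword');               // constructed sample credentials
var_dump(check_login($db, 'alice', 'myPassword'));       // correct password
var_dump(check_login($db, 'alice', 'wrong'));            // wrong password
var_dump(check_login($db, "x' OR '1'='1", 'anything'));  // bound as a literal username
```

Hashing the same password twice with `password_hash()` gives two different strings, so the stored value is only ever checked with `password_verify()`, never by string equality.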

1

Normally you would store a hash of the passwords in the database (see md5); however, this doesn't make it secure between the webpage and server - for this you need to use https.

There are two things here.

1. If I'm a dumb user and when I sign up for your site I have to give a password I might give the same password as I used elsewhere so your site should really store a hash of the password instead of the real thing so if they get hacked the attackers won't get my password that I used everywhere. To do this you store the hash in your members table and in the query that checks it is valid you pass a hash instead of the real thing.

2. Under http the password will get sent from the browser to the server in plain text. If this is over the internet and an attacker has access to any networks in between the browser and client then they can see the password - if you hash it in the browser using javascript the attacker can pick up the hash and possibly use this to login to your site. That is why we have https. For a low cost (especially compared to development costs) you can buy a certificate that will secure the connection. If you don't want to do this you can self sign a certificate and use this. If your hosting does not allow you to use a certificate then it might be possible to create a home brew solution but it is much better to just find other hosting.

answered Aug 28, 2010 at 9:24

Adam Butler

3

md5 would be the best in this case. Run the Input Details such as Password through the MD5 function and insert into your database.

It's nearly irreversible, so the only way to use it is to use MD5 on login also and compare the md5 password from login with the version stored in the database.

answered Sep 24, 2014 at 8:31