
I have used md5() for this purpose

// username and password sent from form

$username=$_POST['myusername'];
$password=$_POST['mypassword'];
$encrypted_password=md5($password); // unsalted MD5 digest of the submitted password

// both POST values are interpolated straight into the SQL string
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$encrypted_password'";
$result=mysql_query($sql);

But I heard that it is not safe. I'm a beginner, so please suggest a good password encrypting method. Also, if the POST data were intercepted, would it be visible as plaintext?

roemel
Akshay
  • Use PHP's [password_*](http://www.php.net/manual/en/function.password-hash.php) functions – Mark Baker Jan 18 '14 at 16:49
  • What about letting mysql handle the encryption? In general you can say that complex passwords are harder to crack, so try to set a policy that enforces strong passwords. – blissini Jan 18 '14 at 16:53
  • 3
    If your not using HTTPS then yes the password is sent from the client in the clear. – Alex K. Jan 18 '14 at 16:53
  • Password hashing isn't your only problem. You also have an SQL injection problem. – Mike Jan 18 '14 at 17:00

2 Answers


I'm a beginner, so please suggest a good password encrypting method

Make use of crypt() instead of md5()

<?php
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
                                        // (PHP 8.0 and later require the salt argument)
// crypt() re-uses the salt embedded in $hashed_password, so the two strings
// match only if the password is the same; newer manual examples use
// hash_equals() here for a constant-time comparison
if (crypt($user_input, $hashed_password) == $hashed_password) {
   echo "Password verified!";
}
?>

Some examples from the PHP Manual

Also, if the POST data were intercepted, would it be visible as plaintext?

Of course! If you are really concerned about that, get an SSL certificate configured on your domain.

Shankar Narayana Damodaran

In PHP 5.5 you could use the new password_hash

$hash = password_hash($password, PASSWORD_DEFAULT);

In older versions, there's a compatibility layer which does the same: https://github.com/ircmaxell/password_compat

Philipp
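Putting the two answers together with Mike's comment about SQL injection, here is a complete login flow using password_hash()/password_verify() (the second answer's approach, which wraps crypt() from the first) and prepared statements in place of the string-built query from the question. This is an added example, not code from the question, either answer, or the PHP manual. It assumes a `users` table with `id`, `username` and `password_hash` columns and runs against an in-memory SQLite database seeded with constructed data; the PDO connection, the table layout and the function names are assumptions.

```php
<?php
// Added example (not from the original question or answers). The PDO
// connection, the `users` table and its column names are assumptions.
declare(strict_types=1);

// Registration: hash with the current default algorithm (bcrypt when this
// thread was written). The default may change in later PHP versions, so the
// hash column should be at least 255 characters wide.
function register_user(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement: the user input never becomes part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: look the user up by username only, then compare the submitted
// password against the stored hash with password_verify(), which is
// designed to take the same time whether or not the password matches.
function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal whether the username is valid.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $stored = ($row !== false) ? $row['password_hash'] : $dummy;

    if ($row === false || !password_verify($password, $stored)) {
        return false;
    }

    // Re-hash on successful login if the stored hash uses an older
    // algorithm or cost than the current default.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

register_user($pdo, 'alice', 'correct horse battery staple');

var_dump(login_user($pdo, 'alice', 'correct horse battery staple'));
var_dump(login_user($pdo, 'alice', 'wrong'));
// With a bound parameter the classic payload is just a username that does not exist:
var_dump(login_user($pdo, "' OR '1'='1", 'anything'));
```

The table name is hard-coded here on purpose: placeholders can only stand in for values, not identifiers, so a `$tbl_name` like the one in the question would still have to come from a whitelist rather than from user input. Note also that the query selects only the columns it needs and never compares the password in SQL; the hash comparison happens in PHP via password_verify().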