Jump to content

Login Form - Username encryption help


mds1256

Recommended Posts

Hello

 

Im making a secure php login system and ideally wanted to also md5 hash the username as well as the password. My reasons for doing this is to completey stop sql injections as i can combine the md5 hash with salt for the $_POST['username'].

 

Now my problem is i need to be able to de-hash (if this is a word) the username for admin purposes of the business. For password reset i will just send a new password.

 

Is there anyway that i can do this easily whilst keeping my username secure and stop sql injection for username?

Link to comment
Share on other sites

First, I shall correct you on your terminology.  :)

 

Hashing is a one-way process.  It is not reversible.

Encrypting is a two-way process.  It is reversible.

 

Then, I shall say that I believe hashing the username is unnecessary, especially if the sole purpose is to stop SQL injections.  Use MySQL? Then take a look at mysql_real_escape_string or prepared statements.

Link to comment
Share on other sites

Err.. Make a separate table altogether called "Usernames", and store the originally typed in username there, along with the UserID, as long as no fields connect to this table, it should be fine..

 

And if you want to stop injects, use mysql_real_escape_string.. You don't need to go through encrypting to stop injects, encrypting is to protect passwords if someone manages to get database information. :\

Link to comment
Share on other sites

I see, yeah using MySQL db. Will give that ago. is there anything else i should do to make sure this login form is secure and free from sql injections

 

Also will purchasing an SSL cert for the site be a good thing to do to stop plain text being submitted from the form?

 

Many thanks for the replies

Link to comment
Share on other sites

There are many things you can do to make a form more secure, not all of them necessary and some only in certain situations.  Do some research into CSRF. I think Chris Shiflett (sp?) has a decent article.

 

- Always escape user input by using m_r_e_s or typecasting (unless using prepared statements).

- Hash user passwords, and be sure to salt them.

 

Purchasing an SSL cert would definitely make the data transmission more secure, but may be unnecessary, again.. it depends.  If your site is one that handles sensitive data, then I would definitely say get a certificate.  (It may be required by law depending on the type of data.)

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.