mds1256 Posted August 30, 2010

Hello. I'm making a secure PHP login system and ideally wanted to also md5 hash the username as well as the password. My reason for doing this is to completely stop SQL injections, as I can combine the md5 hash with a salt for the $_POST['username']. Now my problem is I need to be able to de-hash (if this is a word) the username for admin purposes of the business. For password reset I will just send a new password. Is there any way that I can do this easily whilst keeping my username secure and stopping SQL injection for the username?
simshaun Posted August 30, 2010

First, I shall correct you on your terminology. Hashing is a one-way process. It is not reversible. Encrypting is a two-way process. It is reversible.

Then, I shall say that I believe hashing the username is unnecessary, especially if the sole purpose is to stop SQL injections. Use MySQL? Then take a look at mysql_real_escape_string or prepared statements.
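The point made above, shown as an added example (not code from the thread): the same login lookup written with string concatenation and with a prepared statement. It uses PDO against an in-memory SQLite database so it runs offline; that assumes the pdo_sqlite extension is loaded, and with MySQL only the DSN would change. Note also that the old mysql_* extension (mysql_real_escape_string included) was removed in PHP 7.0, so prepared statements are the option that still applies.

```php
<?php
// Added example, not from the original thread. PDO + in-memory SQLite
// (assumes pdo_sqlite is available) so it runs offline; for MySQL swap the DSN.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
// Constructed sample row.
$db->exec("INSERT INTO users (username, password_hash) VALUES ('alice', 'placeholder-hash')");

// Vulnerable: the submitted username is pasted straight into the SQL text,
// so a quote in the input changes the meaning of the query.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the value separately from the SQL text,
// so quotes in the input are data, not syntax. No hashing of the username needed.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal and appends a
// condition that is true for every row.
$attack = "' OR '1'='1";

echo "vulnerable, attack input: ", count(findUserVulnerable($db, $attack)), " row(s)\n";
echo "prepared,   attack input: ", count(findUserSafe($db, $attack)), " row(s)\n";
echo "prepared,   real user:    ", count(findUserSafe($db, 'alice')), " row(s)\n";
```

With the attack string the concatenated query becomes `... WHERE username = '' OR '1'='1'` and matches every user; the prepared statement looks for a user whose name is literally `' OR '1'='1` and finds none, while a normal lookup for `alice` still works.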
Xyphon Posted August 30, 2010

Err... Make a separate table altogether called "Usernames", and store the originally typed-in username there, along with the UserID. As long as no fields connect to this table, it should be fine. And if you want to stop injects, use mysql_real_escape_string. You don't need to go through encrypting to stop injects; encrypting is to protect passwords if someone manages to get database information. :\
mds1256 (Author) Posted August 30, 2010

I see, yeah, using a MySQL db. Will give that a go. Is there anything else I should do to make sure this login form is secure and free from SQL injections? Also, will purchasing an SSL cert for the site be a good thing to do to stop plain text being submitted from the form? Many thanks for the replies.
simshaun Posted August 30, 2010

There are many things you can do to make a form more secure, not all of them necessary and some only in certain situations.

Do some research into CSRF. I think Chris Shiflett (sp?) has a decent article.
- Always escape user input by using m_r_e_s or typecasting (unless using prepared statements).
- Hash user passwords, and be sure to salt them.

Purchasing an SSL cert would definitely make the data transmission more secure, but may be unnecessary; again, it depends. If your site is one that handles sensitive data, then I would definitely say get a certificate. (It may be required by law depending on the type of data.)
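The two remaining recommendations in that reply (salted password hashing and a CSRF check), as an added example rather than code from the thread. It uses PHP's built-in password_hash()/password_verify() (PHP 5.5+), which pick a random per-password salt and store it inside the returned string, so there is no separate salt column to manage and no reason to use md5; and random_bytes()/hash_equals() (PHP 7+) for the CSRF token. The session is passed in as a plain array so the script runs from the command line; in a real handler that would be $_SESSION, and the token would go into a hidden form field.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7+.
declare(strict_types=1);

// --- Passwords -------------------------------------------------------------

// Store the returned string in the users table instead of md5($password).
function hashPassword(string $password): string
{
    // PASSWORD_DEFAULT is currently bcrypt. The algorithm, cost and a random
    // salt are all encoded in the result, so nothing else needs storing.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Re-hashes the candidate with the salt embedded in $storedHash and compares
// in constant time.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// --- CSRF ------------------------------------------------------------------

// Call when rendering the form; emit the token in a hidden input.
// $session stands in for $_SESSION (passed by reference to keep this runnable).
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Call when handling the POST, before touching the database.
// hash_equals compares in constant time so the token cannot be guessed byte by byte.
function verifyCsrfToken(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'], $submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// --- Demo with constructed session and form data ---------------------------

$stored = hashPassword('correct horse battery staple');
echo "stored hash: ", $stored, "\n";
echo "right password verifies: ", var_export(checkPassword('correct horse battery staple', $stored), true), "\n";
echo "wrong password verifies: ", var_export(checkPassword('wrong password', $stored), true), "\n";

$session = [];                       // constructed stand-in for $_SESSION
$token = issueCsrfToken($session);   // would be placed in the form
echo "genuine token accepted: ", var_export(verifyCsrfToken($session, $token), true), "\n";
echo "forged token accepted:  ", var_export(verifyCsrfToken($session, 'forged-token'), true), "\n";
echo "missing token accepted: ", var_export(verifyCsrfToken($session, null), true), "\n";
```

Running the script twice produces two different stored hashes for the same password, which is the visible effect of the per-password salt; both still verify. A forged or absent CSRF token is rejected, and the token survives across requests because it lives in the session rather than being regenerated on every page load.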