scriptygoddess

18 Jun, 2002

Encryption, Sessions, mySQL

Posted by: Jennifer In: Bookmarks

I'm doing a lot of PHP scripting at work right now involving cookies, sessions, mySQL and encryption. Thought I'd post the links and a few lines of code that are most useful to me at this moment. :) (this will probably only make sense to hard-core phpers)

O'Reilly's Session Tutorial

using this API, a sample of two way encryption using HCEMD5 (the HCEMD5 class is assumed to have been included already):

$string = "encrypt this string";
srand((double)microtime()*32767);   // seed the random number generator
$rand = rand(1, 32767);
$rand = pack('i*', $rand);          // pack the random number into a binary string for the cipher
$key = "fuzzy wuzzy wuz a bear";    // encryption key
$hcemd5 = new HCEMD5($key, $rand);
$encryptedstring = $hcemd5->encrypt($string);

to decrypt (using the same key and the same $rand that was used to encrypt):
$decryptedstring = $hcemd5->decrypt($encryptedstring);

HCEMD5 may not be a part of the default PHP install – I'm not sure. I know that M_Crypt needs to be a separate install… (they talk about it a little in the next bookmark)

O'Reilly's tutorial on one way encryption

Sample connection to a database:
@$db = mysql_pconnect("url", "mysql_username", "mysql_password"); // the @ suppresses the warning if the connection fails
mysql_select_db("database_name");
$query = sprintf("SELECT * FROM contact WHERE Username='%s' AND Password='%s';",
    addslashes($_REQUEST["username"]), md5($_REQUEST["password"]));
$result = mysql_query($query);
$num_results = mysql_num_rows($result); // returns the number of rows returned

if ($num_results > 0) {

    $row = mysql_fetch_array($result);
    /* each time this is called, it returns the next row that was in the result-set. There's a "pointer" that is left at the last row that was fetched; when you call it again, it returns that row and moves the pointer. (my "newbie explanation" for how that works) */

    $feedback = "<p>Welcome, ".$_REQUEST['username']."!</p>";
}

(If track_vars is turned off (which is better from a security standpoint), then you need to call variables sent in a form using $_REQUEST['variable_name'].)
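The same login check as the snippet above, as an added example that is not part of the original post: the username is bound as a query parameter instead of being escaped with addslashes(), the password is checked against a salted bcrypt hash instead of an unsalted md5() in the WHERE clause, and the username is HTML-escaped before it is echoed. It assumes a mysqli connection with mysqlnd (for get_result()) and a column named PasswordHash, which is an assumed name; the post's table uses Password.

```php
<?php
// Added example, not the original post's code. Assumes a mysqli connection in $db
// and a `contact` table with columns Username and PasswordHash (assumed column name).

function find_user(mysqli $db, string $username): ?array
{
    // The username is sent as a bound parameter; it never becomes part of the
    // SQL text, so no addslashes()/escaping is needed to keep the query intact.
    $stmt = $db->prepare('SELECT Username, PasswordHash FROM contact WHERE Username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function login(mysqli $db, string $username, string $password): bool
{
    $row = find_user($db, $username);
    // password_verify() compares against a bcrypt hash that carries its own
    // per-user salt and work factor, unlike a bare md5() of the password.
    // When the user does not exist, verify against a freshly made dummy hash
    // so the response time does not reveal which usernames are valid.
    $hash = $row['PasswordHash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && $row !== null;
}

function store_password(mysqli $db, string $username, string $password): void
{
    // Store only the hash; the plaintext password is never written anywhere.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE contact SET PasswordHash = ? WHERE Username = ?');
    $stmt->bind_param('ss', $hash, $username);
    $stmt->execute();
    $stmt->close();
}

$db = new mysqli('localhost', 'mysql_username', 'mysql_password', 'database_name');
$username = $_REQUEST['username'] ?? '';
if (login($db, $username, $_REQUEST['password'] ?? '')) {
    // Escape the user-supplied name before putting it into HTML.
    $feedback = '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '!</p>';
} else {
    // One message for "no such user" and "wrong password" alike.
    $feedback = '<p>Login failed.</p>';
}
```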

Web Developers (virtual library) tutorial about sessions and security

4 Responses to "Encryption, Sessions, mySQL"

1 | Amy

June 18th, 2002 at 9:36 am


mmm. That's quite interesting. I'm curious — what made you decide to go with two-way encryption instead of one-way encryption?

I was working on the login function for my CMS about two weeks ago, and ended up going with one-way encryption. I put the md5 hash of the user's password in the database, and then store a separate password retrieval question/answer duo in another column.

Since md5() is one-way, the password can't actually be retrieved…but if the user provides the correct username, retrieval question, AND retrieval answer, the program will auto-generate and mail them the new password to their account.

Though…

On second thought…after reading all that, maybe your way is easier. 😀

2 | Jennifer

June 18th, 2002 at 9:41 am


Well – one of the things we're encrypting is the username, password, and IP for the database so they're not hardcoded right in the app. :)

3 | Amy

June 18th, 2002 at 9:48 am


Good call there.

That's something I've actually got to work out — tracking IP addresses on a per-login basis to help prevent against login hijacking.

heh – this is just what I need to make my brain hurt before nine a.m.! :)

4 | Phil

April 1st, 2003 at 1:15 pm


I am fairly new to PHP and the wonderful world of web programming. I have been developing my web site http://www.funkinfamily.com as an experimental project for mp3 hosting. And for my users' login, registration and all I had used md5() for passwords, but now I want to make a retrieval system for my users. After reading all this I am still unclear how to implement the above API. If someone would be willing to help me out personally I would greatly appreciate it. Thanx

Phil
