Tutorial – Encrypting your Password with md5()

October 6th, 2010 by

I’d like to revisit the PHP Login Tutorial and modify it just a bit to support encrypted passwords instead of just a password defined by writing it in the PHP.

Note: To be completely accurate, as Steve pointed out, this isn't actually true encryption; it is a one-way transformation called hashing. I'm using "encrypt" simply because it obviously equates to password protection, whereas "hashing" may not read as protection when you come across it.

You can use my md5 encoder to get an idea of what your password will be encrypted to. Keep in mind that if you were to enter, say, 'password' twice it will give you the same encrypted string both times, and this is the key to having encrypted passwords.

Now the good thing is that we will only need to change a few things in the code for it to accept encrypted strings. I will be using the same files as in my PHP Login Tutorial. So open up the settings.php file and we're going to change the passwords to encrypted versions. In other words, change this:

    // Plain-text passwords, as in the original PHP Login Tutorial
    $users = array (
        'user1' => 'password1',
        'user2' => 'password2',
        'user3' => 'password3',
    );

to:

    // The same passwords stored as their md5() hashes
    $users = array (
        'user1' => '7c6a180b36896a0a8c02787eeafb0e4c', // md5('password1')
        'user2' => '6cb75f652a9b52798eb6cf2201057c73', // md5('password2')
        'user3' => '819b0643d6b89dc9b579fdfc9094f28e', // md5('password3')
    );

So now if someone were to somehow get your user list with user names and passwords, they would have a useless string of characters. Since md5() generates 32 characters regardless of how many characters are passed through it, this becomes almost impossible to reverse engineer.

So now that the password has been converted to a 32-character string, we have to modify the part of the code that checks whether what was input into the form matches the string in the password section of the array. So you're going to want to turn this section:

    // Original check: compares the submitted password directly with the stored one
    if($_POST['login']){
        foreach ($users as $user => $pass) {
            if ($_POST['username'] == $user && $_POST['password'] == $pass) {
                $_SESSION['logged_in'] = 'true';
            }
        }
    }

into this:

    // New check: hash the submitted password first, then compare hashes
    if($_POST['login']){
        foreach ($users as $user => $pass) {
            $encrypted_pass = md5($_POST['password']);
            if ($_POST['username'] == $user && $encrypted_pass == $pass) {
                $_SESSION['logged_in'] = 'true';
            }
        }
    }

Now let's go over the changes. You should notice I moved the $_POST['password'] into an md5() call and am now using a variable to hold the result. What this does is convert whatever the person put into the form's 'password' field into an md5 string. Remember how I said you could put password1 in multiple times and it would give the same string? Well, that's how this check will pass. If what the person input in the form matches the password exactly, it will have the same md5 string and in turn return a match.
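The same check written as a function, as an added example that is not part of the original tutorial: it keeps the md5 scheme above (with the tutorial's $users array and field names) but compares with hash_equals() instead of a loose ==, and then shows the modern PHP equivalent using password_hash()/password_verify(); the function names and the second user array are constructed for this example.

```php
<?php
// Added example, not code from the original tutorial.
// $users mirrors the tutorial's settings.php array of md5() hashes.
$users = array(
    'user1' => '7c6a180b36896a0a8c02787eeafb0e4c', // md5('password1')
    'user2' => '6cb75f652a9b52798eb6cf2201057c73', // md5('password2')
    'user3' => '819b0643d6b89dc9b579fdfc9094f28e', // md5('password3')
);

// The tutorial's md5 check, with two hardening changes:
//  - look the user up by key instead of looping over every entry
//  - compare with hash_equals(), which is strict (PHP's loose == can treat
//    hex strings that look like numbers as equal) and runs in constant time
function check_login_md5(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return hash_equals($users[$username], md5($password));
}

// Modern equivalent: password_hash() adds a random salt to every hash, so two
// users with the same password get different stored strings, and
// password_verify() does the comparison for you.
function make_user_record(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_login_modern(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Correct and incorrect passwords against the md5 table
var_dump(check_login_md5($users, 'user1', 'password1'));
var_dump(check_login_md5($users, 'user1', 'password2'));

// Constructed second table: both users share the password 'password1'
$modern = array(
    'user1' => make_user_record('password1'),
    'user2' => make_user_record('password1'),
);
// Salted hashes for the same password are not identical, unlike md5() output
var_dump($modern['user1'] === $modern['user2']);
var_dump(check_login_modern($modern, 'user2', 'password1'));
```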

And that is just one way to further strengthen the security of your login forms.