  1. #1
    Mike Mike's Avatar
    Join Date
    Dec 2004
    Location
    Rosarito, Mexico
    Posts
    1,396

    Default PHP/SQL encrypt password, send as text

    Hi all,

    I have this little php app running locally on my PC that requests data from a website every hour or so by sending a username and password then recording the response.

    Now I know it's not overly secure (doesn't need to be), but I would like to be able to store the password encrypted somehow, either in the PHP or possibly in the SQL database it's connected to (it's currently stored as open text in one of the PHP files). However I need the PHP to send that password as text as part of the URL string sent to the remote site (that's just how the remote site is set up).

    Basically the URL is something like
    Code:
     https://www.somewebsite.com/?username=myname&password=mypass
    Is it possible to store the password encrypted (or even just make it harder to read) yet still send it as text as required through the URL? Or is it possible that the remote site would accept it encrypted (remote service is unsupported, so I can't get help at that end)?

    Does my question make sense? I'm sick at the moment, so my brain's not functioning normally.

    Cheers,
    Mike.
    what are you doing looking in here?

  2. #2
    Member
    Join Date
    Jun 2009
    Location
    localhost
    Posts
    59

    Default Re: PHP/SQL encrypt password, send as text

    I would use tokens instead.

    Change the request to
    https://www.somewebsite.com/?accesstoken=abc1234

    On the website, only accept that latest token, and once the request is over, generate a new token which the application then needs to use for the next request.

    This means every time your application makes a request, it gets a new token. Doing this all over SSL will also mean your traffic won't be intercepted.

  3. #3
    Where is Metla these days Chilling_Silence's Avatar
    Join Date
    Dec 2004
    Location
    Auckland
    Posts
    17,146

    Default Re: PHP/SQL encrypt password, send as text

    When they create the password, MD5 the string, store it in the database.
    When they try to log in, take their submitted password, MD5 it, and compare it with the string in the database. If they are ==, then it's the correct password. If not, reject them with a semi-generic and unhelpful error.
    I mostly do Bitcoin & DigiByte things these days, feel free to say hi on Twitter: https://twitter.com/dgb_chilling

    Before you ask a question here, or before you get upset by a response, see here:
    http://www.catb.org/~esr/faqs/smart-...ons.html#intro

  4. #4
    Mike Mike's Avatar
    Join Date
    Dec 2004
    Location
    Rosarito, Mexico
    Posts
    1,396

    Default Re: PHP/SQL encrypt password, send as text

    Ummm... I don't think I've explained myself properly. I can't control anything on the remote website. I have a PHP app with SQL running locally, which uses the URL to connect to the remote website. The remote website uses username and password in the URL, but I would like my PHP or SQL to store my password encrypted somehow, rather than in plain text within the PHP file. I still need to send the password as text in the URL (can't change that).

    Cheers,
    Mike.
    what are you doing looking in here?

  5. #5
    Gone Erayd's Avatar
    Join Date
    Dec 2004
    Location
    Wellington, NZ
    Posts
    5,761

    Default Re: PHP/SQL encrypt password, send as text

    I assume you realise that this gains you essentially nothing in the way of security?

    If you require reversible encryption for the password, stored locally, and automatically decrypted locally, then the decryption key must also be present. At best, all you're doing is obfuscating the password.

    What you're asking for won't stop any competent attacker from figuring out what your password is.

    Edit: If you genuinely still want to do this, even though it doesn't really gain you anything, take a look at PHP's crypto extensions.

    Chill: The password hashing method you've described is almost criminally negligent these days. Unsalted MD5 hashes are trivially crackable, and generally mean a whole lot of trouble for the poor sods who reuse passwords (which is most of them) if your database is ever compromised.

    Ideally you'd use something like bcrypt, but if that's not possible then at least use decently large unique salts, and a better hashing algorithm - this will prevent cracking via rainbow tables.
    Last edited by Erayd; 24-08-2011 at 03:47 PM.
    If you are interested in reading fanfiction on a mobile device or ebook reader, please visit flagfic.com.
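
Added example, not part of any post above: the unsalted MD5 scheme from post #3 next to bcrypt through PHP's built-in password API, as post #5 recommends. It goes one step further and upgrades a legacy MD5 record at the next successful login; the function names and the sample password are constructed for illustration.

```php
<?php
// Added example; constructed sample data, hypothetical function names.

// Legacy scheme from the thread: unsalted MD5. Equal passwords give equal
// hashes, so one precomputed table covers every account.
function legacy_md5_hash(string $password): string
{
    return md5($password);
}

// bcrypt via PHP's password API: a random salt and the cost are embedded
// in the returned string, so no separate salt column is needed.
function bcrypt_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Verify a login and upgrade a legacy MD5 record on success.
// Returns [bool $ok, string $hashToStore].
function verify_and_upgrade(string $password, string $stored): array
{
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    if ($isLegacy) {
        $ok = hash_equals($stored, md5($password));
        return [$ok, $ok ? bcrypt_hash($password) : $stored];
    }
    $ok = password_verify($password, $stored);
    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        $stored = bcrypt_hash($password);
    }
    return [$ok, $stored];
}

// Constructed demo: two accounts that chose the same password.
$pw = 'correct horse';
var_dump(legacy_md5_hash($pw) === legacy_md5_hash($pw)); // same input, same MD5
var_dump(bcrypt_hash($pw) === bcrypt_hash($pw));         // fresh salt per call

// A legacy record is accepted once, then replaced by a bcrypt hash.
[$ok, $upgraded] = verify_and_upgrade($pw, legacy_md5_hash($pw));
var_dump($ok, password_verify($pw, $upgraded));
[$wrong] = verify_and_upgrade('wrong guess', $upgraded);
var_dump($wrong);
```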

  6. #6
    Mike Mike's Avatar
    Join Date
    Dec 2004
    Location
    Rosarito, Mexico
    Posts
    1,396

    Default Re: PHP/SQL encrypt password, send as text

    Quote: Originally posted by Erayd
    What you're asking for won't stop any competent attacker from figuring out what your password is.

    Edit: If you genuinely still want to do this, even though it doesn't really gain you anything, take a look at PHP's crypto extensions.
    I'm not overly concerned with the unlikely event of a competent hacker on my PC. More concerned with nosey friends and relatives who happen upon my password while going through my files. Just wanting to make it a little trickier for them to obtain it (they'd have to be intentionally looking for it rather than just happen upon it if I can encrypt it somehow).

    I'll take a look at your link.

    Cheers,
    Mike.
    what are you doing looking in here?

  7. #7
    Gone Erayd's Avatar
    Join Date
    Dec 2004
    Location
    Wellington, NZ
    Posts
    5,761

    Default Re: PHP/SQL encrypt password, send as text

    Aaah, I thought you were coming at this from a security perspective. If all you're wanting to do is stop casual snooping of the type you've mentioned above, then it'll do the job just fine.

    I must say though, in your shoes I'd care more about the fact that my friends were digging through my files without permission.
    If you are interested in reading fanfiction on a mobile device or ebook reader, please visit flagfic.com.
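
Added example, not part of any post above: one way to do what the thread settles on, storing the password encrypted and decrypting it locally just before building the URL. It assumes PHP's sodium extension; the key file path, function names and credentials are constructed placeholders, and as post #5 points out, anyone who can read the key file can recover the password.

```php
<?php
// Added example; key path, names and credentials are constructed placeholders.

// Load the key from a file kept apart from the code and database, creating
// it on first use. Anyone who can read this file can decrypt the password.
function load_or_create_key(string $path): string
{
    if (!is_file($path)) {
        file_put_contents($path, sodium_crypto_secretbox_keygen());
        chmod($path, 0600);
    }
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('key file missing or wrong length');
    }
    return $key;
}

// Encrypt for storage: random nonce prepended, result base64-encoded so it
// fits a text column or config value.
function seal_password(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

// Decrypt just before use; fails loudly if the stored value was altered.
function open_password(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(
        substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

$key    = load_or_create_key(sys_get_temp_dir() . '/demo_secretbox.key');
$stored = seal_password('mypass', $key);   // what goes in the file or database
$url    = 'https://www.somewebsite.com/?' . http_build_query([
    'username' => 'myname',
    'password' => open_password($stored, $key),
]);
echo $stored, PHP_EOL, $url, PHP_EOL;      // URL is built here, not requested
```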
