02-15-2008, 03:13 PM
Quote:
Originally Posted by StevenF
There's something going on here. I've encrypted the password like above:
PHP Code:
$md5reg_password = mysql_real_escape_string($_POST['reg_password']);
Then again in the query:
PHP Code:
user_pass = "'.md5($reg_password).'",

Two important things here:
- The first assignment is not 'encrypting' the value, it's simply escaping it.
- More importantly, $md5reg_password != $reg_password
As to the comments on whether to use SHA1 or MD5, etc.: it's all relative. MD5 is fine for a 'test' login system. Use a CHAR(32) column and store the hash value. IIRC, I already mentioned the plausibility of using other hash types in this thread.
The important factor is continuity in the application, as it appears you've found. Hash the password, store the hash. Hash the password, compare against the stored hash.
BTW, here's my take on the SQL statement:
PHP Code:
$query = "INSERT INTO users SET
user_name = '{$reg_username}'
, email = '{$reg_email}'
, user_pass = MD5('{$reg_password}')
, user_pass_conf = '{$reg_pass_conf}'
";
Simplify your life. Don't escape the string, use double quotes and allow them to evaluate the variable values. Use MySQL's MD5() (or SHA1() function) inside the statement. As with everything, take it for what it's worth. ;)
__________________
I reject your reality, and substitute my own.
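
Added example, not part of the original post or written by its author: the "hash the password, store the hash; hash the password, compare against the stored hash" flow from the post, shown with PHP's password_hash()/password_verify() in place of MD5 and PDO bound parameters in place of interpolated values. The in-memory SQLite database (needs the pdo_sqlite extension), the function names and the sample credentials are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the in-memory database and the sample credentials are constructed.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash() output is longer than an MD5 hex digest, so the
    // column is wider than the CHAR(32) that fits MD5.
    $db->exec('CREATE TABLE users (
        user_name VARCHAR(64) PRIMARY KEY,
        email     VARCHAR(255) NOT NULL,
        user_pass VARCHAR(255) NOT NULL
    )');
    return $db;
}

function register_user(PDO $db, string $name, string $email, string $password): void
{
    // Hash the same variable that was validated, and store only the hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO users (user_name, email, user_pass) VALUES (:name, :email, :hash)'
    );
    // Bound parameters keep quotes in the input out of the SQL text.
    $stmt->execute([':name' => $name, ':email' => $email, ':hash' => $hash]);
}

function check_login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT user_pass FROM users WHERE user_name = :name');
    $stmt->execute([':name' => $name]);
    $stored = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matches.
    if ($stored === false) {
        return false;
    }
    // The algorithm and salt are read back from the stored hash itself.
    return password_verify($password, $stored);
}

$db = open_db();
register_user($db, 'steven', 'steven@example.test', "pa'ss; word");
var_dump(check_login($db, 'steven', "pa'ss; word")); // matching password
var_dump(check_login($db, 'steven', 'wrong'));       // wrong password
var_dump(check_login($db, 'nobody', 'anything'));    // unknown user
```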