I would really prefer that the password was not visible to me, and at least showed up as ****, so that the password is still usable when I try to add credits to their accounts, but not visible to me. I know I would not use their passwords for anything unethical, but I feel better knowing I am doing my best to keep my members' information protected.
If anyone thinks they can help me, I can show you the script I have so you can see if you can help me fix it.
Thanks
Jessica Tracy
[edited by: coopster at 5:57 pm (utc) on Feb. 27, 2006]
Encrypting passwords is a common and good practice. You are right, why would you or anybody else ever need to see the plain text password? Typically you will see folks using the md5() [php.net] hash function to *encrypt* the password for storage and this happens when the account is initially set up (added/inserted to the storage file) as well as any time a password change or update occurs.
Note that since you will be changing it in those two places, you are also going to need to change the code where the authentication occurs, where the user signs in. If the passwords are being stored in plain text today, then the comparison is being done in the same manner. You will need to md5 hash the user-supplied password during login to compare to the md5 value that you will now be storing.
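The flow the reply describes (hash when the account is set up or the password changes, hash again at login and compare), as an added example that is not code from the thread. It uses PHP's password_hash() and password_verify() in place of md5(), because they salt each stored hash; the `$members` array, the function names and the sample passwords are constructed stand-ins for the site's real storage, and keying credits on the member name is an assumption about the script.

```php
<?php
// Constructed sample data: member records as they are stored today (plain text).
$members = [
    'alice' => ['password' => 'correct horse', 'credits' => 5],
    'bob'   => ['password' => 'hunter2',       'credits' => 0],
];

// One-time conversion: replace each stored plain text value with its hash.
function migrate_plaintext(array $members): array
{
    foreach ($members as $name => $row) {
        // Skip values that are already password_hash() output, so a re-run is harmless.
        if (password_get_info($row['password'])['algoName'] === 'unknown') {
            $members[$name]['password'] = password_hash($row['password'], PASSWORD_DEFAULT);
        }
    }
    return $members;
}

// Account setup and password change both store only the hash.
function set_password(array &$members, string $name, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    // Array union keeps the new hash and any existing credits; new members start at 0.
    $members[$name] = ['password' => $hash] + ($members[$name] ?? ['credits' => 0]);
}

// Login checks the submitted password against the stored hash.
function login(array $members, string $name, string $plain): bool
{
    return isset($members[$name])
        && password_verify($plain, $members[$name]['password']);
}

// Assumption: credits are looked up by member name, so the admin never needs the password.
function add_credits(array &$members, string $name, int $amount): void
{
    $members[$name]['credits'] += $amount;
}

$members = migrate_plaintext($members);
set_password($members, 'carol', 'first password');
add_credits($members, 'alice', 10);

var_dump(login($members, 'alice', 'correct horse'));
var_dump(login($members, 'alice', 'wrong guess'));
var_dump($members['alice']['credits']);
echo $members['bob']['password'], PHP_EOL; // what an admin page would now display
```

Because each hash carries its own salt, two members with the same password get different stored values, which is why login goes through password_verify() rather than comparing hash strings directly.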