Are you asking for the database to encrypt the password, PHP to store a crypted version of the password and check the user supplied version against the stored version, or something else?

Also how strong do you want the encryption?
As you could store an md5 (sha1 if you have that, as this takes longer to crack) hash of the password, then compair the md5/sha1 hash of the user supplied password to the hash in the database. Or are you actually after a proper 2 way encryption?
[uk.php.net...] is the mycrypt documentation if you are after proper encryption.

I'm not quite sure what you mean, but having designed several security systems in the past...

There are a few key points in implementing password security, especially where databases are involved. I won't get into everything here, but this should at least get you started.

First off, ALWAYS encrypt passwords with one-way, irreversible hashes. Based on your question, this is what you're wanting to do anyway, but it bears repeating. You should never, for any reason whatsoever, have to decrypt a password. Because of this, functions like md5 and sha1 should be your preferred methods of encryption.

In addition, encrypt the password the instant it reaches your code. No sense allowing someone to possibly log plaintext passwords as they pass through your page--and passwords are for comparison only; they shouldn't ever need to have any operation but encryption performed on them.

Thirdly, there's no need whatsoever to pull the password out of the database. Ever.

Fourth, encrypting passwords 2-3 times is preferable when using md5 and sha1, as these algorithms both have flaws that could allow a hacker with some time to compromise them.

With PHP 5, the hash() function becomes available, giving you more advanced forms of encryption, but again, it's still better to do at least two layers of encryption.

Taking these items into account, we could have something like this:

//Connect to DB in whatever fashion necessary here
$con = mysql_connect();

//Escape username string--if this is not done, the user could log in simply by entering ' OR 1=1--
$username = mysql_real_escape_string( $_POST["username"] );
$password = sha1( md5( sha1( $_POST["password"] ) ) );

$res = mysql_query( "SELECT COUNT(*) AS logged_in FROM users WHERE username = '".$username."' AND password = '".$password."'", $con );
$row = mysql_fetch_assoc( $res );

if ( $row["logged_in"] > 0 )
{
//User is logged in
}
else
{
//User is not logged in
}

[edited by: WesleyC at 7:27 pm (utc) on Aug. 15, 2007]

maybe look at this
[phpsec.org...]

wow thanks. i learned a lot!