<p>In fact, password encryption has nothing in common with MySQL injection. You should (MUST!) do these things separately.</p>
<p>Password encryption (or in this case hashing) will make a possible hacker who gained access to your database unable to use your users' passwords. Hash functions are one way: you can create a hash from a password, but no password from a hash. The only way to get a password from a hash is to hash every possible combination of chars and check whether this hash equals the one in the DB. Most users use the simple md5() or sha256() functions in PHP. In fact it works, but the problem with those functions is their simplicity. They were created to calculate checksums of files, so they had to be fast. That's what makes them easier to brute-force. To avoid being brute-forced you can:</p>
<p>a) Add a 'salt' and keep using md5 / sha256. A salt is a random string added to the user's password before hashing. You must create an additional column in your database, next to 'password' for example. Each user should get a random salt at least 32 chars long. The 'password' field is created using md5(salt . users_password). If you want to check the password on login: get the password and salt fields from the database, get the user's password from POST and compare md5(salt . user_password_from_post) to 'password' in the database. Even if the user's password is short, it becomes long and complex because of the salt. To crack / brute-force all 8-char passwords you need only ~80^8 hashes, but to brute-force a salted 8-char password you need ~80^40, which is 80^32 times longer.</p>
<p>b) Use the blowfish algorithm: <a href="http://php.net/manual/en/function.crypt.php" rel="nofollow">http://php.net/manual/en/function.crypt.php</a>. Blowfish was created from the beginning to crypt passwords. You also have to use a salt, but you can also specify a 'cost' parameter which indicates how complex the hash would be. More complex = more CPU usage on every password check, but also more safety. Passwords secured with blowfish, a 16-byte salt and a cost of at least 10 are said to be safe.</p>
<p>To avoid being SQL-injected you should escape every parameter passed to your query. mysql_real_escape_string() becomes your friend.</p>
<pre><code>$Query = sprintf("SELECT UserId, Password, Salt FROM Users WHERE Username='%s'",
                 mysql_real_escape_string($_POST['Username']));
mysql_query($Query);
</code></pre>
<p>If</p>
<pre><code>$_POST['Username'] = "'; DROP TABLE Users; --"
</code></pre>
<p>your query without escaping would become:</p>
<pre><code>"SELECT UserId, Password, Salt FROM Users WHERE Username=''; DROP TABLE Users; --'"
</code></pre>
<p>With this query any user can destroy your database without any problem. With mysql_real_escape_string, the query would look like:</p>
<pre><code>"SELECT UserId, Password, Salt FROM Users WHERE Username='\'; DROP TABLE Users; --'"
</code></pre>
<p>Now your database is safe.</p>
<p>The complete code for checking the password (you should have username(128), password(32), salt(32) in the DB):</p>
<pre><code>// mysql_real_escape_string() needs an open mysql_connect() connection.
function CheckPassword($Username, $Password)
{
    $Escaped = mysql_real_escape_string($Username);

    // First check that the user exists at all.
    list($Count) = mysql_fetch_array(mysql_query(sprintf(
        "SELECT COUNT(*) FROM Users WHERE Username='%s'", $Escaped)));
    if (!$Count) {
        return false; // No such user
    }

    // Fetch the stored hash and the per-user salt.
    list($Password_Db, $Salt) = mysql_fetch_array(mysql_query(sprintf(
        "SELECT Password, Salt FROM Users WHERE Username='%s'", $Escaped)));

    // Recompute md5(salt . password) and compare with strict equality (===),
    // so that PHP's loose == comparison cannot treat two different hex
    // strings as equal numbers.
    return md5($Salt . $Password) === $Password_Db;
}
</code></pre>
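Part (b) of the answer above describes blowfish hashing through crypt() but gives no code for it. The block below is an added example, not code from the answer or from the PHP manual page it links to. It shows how to build the "$2y$" setting string with a 16-byte random salt and a chosen cost, how to verify a login against the stored hash, and why no separate Salt column is needed for this scheme: the cost and salt are embedded in the 60-character hash that crypt() returns. The function names blowfish_salt, blowfish_hash and blowfish_verify are my own, and the example assumes PHP 7 or later for random_bytes() and scalar type declarations (hash_equals() itself needs PHP 5.6 or later).

```php
<?php
// Added example (not from the original answer): blowfish password hashing via
// crypt(), as described in part (b) of the answer. Helper names are my own.
// Assumes PHP >= 7 (random_bytes(), scalar types); "$2y$" needs PHP >= 5.3.7.

function blowfish_salt(): string
{
    // 16 random bytes encoded as 22 characters of the bcrypt alphabet ./A-Za-z0-9.
    // base64 of 16 bytes is 24 chars ending in "==", so strip the padding and
    // map '+' to '.' ('/' is already valid in the bcrypt alphabet).
    $bytes = random_bytes(16);
    $b64   = strtr(rtrim(base64_encode($bytes), '='), '+', '.');
    return substr($b64, 0, 22);
}

function blowfish_hash(string $password, int $cost = 10): string
{
    // Each +1 on the cost doubles the work (2^cost key-setup rounds), for the
    // attacker as well as for every login check on your own server.
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // Setting string layout: $2y$ + two-digit cost + $ + 22-char salt.
    $setting = sprintf('$2y$%02d$%s', $cost, blowfish_salt());
    $hash    = crypt($password, $setting);

    // crypt() signals failure by returning a short string such as "*0"
    // instead of throwing, so check the length of the result.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not produce a bcrypt hash');
    }
    return $hash;
}

function blowfish_verify(string $password, string $stored): bool
{
    // Passing the stored hash as the "salt" makes crypt() reuse the cost and
    // salt embedded in its first 29 characters, so recomputing is enough.
    // Note: bcrypt only uses the first 72 bytes of the password.
    $candidate = crypt($password, $stored);
    // Constant-time comparison; a plain == or === leaks timing information.
    return hash_equals($stored, $candidate);
}

// Usage: store $stored in the Password column (VARCHAR(60)); no Salt column.
$stored = blowfish_hash('correct horse battery staple', 12);
$ok     = blowfish_verify('correct horse battery staple', $stored);
$bad    = blowfish_verify('wrong password', $stored);
```

When migrating from the md5(salt . password) scheme in the answer, widen the password column to 60 characters first; the "$2y$12$..." prefix of the stored value also tells you which records have already been converted, so you can re-hash each user's password with blowfish on their next successful login.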