PHP-and-MySQL/C4/MD5-Encryption/English-timed
From Script | Spoken-Tutorial
Time | Narration |
00:00 | Hello. If you're concerned about PHP security, then this tutorial will take you through the MD5 function. |
00:09 | It's a predefined function that converts a string to an MD5 hash and allows you to secure your data. |
00:16 | The 'MD5 hash' uses a one-way algorithm, so it cannot be decrypted; it can only be encrypted. |
00:21 | The only way to find out an 'MD5 hash' is to convert a string to an 'MD5 hash' as well and compare it to a string that has already been converted to a hash. |
00:31 | If you don't know what I mean, I'll be going through it in this tutorial. |
00:38 | I'll start by predefining a string that's going to be my password. |
00:45 | I'll call it '$user password' and that will have the value "abc". |
00:55 | Next I'll create a new variable called '$user password e n c', which stands for encryption, and I'll define my 'MD5' function, which is basically m, d and 5. |
01:09 | Anything can go in here so you can give anything that you want to encrypt in here. |
01:13 | But for now I'll encrypt my $user password variable that we defined up here. |
01:18 | And if we just echo this out, you can see that we get our... |
01:27 | value of our 'MD5' encrypted script, which is this. |
01:32 | You can see that it starts with nine hundred and I think there are around 20 common characters here. |
01:39 | But whatever I change the value to, this is pretty much going to stay the same length. |
01:44 | The only thing that will change is the content. |
01:52 | So, we have an encrypted string whereby the hash you see here is equal to 'abc'. |
02:00 | Now I'll make a program here quickly or a script that's going to take an input from the user and it will check to see if the password is 'abc'. |
02:10 | Now the way we can do it traditionally is by taking out our encryption. |
02:17 | We can do a simple check to say if the POST password is equal to our $user password then do something otherwise do something else. |
02:29 | So, for example, you can have an error saying 'incorrect password' and here you can say 'your password has successfully matched the user password'. |
02:38 | So when we are taking into account data that we either have in POST variables or that is contained in the database,... |
02:45 | this value may have been extracted from the database, and databases can be broken into, unfortunately. |
02:51 | Therefore if a database can be broken into, you will want every password belonging to your users to be encrypted, so that they are much harder to find. |
03:04 | Obviously, 'abc' will be an easy one to break into as the turn goes because abc will be a common password. |
03:12 | By converting 'abc' to an MD5 hash you can compare it to an MD5 hash already stored in your database, and if these two hashes match then they'll know that the MD5 hash equals 'abc', as they had already hashed it just to start with. |
03:29 | Anyway, what we'll do is we'll be taking this value here - our 'user password encrypted' - and we'll compare our posted password to our encrypted password. |
03:47 | Now what we actually need to do is to be able to compare '$user password enc'. |
03:55 | This, as it stands, is encrypted and this posted password as it stands is not encrypted. |
04:01 | So, if you take the MD5 hash of the posted password and compare that to the MD5 hash of the stored password, we can let our user know if they've entered the correct or right password. |
04:14 | So I'll say, if the MD5 hash of a posted password is equal to the MD5 hash of the stored password, which is here, this is the variable we're using here, then we can display the correct message or we can display an error message. |
04:33 | And if they do match then I'll say clear this script and write "Correct" otherwise I'll just kill the script and say "Incorrect". |
04:48 | At the moment, we can't compare these because we haven't posted any variables. |
04:53 | Down here I'll create a form. |
04:57 | Method is also going to be POST because we're using the POST method up here. |
05:01 | And the action is going to be my page that is currently on which is 'md5 dot php'. |
05:08 | Next I'll just create two elements for this, the first of which is an input text box, and I'll give it the name 'password'. |
05:14 | The only reason I'm using type 'text' is so you can see the content; otherwise you can give it type 'password' to blank out the characters. |
05:22 | Next, I'll have an input box and this will say, let's just say, 'Login' for now because this is a typical use for an MD5 encryption which would be a log-in script. |
05:34 | When I refresh my page you can see Incorrect at the moment. |
05:38 | That's because we're not checking for our POST variable. |
05:41 | Here I could just say if 'password' exists then we can echo out all this code and we can indent this to make it more readable. Let me get this back here. |
06:00 | Okay, so if our 'password' has been submitted which means this form has been submitted with this value then we are saying "Does the MD5 hash of the encrypted password that is the password entered in the form which is our POST variable over here, equal the hash of the password stored"? |
06:18 | So, we're dealing with encrypted data in this if statement here. |
06:23 | If it is matching then we can display this, otherwise we can display "Incorrect". So let's refresh that again. |
06:29 | Now my password is 'abc'. So, if I type 'Alex' as my password, you can see we get an 'Incorrect' error message. |
06:37 | If we type 'abc' as our password, which is correct, you can see we get a "Correct" message. |
06:43 | Just to give you an idea of the content, what I can do here is say echo and "compared" and let's take our '$user password' - in fact, no - let's take our encrypted password. |
07:07 | So compare "$user password enc to" - I'll just concatenate on that and the posted 'password'. |
07:14 | We want all of it to be encrypted so here I'll type 'md5'. |
07:20 | The best way to do this is to create a new variable up here saying 'md5' - cut this - so 'enc' or '$submitted enc' equals that. |
07:37 | Then we can just replace our variable in here, so it makes it a bit more... a bit more fluent. |
07:49 | It doesn't make it work any better or any less. |
07:56 | But here when we choose 'abc' and we click Login and we have got an error. |
08:01 | Let's come back and check... and it's because we need to put these in curly brackets, since we've got two lines of code here. |
08:16 | Let's go back, click back, choose 'abc' and we are comparing this here, to this here. |
08:26 | Let's just break it up here, so we can see what's going on. |
08:34 | Okay, so we've compared this here to this here. |
08:38 | You can see they're exactly the same MD5 hash. However, this here is the stored password and this is the password that we've submitted. |
08:46 | So, you can see that we're checking our submitted encrypted to our stored encrypted. |
08:51 | This has many uses; you can use it in databases: when you are registering a user in a database, encrypt the password, then store it. |
08:59 | If you are checking a log-in form for a password, encrypt the password the user entered in the log-in form and check that against the encrypted password in the database. |
09:08 | So, you can see that this has lots of uses and it's really easy to declare. You just need to have an md5() function here. |
09:16 | That's all you really need to know now on MD5 functions and how to use them and how to apply them to your forms. |
09:23 | Okay, thanks for watching. |
09:26 | I have some other security tutorials that are coming up; so look out for those. Bye. |
09:29 | This is Joshua Mathew, dubbing for the Spoken Tutorial Project. |
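As an added example that is not part of the original tutorial, here is the complete md5.php script the narration builds up, assembled with the assumed variable names $user_password, $user_password_enc and $submitted_enc (the transcript only spells them aloud), followed by the form it needs. The hash_equals() comparison and the password_hash()/password_verify() alternative are additions for stored passwords, not something the tutorial shows.

```php
<?php
// Reconstructed from the tutorial's narration; variable names are assumed.
$user_password     = "abc";               // the stored password in plain text
$user_password_enc = md5($user_password); // its MD5 hash, as it would sit in a database

// The tutorial's check: hash what the user typed and compare hash to hash.
function check_md5(string $submitted, string $stored_hash): bool
{
    $submitted_enc = md5($submitted);
    // hash_equals() is an addition: a constant-time string comparison.
    return hash_equals($stored_hash, $submitted_enc);
}

// Addition: for real password storage PHP provides password_hash()/password_verify(),
// which use a salted, deliberately slow algorithm (bcrypt by default) instead of md5().
// Store password_hash("abc", PASSWORD_DEFAULT) and verify with this function.
function check_password_hash(string $submitted, string $stored_hash): bool
{
    return password_verify($submitted, $stored_hash);
}

if (isset($_POST['password'])) {
    $submitted_enc = md5($_POST['password']);
    if (check_md5($_POST['password'], $user_password_enc)) {
        echo "Correct<br />";
    } else {
        echo "Incorrect<br />";
    }
    // The tutorial's debugging line: show the stored and submitted hashes side by side.
    echo "Compared " . $user_password_enc . "<br /> to " . $submitted_enc;
}
?>

<form action="md5.php" method="POST">
    <input type="password" name="password" />
    <input type="submit" value="Login" />
</form>
```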