PHP-and-MySQL/C4/MD5-Encryption/English
From Script | Spoken-Tutorial
Time | Narration |
---|---|
0:00 | Hello. If you're concerned about PHP security, then this tutorial will take you through the MD5 function. |
0:09 | It's a predefined function that converts a string to an MD5 hash and allows you to secure your data. |
0:16 | The MD5 hash uses a one-way algorithm so it cannot be decrypted - it can only be encrypted. |
0:21 | The only way to find out an MD5 hash is to convert a string to an MD5 hash as well and compare it to a string that has already been converted to a hash. |
0:31 | If you don't know what I mean, I'll be going through it in this tutorial. |
0:38 | I'll start by predefining a string that's going to be my password. |
0:45 | I'll call it 'user password' and that will have the value 'abc'. |
0:55 | Next I'll create a new variable called 'user password e n c', which stands for encryption, and I'll define my MD5 function, which is basically m, d and 5. |
1:09 | Anything can go in here so you can give anything that you want to encrypt in here |
1:13 | But for now I'll encrypt my user password variable that we defined up here. |
1:18 | And if we just echo this out, you can see that we get our... |
1:27 | our value of our MD5 encrypted script which is this. |
1:32 | You can see that it starts with nine hundred and I think there are around 20 common characters here |
1:39 | But whatever I change the value to, this is pretty much going to stay the same length. |
1:44 | The only thing that will change is the content. |
1:52 | So we have an encrypted string whereby the hash you see here is equal to 'abc'. |
2:00 | Now I'll make a program here quickly or a script that's going to take an input from the user and it will check to see if the password is 'abc'. |
2:10 | Now the way we can do it traditionally is by taking out our encryption. |
2:17 | We can do a simple check to say if the post password is equal to our user password then do something otherwise do something else. |
2:29 | So for example you can have an error saying 'incorrect password' and here you can say 'your password has successfully matched the user password'. |
2:38 | But when we are taking into account data that we are either having in post variables or are contained in the data base,... |
2:45 | This value may have been extracted from the data base and data bases can be broken into unfortunately. |
2:51 | Therefore if a data base can be broken into you will want every password belonging to your users to be encrypted, so that they are much harder to find. |
3:04 | Obviously, 'abc' will be an easy one to break into as the turn goes because abc will be a common password. |
3:12 | By converting 'abc' to a MD5 hash you can compare it to a MD5 hash already stored in your data base and if these two hashes match then they'll know that the MD5 hash equals 'abc', as they had already hashed just to start with. |
3:29 | Anyway what we'll do is we'll be taking this value here - our user password encrypted - and we'll compare our posted password to our encrypted password. |
3:47 | Now what we actually need to do is to be able to compare 'user password enc' |
3:55 | This as it stands is encrypted and this posted password as it stands is not encrypted. |
4:01 | So if you take the MD5 hash of the posted password and compare that to the MD5 hash of the stored password, we can let our user know if they've entered the correct or right password. |
4:14 | So I'll say if the MD5 hash of a posted password is equal to the MD5 hash of the stored password, which is here, this is the variable we're using here, then we can display the correct message or we can display an error message. |
4:33 | And if they do match then I'll say clear this script and write 'correct' otherwise I'll just kill the script and say 'incorrect'. |
4:48 | At the moment we can't compare these because we haven't posted any variables |
4:53 | Down here I'll create a form. |
4:57 | Method is also going to be POST because we're using the post method up here |
5:01 | And the action is going to be my page that is currently on which is 'MD5 dot php'. |
5:08 | Next I'll just create two elements of this which is an input text box and I'll give the name of password. |
5:14 | The only reason I'm using this as type text is so you can see the content otherwise you can give it a password to blank out the characters. |
5:22 | Next, I'll have an input box and this will say, let's just say log in for now because this is a typical use for an MD5 encryption which would be a log-in script. |
5:34 | When I refresh my page you can see 'incorrect' at the moment. |
5:38 | That's because we're not checking for our post variable. |
5:41 | Here I could just say if password exists then we can echo out all this code and we can indent this to make it more readable. Let me get this back here. |
6:00 | Okay so if our password has been submitted, which means this form has been submitted with this value, then we are saying "Does the MD5 hash of the encrypted password that is the password entered in the form, which is our post variable over here, equal the hash of the password stored?" |
6:18 | So we're dealing with encrypted data in this if statement here. |
6:23 | If it is matching then we can display this otherwise we can display 'incorrect'. So let's refresh that again. |
6:29 | Now my password is 'abc' so if I type 'Alex' as my password, you can see we get an 'incorrect' error message. |
6:37 | If we type 'abc' as our password, which is correct, you can see we get a 'correct' message |
6:43 | Just to give you an idea of the content what I can do here is I can say echo and I can say 'compared' and let's take our user password - in fact, NO - let's take our encrypted password. |
7:07 | So compare 'user password enc' to - I'll just concatenate on that and the posted password |
7:14 | We want all of it to be encrypted so here I'll type MD5. |
7:20 | The best way to do this is to create a new variable up here saying, MD5 - cut this - so 'enc' or 'submitted enc' equals that. |
7:37 | Then we can just replace our variables in here so it makes it a bit more... a bit more fluent. |
7:49 | It doesn't make it work any better or any less. |
7:56 | But here when we choose 'abc' and we click log in, we have got an error. |
8:01 | Let's come back and check... and it's because we need to put these in curly brackets since we've got two lines of code here. |
8:16 | Let's go back, click back, choose 'abc' and we are comparing this here to this here. |
8:26 | Let's just break it up here so we can see what's going on. |
8:34 | Okay so we've compared this here to this here. |
8:38 | You can see they're exactly the same MD5 hash, however this here is the stored password and this is the password that we've submitted. |
8:46 | So you can see that we're checking our submitted encrypted to our stored encrypted. |
8:51 | This has many uses, you can use it in data bases when you are registering a user in a data base, encrypt the password then store it. |
8:59 | If you're checking in a log in form for a password, encrypt the password the users entered in the log in form and check that to the encrypted password at the data base. |
9:08 | So you can see that this has lots of uses and it's really easy to declare. You just need to have an MD5 function here. |
9:16 | That's all you really need to know now on MD functions and how to use them and how to apply them to your forms. |
9:23 | Okay thanks for watching. |
9:26 | I have some other security tutorials that are coming up so look out for those. Bye. |
9:29 | This is Joshua Mathew dubbing for the Spoken Tutorial Project. |