Tony Stark Tony Stark - 4 months ago 23
SQL Question

What to modify in this php for no password encryption

Problem:

I have a login/registration app which stores password in encrypted form on MySQL server database. I want to have no encryption in the user password for future recovery. This PHP is not made by me neither I have that expertise to edit it. If you guys can help how to remove encryption in this so that I can see password of users in database. Novice here.

P.S- I don't want users credentials for any misuse. I tried many methods of providing a password recovery system to the users but nothing worked. So I want to keep password visible to me in database so that if someone request for his/her password I should be able to provide them.

<?php
class DB_Functions
{
private $db;

//put your code here
// constructor
function __construct() {
require_once 'DB_Connect.php';
// connecting to database
$this->db = new DB_Connect();
$this->db->connect();
}

// destructor
function __destruct() {

}

/**
* Storing new user
* returns user details
*/
public function storeUser($name, $email, $password, $number) {
$uuid = uniqid('', true);
$hash = $this->hashSSHA($password);
$encrypted_password = $hash["encrypted"]; // encrypted password
$salt = $hash["salt"]; // salt
$result = mysql_query("INSERT INTO users(unique_id, name, email, encrypted_password, number, salt, created_at) VALUES('$uuid', '$name', '$email', '$encrypted_password', '$number', '$salt', NOW())");
// check for successful store
if ($result) {
// get user details
$uid = mysql_insert_id(); // last inserted id
$result = mysql_query("SELECT * FROM users WHERE uid = $uid");
// return user details
return mysql_fetch_array($result);
} else {
return false;
}
}

/**
* Get user by email and password
*/
public function getUserByEmailAndPassword($email, $password) {
$result = mysql_query("SELECT * FROM users WHERE email = '$email'") or die(mysql_error());
// check for result
$no_of_rows = mysql_num_rows($result);
if ($no_of_rows > 0) {
$result = mysql_fetch_array($result);
$salt = $result['salt'];
$encrypted_password = $result['encrypted_password'];
$hash = $this->checkhashSSHA($salt, $password);
// check for password equality
if ($encrypted_password == $hash) {
// user authentication details are correct
return $result;
}
} else {
// user not found
return false;
}
}

/**
* Check user is existed or not
*/
public function isUserExisted($email) {
$result = mysql_query("SELECT email from users WHERE email = '$email'");
$no_of_rows = mysql_num_rows($result);
if ($no_of_rows > 0) {
// user existed
return true;
} else {
// user not existed
return false;
}
}

/**
* Encrypting password
* @param password
* returns salt and encrypted password
*/
public function hashSSHA($password) {

$salt = sha1(rand());
$salt = substr($salt, 0, 10);
$encrypted = base64_encode(sha1($password . $salt, true) . $salt);
$hash = array("salt" => $salt, "encrypted" => $encrypted);
return $hash;
}

/**
* Decrypting password
* @param salt, password
* returns hash string
*/
public function checkhashSSHA($salt, $password) {

$hash = base64_encode(sha1($password . $salt, true) . $salt);

return $hash;
}} ?>

Answer

Function storeUser using for save record to database And you can see this line

$hash = $this->hashSSHA($password);
$encrypted_password = $hash["encrypted"]; // encrypted password
$salt = $hash["salt"]; // salt

If you don't want save encrypted password just modify

$result = mysql_query("INSERT INTO users(unique_id, name, email, encrypted_password, number, salt, created_at) VALUES('$uuid', '$name', '$email', '$password', '$number', '$salt', NOW())");

P/s: I'm not recommend using this method to save password. This's bad solution. Please try to encrypt password and if user want to reset. Just give them one link do it by email.