what am I doing wrong in the password script
 

Hi All,

I am a beginner lvl prgmr

I am trying to fire a query to the user table in the database. My goal is to display the value of password as "Orig text", as the passwords are encrypted in the database table.

What am I doing wrong? Can you take a look at the line 14
"$password2 = md5(md5($pass['password']) . $pass['salt']); " Is this correct?
I am unable to show the passwords in simple text.

I am running vBulletin 3.68

<?php
mysql_connect("your.hostaddress.com", "username", "password") or die(mysql_error());
mysql_select_db("Database_Name") or die(mysql_error());

$data = mysql_query("SELECT * FROM user")
or die(mysql_error());
Print "<table border cellpadding=3>";
while($pass = mysql_fetch_array( $data ))
{
Print "<tr>";
Print "<th>UserName:</th> <td>".$pass['username'] . "</td> ";

$password2 = md5(md5($pass['password']) . $pass['salt']);
Print "<th>As stored in db</th> <td>".$pass['password'] . "</td> ";
Print "<th>Clear text password:</th> <td>".$password2. "</td> ";

Print "<th>salt:</th> <td>".$pass['salt'] . " </td></tr>";
}
Print "</table>";
?>

Tx in advance

You said it yourself- the passwords are encrypted and cannot be show in plain text.

Ok, I understand that since they are encrypted, the passwords cant be seen in "Orig Text". So is the encryption taking place at the MySql server level or is it in php?

sorry, am a newbie in php, hence these kinda questions ;)

In php. the md5 function is used to encrypt the password, which is then saved in the database. To check the user's password when they log in, it's md5ed and then that hash is compared with what's stored in the database.

Got it. That makes a sense.
Tx much

but for my general knowledge purposes, if you use something to encrypt, isnt there something else to decrypt it?

Or is the whole concept of decrypting a whole different science?

By default, the passwords are sent to the server hashed once. So not even the server knows the plain-text.

The correct terminology is actually "hash" instead of "encrypt". Although encrypt is widely used and regarded as correct anyway. MD5 is a "one-way" hash, there are ways to retrieve the original text, but in no way is it "decrypting".

There are ways to try and guess the original text - but you can never be sure, because all they do is try and find text that generates the same hash, it may not actually be the same text you end up with (in the case of passwords that doesn't really matter of course, as long as it works).

Thank you all very much.

This has been very useful session for me.