MySqli Authentication: How to Convert Text Password to Encrypted Password

I have a MySqli generated user authentication login system which currently uses text passwords.
1. I would like to add a new field to the DB table for an encrypted password and then update each user's password as encrypted. How do I input into this this field via an update form using the appropriate security such as "crypt" ?
2. With forgot password I would like to then be able to e-mail a link for the user to update their password.
3. Can I adapt my current login system or should I start over from scratch?

First you would have to update your login and user update page to make sure they save an encrypted value in the database. I'd probably create a copy of the existing pages and edit them to get that working.

Then you can work on updating the login page to work with the newly registered users.

Then the final step would be to create the update password page and send out the emails to the existing users to update their passwords. Make sure your forgot password page uses the same reset password logic for users that might miss the email.

I wouldn't start from scratch, but it isn't a small amount of work to pull off with all of the pages effected.

I need to build a new log-in system based on existing users. The issue I have is that I have three sections of our website that require a log-in and I have three different user tables. As some of the users have access to one or more sections, they have to log-in to each section separately. I would like to create just one table that manages all the passwords for all of the sections. I assume I can join the tables via the e-mail address field.

So I have created a new table that is already populated with existing user data.
If I add a new user, or update an existing user how do I add a new encrypted password - for example to the following insert code?

And, is there an advantage to use "crypt" instead or "hash" to encrypt the password?

$InsertQuery->bindColumn("new_password", "s", "".((isset($_POST["new_password"]))?$_POST["new_password"]:"") ."", "WA_DEFAULT");

Thanks

You would just wrap the second reference to $_POST["new_password"] with the encryption function you want to use, like:

$InsertQuery->bindColumn("new_password", "s", "".((isset($_POST["new_password"]))?hash("sha256", $_POST["new_password"]):"") ."", "WA_DEFAULT");

Thanks, Ray. I have the PW encryption working!

I will probably need a premium support ticket on this. However, I have tried to update one of my log-in forms by joining the new table with an existing table using the common email address. However, I am getting "There is an error in your SQL syntax" when I try to log-in. So something is not right.

sa_user is my new table
class_admin is the data table I need to access
and
sa_password is the new encrypted password
class_email and sa_email are identical in both tables

Thanks for any help.
-----------------------------


<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$Authenticate = new WA_MySQLi_Auth($mysqli2);
$Authenticate->Action = "authenticate";
$Authenticate->Name = "user";
$Authenticate->Table = "sa_user";
$Authenticate->addFilter("sa_password", "=", "s", "".((isset($_POST["sa_password"]))?$_POST["sa_password"]:"") ."");
$Authenticate->addFilter("class_email", "=", "s", "".((isset($_POST["class_email"]))?$_POST["class_email"]:"") ."");
$Authenticate->storeResult("class_admin_id", "class_admin_id");
$Authenticate->AutoReturn = false;
$SuccessRedirect = "en/index.php";
$FailedRedirect = "log_in_failed_en.php";
if (function_exists("rel2abs")) $SuccessRedirect = $SuccessRedirect?rel2abs($SuccessRedirect,dirname(__FILE__)):"";
if (function_exists("rel2abs")) $FailedRedirect = $FailedRedirect?rel2abs($FailedRedirect,dirname(__FILE__)):"";
$Authenticate->SuccessRedirect = $SuccessRedirect;
$Authenticate->FailRedirect = $FailedRedirect;
$Authenticate->execute();
}?>
<?php
$rsMarket = new WA_MySQLi_RS("rsMarket",$mysqli2,1);
$rsMarket->setQuery("SELECT * FROM class_admin INNER JOIN sa_users ON class_email = sa_email WHERE class_admin_id = ?");
$rsMarket->bindParam("i", "".(isset($_GET['class_admin_id'])?$_GET['class_admin_id']:"") ."", "-1"); //colname
$rsMarket->execute();
?>

That usually means a column name is wrong. You can turn on debugging in your rsobj.php file and it may give you a better error.

So far no luck with deciphering the Syntax error.

So I decided to test the encrypted password on an existing table where I added a new PW field: sa_password and then I updated a record with an encrypted password.

Using the same log-in page with the same MySQli authentication code and which I also changed the input form field name from member_password to sa_password

This code works using the password as pure text:

$Authenticate->addFilter("member_email", "=", "s", "".((isset($_POST["member_email"]))?$_POST["member_email"]:"") ."");
$Authenticate->addFilter("member_password", "=", "s", "".((isset($_POST["member_password"]))?$_POST["member_password"]:"") ."");

but this code using the new encrypted password does not:

$Authenticate->addFilter("member_email", "=", "s", "".((isset($_POST["member_email"]))?$_POST["member_email"]:"") ."");
$Authenticate->addFilter("sa_password", "=", "s", "".((isset($_POST["sa_password"]))?$_POST["sa_password"]:"") ."");

Does something else need to be changed in order for the encrypted password to be recognized?

Yes, you would have to encrypt the password in the authenticate server behavior as well so you are comparing encrypted value to encrypted value. Currently you are looking up an unencrypted value.

Thanks Ray,

I now have it working with this code:

$Authenticate->addFilter ("sa_password", "=", "s", "".((isset($_POST["sa_password"]))?hash("sha256", $_POST["sa_password"]):"") ."");