i've made a complete - working register/login system for android, everything is over the air and server sided database, the problem is that right now my password is being saved directly into the DB ( with no ecnryption ) and i've searched tons of websites and SoF posts and threads but nothing actually helped me.
i read about md5 and sha1 , blowfish and bcrypt but couldn't understand the proper implementation of such crytography..
the connection is made using php requests. the register code is below :
if($_SERVER['REQUEST_METHOD']=='POST'){
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$Firstname = $_POST['fname'];
$Lastname = $_POST['lname'];
$Date = $_POST['Date'];
require_once('db_config.php');
$check_username_email = "SELECT * FROM Users WHERE Username ='$username' AND Email = '$email'";
$check_u_e = mysqli_fetch_array(mysqli_query($db,$check_username_email));
$check_username = "SELECT * FROM Users WHERE Username ='$username'";
$check_u = mysqli_fetch_array(mysqli_query($db,$check_username));
$check_email = "SELECT * FROM Users WHERE Email ='$email'";
$check_e = mysqli_fetch_array(mysqli_query($db,$check_email));
if(isset($check_u_e)){
echo 'Username AND Email already exist, please change them Both.';
}
else if(isset($check_u)){
echo 'Username already exists, please change it.';
}
else if (isset($check_e)){
echo 'Email already exists, please change it.';
} else{
$sql = "INSERT INTO Users(Email,Username,Bio,Password,Fname,Lname,Regiser_Date) VALUES ('$email','$username',NULL,'$password','$Firstname','$Lastname','$Date')";
if(mysqli_query($db,$sql)){
echo "You have been successfully Registered";
} else{
echo "Sorry, something went wrong - Try again.";
}
}
}else{
echo 'Server error - Please try again later.';
mysqli_close($db);
}
and my login is here :
if($_SERVER['REQUEST_METHOD']=='POST'){
$username = $_POST['username'];
$password = $_POST['password'];
require_once('db_config.php');
$sql = "SELECT * FROM Users WHERE Username = '$username' AND Password = '$password'";
$result = mysqli_query($db,$sql);
$check = mysqli_fetch_array($result);
if(isset($check)){
echo 'Logged In';
}
else{
echo 'Failed to login';
}
}
everything is fine except the encrytion. Can someone guide me through this ? i read that it needs 2 sides, one from client ( android app ) and one from php server side