MakeWebGames

How to change your DB from md5 to sha1


Dayo


Just recently I was asked, `how would I go about changing my existing DB password field from md5 to sha1`. At first I thought it would involve loads of work, but I came up with this workaround ...

Here is how I would do it ... please note you will have to edit the values in the SQL to match your DB

Right, first of all we're going to need another password field in our DB

[mysql]ALTER TABLE `usertable` ADD `oldpass` VARCHAR( 255 ) NOT NULL[/mysql]

Now we have that, we will need to transfer all the passwords from the old PW field to the `oldpass` field

[mysql]UPDATE `usertable` SET `oldpass`=`userpassfield`[/mysql]

Then run this SQL to remove them from the old field (the soon to be sha1)

[mysql]UPDATE `usertable` SET `userpassfield`=''[/mysql]

Now that's all the SQL sorted out!

Now open your register, then find the query that inserts the password to the DB and edit the md5 to sha1

You will now have to open your login handler, then find the query that selects the password from the DB, then edit it to something like this

mysql_query("SELECT * FROM `usertable` WHERE `usernamefield`='".mysql_real_escape_string($_POST['username'])."' AND (`userpassfield`='".sha1($_POST['password'])."' OR `oldpass`='".md5($_POST['password'])."')");

What this will do is look for the username and the user's password, whether it is from the OLD md5 or the new sha1

Now we need to make a new file called `newpass.php`

<?php

include 'your_connect_file.php';

// Add your header here

// We have to check if the user is still using their old MD5 password (please edit $user[''] to whatever variable you use)
if (!empty($user['oldpass'])) {
    // We check if the form is submitted (the key must match the submit button's name, "Submit")
    if (!empty($_POST['Submit'])) {
        // Now we check if all the values are entered and that the two new passwords are identical
        if (empty($_POST['old']) || empty($_POST['new']) || empty($_POST['cnew']) || $_POST['cnew'] !== $_POST['new']) {
            echo 'You need to add all values or the passwords did not match! <a href="'.basename($_SERVER['SCRIPT_FILENAME']).'">Back.</a>';
        } else {
            // If they are, we have to check the old md5 password against what they entered (again, please edit $user if need be)
            // Strict comparison: with != two hashes that look like "0e1234..." would be compared as numbers and treated as equal
            if ($user['oldpass'] !== md5($_POST['old'])) {
                echo 'The submitted password was incorrect! <a href="'.basename($_SERVER['SCRIPT_FILENAME']).'">Back.</a>';
            } else {
                // Now let's update the user's details (again, please edit the SQL to match your DB as well as the $user variable)
                // The sha1 value is a string, so it has to be quoted in the query; the id is cast to an integer
                mysql_query("UPDATE `usertable` SET `userpassfield`='".sha1($_POST['cnew'])."', `oldpass`='' WHERE `usersid`=".(int)$user['usersid']);
                echo 'Thank you, your password is now updated!';
            }
        }
    } else {
        // If the form isn't submitted, show it!
        echo '
We are increasing security on this website, to do this we need you to create a new password please enter it in below!

<form id="form1" name="form1" method="post" action="#">
 <label>
Old Password: <input name="old" type="password" id="old" />
 </label>

 <label>
New Password:  <input name="new" type="password" id="new" />
 </label>

 <label>
Confirm Password: <input name="cnew" type="password" id="cnew" />
 </label>

 <label>
 <input type="submit" name="Submit" value="Submit" />
 </label>
</form>
';
    }
}

// Add your footer here

?>

Then in a global file (file shown on all logged-in pages) add this (above any HTML code)

// exit stops the rest of the page from running once the redirect header is sent
if (!empty($user['oldpass'])) {header("Location:newpass.php"); exit;}

Then you are done! :thumbsup:

NOTE: This is a far from working script you have to alter it to fit your DB/Site :thumbup:
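
An added example, not part of the original post: because the login handler above already sees the plaintext password when it matches the `oldpass` md5, the account can be upgraded at that moment instead of forcing a visit to `newpass.php`. This sketch swaps the post's sha1 target for PHP's salted `password_hash()`; the function name `login_and_upgrade` and the in-memory `$users` array standing in for `usertable` are assumptions, and `userpassfield` is assumed wide enough (VARCHAR(255)) for the new hash.

```php
<?php
// Added example, not the original poster's code. Column names follow the post;
// the $users array is constructed sample data standing in for `usertable`.

// One legacy account as left by the post's SQL: md5 in `oldpass`, empty `userpassfield`.
$users = [
    'alice' => ['usersid' => 1, 'userpassfield' => '', 'oldpass' => md5('correct horse')],
];

/**
 * Check a login attempt and, if the account still holds a legacy md5,
 * replace it with a salted password_hash() value on the spot.
 * Returns true on a successful login; $row is updated by reference.
 */
function login_and_upgrade(array &$row, string $password): bool
{
    if ($row['oldpass'] !== '') {
        // Legacy path: constant-time compare, immune to PHP's loose "0e..." equality.
        if (!hash_equals($row['oldpass'], md5($password))) {
            return false;
        }
        // The plaintext is known to be correct here, so re-hash it now.
        $row['userpassfield'] = password_hash($password, PASSWORD_DEFAULT);
        $row['oldpass'] = '';   // the md5 must not outlive the upgrade
        return true;            // the caller persists $row with an UPDATE
    }
    if (!password_verify($password, $row['userpassfield'])) {
        return false;
    }
    // Keep stored hashes current if the default algorithm or cost changes later.
    if (password_needs_rehash($row['userpassfield'], PASSWORD_DEFAULT)) {
        $row['userpassfield'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Walk one account through the migration.
var_dump(login_and_upgrade($users['alice'], 'wrong guess'));    // wrong password, legacy row
var_dump(login_and_upgrade($users['alice'], 'correct horse'));  // correct password, legacy row
var_dump($users['alice']['oldpass'] === '');                    // has the md5 been cleared?
var_dump(login_and_upgrade($users['alice'], 'correct horse'));  // same password, upgraded row
```

In a real handler the row would be fetched by username only, passed through this function, and written back with a parameterised UPDATE when it changed.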
