On Thu, 13 Feb 2003 20:57:05 -0800 (PST), Patricia Hinman <[EMAIL PROTECTED]> wrote:
> OOPS mistake corrected
>
> I did stumble across a method call to a cryption()
> -------wrong crypt() is the method ------
>
> I have just discovered it is a unix function.  It
> doesn't decrypt. One must always crypt user input then
> check for equality.
> if (crypt ($guess, $pass) eq $pass) {
>     # guess is correct
> }
>
> I guess that means I can't use it on my Win98 box.  I
> was really hoping for a platform independent method.
>

Is there a reason why this isn't able to work in your environment (assuming crypt works on Windows, which someone stated it would)?

In general passwords should not be stored as readable text *ever* despite the contrary being used on an overly popular OS. In general, the only problem this introduces is that rather than sending someone their password, you simply create them a new one, send that to them and ask them to change it again. You do not want to start messing with encryption unless it is a core feature of what you are trying to do (aka I am employed to develop an encryption application, it makes up 50% of what our app does, so I have to concentrate on it, otherwise I wouldn't).

As an aside, you mentioned .htpasswd in another message. .htpasswd has the ability to store passwords in an encrypted format (MD5 hash or using the crypt() method); this may be the easiest method to use, aka let Apache handle the whole thing. Most likely it is better than anything you (or I, that is a royal you) could write.

http://httpd.apache.org/docs-2.0/programs/htpasswd.html
(adjust for your version of Apache)

Some databases also provide a specific field for passwords that handles all of the crypting and verifying for you automagically; check with your db docs if you are using one.

http://danconia.org
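The flow discussed in this message (keep only the crypt() hash, re-hash the guess to check it, and replace a forgotten password instead of sending it back), as an added example that is not part of the original thread. The `%users` store, the helper names and the sample passwords are constructed for illustration, and the traditional two-character salt is assumed to be supported by the local crypt().

```perl
#!/usr/bin/perl
# Added example (not from the thread). %users, the helper names and the
# sample passwords are constructed for illustration.
use strict;
use warnings;

my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
my %users;    # username => { hash => ..., must_change => 0|1 }

# Hash a new password with a fresh two-character salt; only the hash is kept.
# rand() is not a cryptographic RNG; the salt only has to differ per user.
# Traditional DES crypt() uses just the first 8 characters of the password.
sub hash_password {
    my ($plain) = @_;
    my $salt = join '', map { $SALT_CHARS[ rand @SALT_CHARS ] } 1 .. 2;
    my $hash = crypt($plain, $salt);
    die "crypt() does not support this salt format here\n"
        unless defined $hash && length($hash) == 13;
    return $hash;
}

# The check from the thread: crypt() reads the salt from the stored hash, so
# hashing the guess with the stored value reproduces it only for a match.
sub check_password {
    my ($user, $guess) = @_;
    my $stored = $users{$user} or return 0;
    my $got = crypt($guess, $stored->{hash});
    return (defined($got) && $got eq $stored->{hash}) ? 1 : 0;
}

# A forgotten password cannot be read back from the hash, so it is replaced.
# The caller supplies $temp from a cryptographically secure generator.
sub reset_password {
    my ($user, $temp) = @_;
    return 0 unless exists $users{$user};
    $users{$user} = { hash => hash_password($temp), must_change => 1 };
    return 1;
}

# Constructed demo data.
$users{pat} = { hash => hash_password('s3cretpw'), must_change => 0 };
printf "correct guess:    %d\n", check_password('pat', 's3cretpw');
printf "wrong guess:      %d\n", check_password('pat', 'letmein');
printf "unknown user:     %d\n", check_password('nobody', 's3cretpw');
reset_password('pat', 'Tmp-4821') or die "no such user\n";
printf "old after reset:  %d\n", check_password('pat', 's3cretpw');
printf "temp after reset: %d, must change: %d\n",
    check_password('pat', 'Tmp-4821'), $users{pat}{must_change};
```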