On Wed, 2008-11-12 at 18:58 +0100, Giulio Ferro wrote:
> Jesse Norell wrote:
> > The salt is the full 12 chars, $1$cHk47Kk0$, and it looks like
> > encrypt() already prepends it for you:
> >
> >
> > mysql> select encrypt('hello','$1$cHk47Kk0$');
> > +------------------------------------+
> > | encrypt('hello','$1$cHk47Kk0$')    |
> > +------------------------------------+
> > | $1$cHk47Kk0$TjUIVx0j9o/sZ0kn/IIzD. |
> > +------------------------------------+
> > 1 row in set (0.02 sec)
> >
> >
> Thanks, you saved me!
>
>
> As you showed, the mysql crypt functions already build the complete
> string, so
> it's not necessary to concat the parts:
>
> select encrypt('password to verify', 'string in passwd from the first $
> to the last $ included')
And for convenience you can actually use the hash right from the
dbmail_users table without parsing out the salt:
mysql> select encrypt('hello', '$1$cHk47Kk0$TjUIVx0j9o/sZ0kn/IIzD.') as hash;
+------------------------------------+
| hash                               |
+------------------------------------+
| $1$cHk47Kk0$TjUIVx0j9o/sZ0kn/IIzD. |
+------------------------------------+
1 row in set (0.00 sec)
> This results, if the check is successful, with the whole passwd field in
> the dbmail_users table.
One other consideration is if you want to do the comparison in the
database at all. The way you have it, your plaintext password is passed
to the database, so if your database connection is susceptible to
sniffing, or you ever enable logging of queries and don't have the log
files secured, you can leak that info. The other route is to just
retrieve the hash from the database and compare it locally (in your
perl/php/whatever app).
--
Jesse Norell
Kentec Communications, Inc.
_______________________________________________
DBmail mailing list
https://mailman.fastxs.nl/mailman/listinfo/dbmail
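The "other route" Jesse describes, fetching the hash and comparing in the application so the plaintext never crosses the database connection or lands in a query log, as an added example that is not part of the thread and not DBMail's own code. It reimplements the `$1$` MD5-crypt scheme that MySQL's `encrypt()` produced above in pure Python (the standard md5crypt construction, so it needs no `crypt` module), then checks a candidate password against the stored `passwd` value with a constant-time comparison. The `dbmail_users` row and the `fetch_stored_hash()` helper are assumptions standing in for the real query; the hash value itself is the one from the thread.

```python
import hashlib
import hmac

# Alphabet used by crypt(3) for its base64-like output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Encode the low 6*count bits of value, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Classic MD5-crypt ($1$salt$hash), as produced by crypt(3) and MySQL encrypt()."""
    salt = salt[:8]  # the scheme uses at most 8 salt characters
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # Mix in one byte per bit of the password length: NUL or the first password byte.
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds of key stretching with the fixed per-round recipe.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    # Interleaved byte order of the final digest before encoding.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt.decode("ascii") + "$" + encoded


def verify_password(candidate: str, stored_hash: str) -> bool:
    """Recompute the hash locally and compare in constant time; no plaintext leaves the app."""
    parts = stored_hash.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False  # not a $1$ hash; refuse rather than guess
    salt = parts[2].encode("ascii")
    recomputed = md5_crypt(candidate.encode("utf-8"), salt)
    return hmac.compare_digest(recomputed, stored_hash)


# Constructed stand-in for `SELECT passwd FROM dbmail_users WHERE userid = ?`.
# Only the hash travels over the DB connection; the candidate password stays here.
_SAMPLE_ROWS = {"alice": "$1$cHk47Kk0$TjUIVx0j9o/sZ0kn/IIzD."}


def fetch_stored_hash(userid: str) -> str:
    """Assumed DB lookup (hypothetical); returns the stored passwd field."""
    return _SAMPLE_ROWS.get(userid, "")


def login_ok(userid: str, candidate: str) -> bool:
    return verify_password(candidate, fetch_stored_hash(userid))


if __name__ == "__main__":
    print(md5_crypt(b"hello", b"cHk47Kk0"))
    print(login_ok("alice", "hello"), login_ok("alice", "hellp"), login_ok("bob", "hello"))
```

The salt does not need to be parsed out by hand in the application either: the stored string carries it between the second and third `$`, which is exactly what `verify_password()` reads before recomputing. If the database driver or a proxy ever logs statements, this design logs only the lookup by user id, never a password.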