Hi,
> > > So where does mysql get its salt from? Is it a random salt?
> This confused the hell out of me for around an hour!
> > You should look at the MySQL manual, not the C crypt manpage ;). And yes, this is
> > a random salt and makes life a little bit more secure.
> Ok, so you can obtain a random result (thought that was what random()
> was for), but still cannot understand how this could be useful.
If you take another look at the man page for the crypt() system call, you'll
notice that it says that "the first two characters represent the salt
itself" when mentioning what constitutes the returned value.
So, given this, you can consistently re-encrypt a string to compare against
the original by taking the first two characters and using them as the salt.
The example below demonstrates this.
mysql> select encrypt('blahblah');
+---------------------+
| encrypt('blahblah') |
+---------------------+
| IIRggo.uD7.Xk       |
+---------------------+
1 row in set (0.00 sec)
mysql> select encrypt('blahblah', 'II');
+---------------------------+
| encrypt('blahblah', 'II') |
+---------------------------+
| IIRggo.uD7.Xk             |
+---------------------------+
1 row in set (0.00 sec)
> I use
> encrypt to store password info in a database, but how do you compare the
> user entered password with the one in the database if the results vary
> the whole time? Please give me an application for this behaviour and I
> will be happy :-)
In your case, when comparing the password the user has entered against what
is in the database (an encrypted value) you first need to get the first two
characters of what is already in the database for that user. Something along
the lines of this should do the trick:
SELECT * FROM users_table WHERE username = 'johndoe' AND passwd =
ENCRYPT('secretpasswd', LEFT(passwd, 2));
Regards,
Basil Hussain
---------------------------------------
Internet Developer, Kodak Weddings
E-Mail: [EMAIL PROTECTED]
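
The salt-prefix check described in this message, as an added example that is not part of the original post or MySQL's own code: the stored value begins with its two-character salt, so verification re-hashes the candidate password with that prefix and compares the results. Assumptions: PBKDF2-HMAC-SHA256 stands in for the DES-based crypt() behind ENCRYPT(), an in-memory SQLite table stands in for MySQL, and the function names encrypt, verify, login and demo_db are hypothetical; users_table, username and passwd come from the query above.

```python
import hashlib
import hmac
import secrets
import sqlite3
import string

SALT_CHARS = string.ascii_letters + string.digits + "./"  # crypt(3) salt alphabet
SALT_LEN = 2  # traditional crypt(3) output starts with its two-character salt


def encrypt(password, salt=None):
    """Return salt + hex digest; a random salt is drawn when none is given."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(SALT_LEN))
    if len(salt) < SALT_LEN:
        raise ValueError("salt must be at least two characters")
    salt = salt[:SALT_LEN]  # like crypt(3), only the first two characters count
    # Assumption: PBKDF2 replaces the DES-based algorithm of the real crypt().
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return salt + digest.hex()


def verify(password, stored):
    """Re-hash with the salt taken from the stored value, compare in constant time."""
    if len(stored) < SALT_LEN:
        return False
    candidate = encrypt(password, stored[:SALT_LEN])
    return hmac.compare_digest(candidate.encode(), stored.encode())


def login(conn, username, password):
    """Fetch the stored hash by username (bound parameter), then verify it."""
    row = conn.execute(
        "SELECT passwd FROM users_table WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify(password, row[0])


def demo_db():
    """Constructed sample data: one user in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute(
        "INSERT INTO users_table VALUES (?, ?)", ("johndoe", encrypt("secretpasswd"))
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(login(db, "johndoe", "secretpasswd"), login(db, "johndoe", "wrong"))
```

Fetching the row by username and comparing in the application keeps the password out of the SQL text and gives the same result as the LEFT(passwd, 2) query.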