If you want to be able to store information encrypted and then decrypt it later and you use Perl, see Crypt::CBC and pick an algorithm. The only trick is that, with Blowfish at least, you need a larger field than the original. Also you must figure out how to hide the key...

On Wed, 12 Dec 2001, sherzodR wrote:

> Date: Wed, 12 Dec 2001 18:42:35 -0600 (CST)
> From: sherzodR <[EMAIL PROTECTED]>
> To: ST Ooi <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Password encryption
>
>
> When you're inserting a new password:
>
> INSERT INTO user SET password=PASSWORD('secret');
>
> But you can't retrieve the original password. If a user forgets/loses
> his/her password, just reset a password with something else, and send
> him/her that new password
>
> And when you want to check an inputted password against the encrypted one;
>
> SELECT * FROM user WHERE login="user_id" AND
> password=PASSWORD("inserted_password");
>
>
>
> ST Ooi wrote:
>
> SO: Date: Thu, 13 Dec 2001 07:52:59 +0800
> SO: From: ST Ooi <[EMAIL PROTECTED]>
> SO: To: [EMAIL PROTECTED]
> SO: Subject: Password encryption
> SO:
> SO: How can I encrypt password in database and how can I retrieve the
> SO: encrypted password?
> SO:
> SO: Thanks
> SO:
> SO: ST Ooi
> SO: Malaysia
> SO:
> SO: ----- Original Message -----
> SO: From: "Dan Nelson" <[EMAIL PROTECTED]>
> SO: To: "James McLaughlin" <[EMAIL PROTECTED]>
> SO: Cc: <[EMAIL PROTECTED]>
> SO: Sent: Thursday, December 13, 2001 7:06 AM
> SO: Subject: Re: No Database Encryption
> SO:
> SO:
> SO: > In the last episode (Dec 12), James McLaughlin said:
> SO: > > The new programmer for our company is not using the dataType
> SO: > > "password" or any encryption whatsoever for our user accounts
> SO: > > (accounts that our customers use for getting into our system) in our
> SO: > > database.
> SO: > >
> SO: > > Instead he is using the VarChar dataType.
> SO: > >
> SO: > > Can someone explain to me how I can exploit this and show them it is
> SO: > > very dangerous.
> SO: >
> SO: > It's only dangerous if a customer can trick your web frontend into
> SO: > displaying the output of "SELECT * FROM USERS", for example. If the
> SO: > frontend only uses hardcoded queries, or quotes every user-supplied
> SO: > parameter, there's no problem. In fact, you need the password in
> SO: > plaintext to support a "I forgot my password; email it to me" feature.
> SO: >
> SO: >
> SO: > --
> SO: > Dan Nelson
> SO: > [EMAIL PROTECTED]
> SO: >
> SO: > ---------------------------------------------------------------------
> SO: > Before posting, please check:
> SO: > http://www.mysql.com/manual.php (the manual)
> SO: > http://lists.mysql.com/ (the list archive)
> SO: >
> SO: > To request this thread, e-mail <[EMAIL PROTECTED]>
> SO: > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> SO: > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> SO: >
> SO:
>
> --
> Sherzod Ruzmetov <[EMAIL PROTECTED]>
> http://www.UltraCgis.com, Consultant
> 989.774.6265
> +----------------------------------------+
> | There is nothing wrong with your tools.|
> | But we can make a better one.          |
> +----------------------------------------+
>

Sincerely,

William Mussatto, Senior Systems Engineer
CyberStrategies, Inc
ph. 909-920-9154 ext. 27
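
The store / check / reset flow from sherzodR's quoted reply, as an added example that is not part of the original thread. It assumes the hashing is done in the application with salted PBKDF2 (a swapped-in technique, not MySQL's PASSWORD()), uses an in-memory SQLite table as a stand-in for the MySQL one, and binds every user-supplied value as a query parameter, which is the quoting condition in Dan Nelson's message. All function names, column names and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

ITERATIONS = 100_000  # constructed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def demo_db():
    """In-memory stand-in for the 'user' table used in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (login TEXT PRIMARY KEY, salt BLOB, password BLOB)")
    return db


def create_user(db, login, password):
    salt, digest = hash_password(password)
    # Placeholders keep user input out of the SQL text.
    db.execute("INSERT INTO user (login, salt, password) VALUES (?, ?, ?)",
               (login, salt, digest))


def check_login(db, login, password):
    row = db.execute("SELECT salt, password FROM user WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    # Constant-time comparison of the recomputed and stored digests.
    return hmac.compare_digest(digest, row[1])


def reset_password(db, login):
    """The stored value cannot be reversed, so issue a new random password."""
    new_password = secrets.token_urlsafe(12)
    salt, digest = hash_password(new_password)
    cur = db.execute("UPDATE user SET salt = ?, password = ? WHERE login = ?",
                     (salt, digest, login))
    return new_password if cur.rowcount else None
```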