Kevin Murphy wrote:
Yup, that's got it. It didn't occur to me that it's a MySQL thing.... I'm used to doing this as a PHP thing and inserting an already encrypted password into MySQL.

Anyone have any thoughts one way or another as to if this MySQL password function is better/worse than doing it all in PHP?

You're becoming reliant on MySQL to do it all which means it would be a pain to port this to another database (may or may not be a problem, no idea).


You're actually sending the password across the wire in plain text in the SQL query - that is, PHP is sending password('your_password') to the MySQL server. Not a problem if it's localhost but if it's a remote db server there is a possibility of it being captured (sniffer). If you encode it in PHP, you're sending across the hash (password='hashed_value_here').


MySQL passwords have changed between versions and may change again.

http://dev.mysql.com/doc/refman/5.1/en/password-hashing.html

Prior to MySQL 4.1, password hashes computed by the PASSWORD() function are 16 bytes long.

As of MySQL 4.1, the PASSWORD() function has been modified to produce a longer 41-byte hash value


The last one is probably the most important one.

--
Postgresql & php tutorials
http://www.designmagick.com/
