$sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
.'\'))';

I use this solution because md5 runs faster in MySQL.

On Wed, Jul 8, 2009 at 10:28 AM, Andrew Ballard<aball...@gmail.com> wrote:
> On Tue, Jul 7, 2009 at 11:05 PM, Michael A. Peters<mpet...@mac.com> wrote:
>> Carl Furst wrote:
>>
>>>
>>> <?php
>>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
>>> # when storing passwords to your database otherwise it won't work
>>> $passwd = crypt($_GET['passwd'], $salt);
>>
>> I personally use the username and the salt.
>> That way two users with identical passwords have different hashes.
>>
>> With large databases, many users will have the same password, there are some
>> that are just commonly used. The hackers know what they are, and if they get
>> your hash dump, they try their list of commonly used passwords against the
>> user names that have the common hashes.
>>
>> By using the username as part of the salt, you avoid that issue because
>> identical passwords will have different hashes.
>>
>> It does mean the password has to be reset if you allow them to change their
>> login name.
>>
>
> The password does not need to be reset. You could require that they
> provide the password again (even though they are already
> authenticated) on the same form with the new username. Then you can do
> the same encrypt/compare that you do for authentication, and if it
> matches you just update the username and the hash at the same time.
>
> Andrew
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>



-- 
Martin Scotta

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
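Editor's note: the query at the top of this message splices $username and $password straight into the SQL string, so a username containing a single quote (for example  ' OR 1=1 --  ) rewrites the query instead of being compared as data. The same MD5(CONCAT(username, '@', password)) scheme works unchanged with bound parameters, which is what the following added example shows; it also implements the rename flow Andrew describes (re-verify the password, then update username and hash in one statement). This is added example code, not code from anyone in the thread. The table name `users`, its `username`/`passwd` columns, and the DSN and credentials are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `users`
// with columns `username` and `passwd`, where passwd stores
// MD5(CONCAT(username, '@', password)) as in Martin's scheme.
// DSN and credentials below are hypothetical placeholders.

function connect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares: the driver never splices values into SQL.
    // With emulation off, each named placeholder may be bound only once,
    // hence :u and :u2 below for the same username.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Same check as the string-built query, but username and password travel
// as bound parameters, so a value like  ' OR 1=1 --  is compared as a
// literal string and never becomes part of the statement.
function authenticate(PDO $pdo, string $username, string $password): bool
{
    $sql = 'SELECT 1 FROM users
             WHERE username = :u
               AND passwd = MD5(CONCAT(:u2, \'@\', :p))';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':u' => $username, ':u2' => $username, ':p' => $password]);
    return $stmt->fetchColumn() !== false;
}

// Andrew's rename flow: the form asks for the password again, we verify it
// exactly as at login, then change the username and recompute the hash in
// a single UPDATE so the two can never get out of step. The hash must be
// recomputed because the username is one of its inputs.
function changeUsername(PDO $pdo, string $old, string $new, string $password): bool
{
    if (!authenticate($pdo, $old, $password)) {
        return false; // wrong password, or no such user
    }
    $stmt = $pdo->prepare(
        'UPDATE users
            SET username = :new,
                passwd   = MD5(CONCAT(:new2, \'@\', :p))
          WHERE username = :old'
    );
    $stmt->execute([':new' => $new, ':new2' => $new, ':p' => $password, ':old' => $old]);
    return $stmt->rowCount() === 1;
}

// Usage (against the hypothetical database above):
// $pdo = connect();
// var_dump(authenticate($pdo, 'alice', 'correct horse'));          // bool(true) for a valid pair
// var_dump(changeUsername($pdo, 'alice', 'alice2', 'correct horse'));
```

MD5 is kept here only because it is the scheme under discussion; a fast general-purpose digest is a poor password hash regardless of salting, and a practitioner today would store password_hash() output (which carries its own random per-user salt) and check it with password_verify(), at which point the username no longer needs to be part of the hash input and a rename needs no re-hash at all.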
