I'd use the password function in MySQL to store encrypted passwords. I'd be
interested to hear if anyone has a reason that doing this is not a good idea.
On Thu, Jul 19, 2001 at 12:52:55PM -0400, Tom Malone wrote:
> Hello!
>
> I have a small problem. On my website there is some information I would like
> to protect. Right now I am using .htaccess to password-protect the
> directory, but I was thinking about using php and a form with
> usernames/passwords in a MySQL database. Thankfully, I read the following in
> the manual right before I was about to use the crypt() function to encrypt
> my password and compare it to the encrypted hash in the DB:
>
> "It seems that a lot of people don't understand the point of using one-way
> encryption. More importantly, a lot of web designers forget that PHP
> encryption is done entirely on the web server, not the client.
>
> Point being, if your form has a password input option and the user clicks
> SUBMIT, the password is then sent _as plain text_ over the Internet to the
> web server where it is then encrypted for comparison against a password
> database.
>
> Do _not_ use these types of functions to add security to a form unless
> you're using an SSL or TLS (etc.) encrypted session. The only potential way
> around this issue is for you to write a JavaScript program that does the
> hashing on the client side before being sent over the Internet (which would
> make this function unnecessary)."
>
> I am pretty new to PHP and absolutely clueless as far as
> encryption/algorithms are concerned. Could anyone possibly point me to a
> viable solution for this problem?
>
> Thanks in advance!
>
> Tom Malone
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
Jeff Bearer, RHCE
Webmaster
PittsburghLIVE.com
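
An added example, not part of the original messages: a PHP login check that follows the quoted manual note by refusing credentials that did not arrive over SSL/TLS, and that stores a salted one-way hash. It uses PHP's password_hash()/password_verify() (PHP 5.5+) rather than crypt() or MySQL's password function; the `users` table, its columns, the helper names and the in-memory SQLite database standing in for MySQL are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example. Table/column names and helper names are hypothetical.

/** True when the request reached PHP over TLS (assumes no TLS-terminating proxy in front). */
function request_is_tls(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

/** Store a salted one-way hash; the plain password is never written to the DB. */
function create_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // random salt is embedded in the result
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

/** Compare a submitted password with the stored hash, only for TLS requests. */
function check_login(PDO $db, array $server, string $username, string $password): bool
{
    // Hashing happens on the server, so the form field crosses the network as
    // typed. Refusing plain-HTTP submissions keeps the site from accepting
    // logins that way; the form page itself must also be served over HTTPS.
    if (!request_is_tls($server)) {
        return false;
    }
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when the user does not exist

    return is_string($hash) && password_verify($password, $hash);
}

// Constructed demo data: in-memory SQLite so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
create_user($db, 'tom', 'constructed-sample-password');

// In a real handler the second argument is $_SERVER and the rest come from $_POST.
var_dump(check_login($db, ['HTTPS' => 'on'], 'tom', 'constructed-sample-password'));
var_dump(check_login($db, ['HTTPS' => 'on'], 'tom', 'wrong-password'));
var_dump(check_login($db, [], 'tom', 'constructed-sample-password')); // plain HTTP
```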