The problem he is addressing is that the password is sent plaintext to the
server before it ever gets to MySQL.

I would suggest using a JavaScript program like this
http://pajhome.org.uk/crypt/md5/md5src.html

and then using the PHP md5 function on the server side and comparing the two
results.
That way the only thing that ever gets transmitted is an md5 hash  =P

Sheridan

----- Original Message -----
From: Jeff Bearer <[EMAIL PROTECTED]>
To: Tom Malone <[EMAIL PROTECTED]>
Cc: PHP Users <[EMAIL PROTECTED]>
Sent: Thursday, July 19, 2001 12:17 PM
Subject: Re: [PHP] encryption


> I'd use the password function in mysql to store encrypted passwords. I'd
> be interested to hear if anyone has a reason that doing this is not a good
> idea.
>
>
>
> On Thu, Jul 19, 2001 at 12:52:55PM -0400, Tom Malone wrote:
> > Hello!
> >
> > I have a small problem. On my website there is some information I would
> > like to protect. Right now I am using .htaccess to password-protect the
> > directory, but I was thinking about using php and a form with
> > usernames/passwords in a MySQL database. Thankfully, I read the
> > following in the manual right before I was about to use the crypt()
> > function to encrypt my password and compare it to the encrypted hash in
> > the DB:
> >
> > "It seems that a lot of people don't understand the point of using
> > one-way encryption. More importantly, a lot of web designers forget that
> > PHP encryption is done entirely on the web server, not the client.
> >
> > Point being, if your form has a password input option and the user
> > clicks SUBMIT, the password is then sent _as plain text_ over the
> > Internet to the web server where it is then encrypted for comparison
> > against a password database.
> >
> > Do _not_ use these types of functions to add security to a form unless
> > you're using an SSL or TLS (etc.) encrypted session. The only potential
> > way around this issue is for you to write a JavaScript program that does
> > the hashing on the client side before being sent over the Internet
> > (which would make this function unnecessary)."
> >
> > I am pretty new to PHP and absolutely clueless as far as
> > encryption/algorithms are concerned. Could anyone possibly point me to
> > a viable solution for this problem?
> >
> > Thanks in advance!
> >
> > Tom Malone
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
> --
> Jeff Bearer, RHCE
> Webmaster
> PittsburghLIVE.com
>

