----- Original Message -----
From: "sivsenxml_3969"
Hi all,
I have a problem with encryption and decryption. I have created a database for
user registration using MySQL. In it I get the password from
the registration form, encrypt it using the password() function in
MySQL and store the value in the database. Then I retrieve the
password from the database and want to decrypt it.
Please send me suggestions to solve this problem.
Thanks
Nathan
----------------------------
Hi Nathan,
The normal practice is to encrypt the password before it is
stored in the database, and when someone is trying to authorise against it
you encrypt their password and compare it to what is in the database.
If you can decrypt the password in the database then anyone else can too, so
there would be no point in encrypting it.
The MySQL function password() and the PHP function md5() are not intended
to be reversed, and it will take an average PC weeks to do the number
crunching to reverse them.
The algorithm for the MySQL function password() has changed in the past,
leaving developers with the headache of compatibility issues for older
encrypted passwords. I always use the PHP function md5() instead, as its
algorithm is specified and cannot change.
Reversible encryption requires public and private keys, and the whole
security of the system relies on the security of the private key. Your server
most likely has this feature installed, as this is used for SSL/HTTPS secure
server encrypted pages.
If you are using HTTP (not SSL/HTTPS) then a hash of a private string and
the password is as good as you can get, i.e.:
$secretkey = "ïj3dwouhe9848";
$databasepassword = md5($secretkey . $password);
If you are storing things like credit card details then you really should be
using SSL/HTTPS, and the situation becomes more complex. In this situation I
use more Apache directives, as they are more secure and tested than scripts one
would write. I also split the index and password onto different servers and
have the Apache on one server set so that it will only respond to the IP
address of the first server. This does slightly slow a page load when
authenticating, but thereafter a session variable can hold the result.
If you need more information then please give us a good idea of the security
required for the data so that we can focus on a response that is suitable to
your needs.
Thank you, Rob M.
PS: The $secretkey above should be at least 13 characters due to the md5
algorithm.
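
The store-then-compare flow described in the reply above (hash the password at registration, hash the submitted password again at login, compare the two stored values), as an added worked example that is not from either message in this thread. It is written in Python rather than the thread's PHP/MySQL so that it runs stand-alone; the users table is a constructed in-memory dict. legacy_hash() reproduces the md5($secretkey . $password) construction posted above with the same secret string; store_password() and verify_password() are this editor's addition and use a per-user random salt with PBKDF2 (hashlib.pbkdf2_hmac) and a constant-time comparison. The iteration count and the user names are assumed values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the MySQL users table: username -> stored record.
# A real application would keep these columns in the database instead.
USERS = {}

# The application-wide secret string from the thread (assumed to be used as-is).
SECRET_KEY = "ïj3dwouhe9848"

# Work factor for PBKDF2; an assumed value, tune it to your hardware.
PBKDF2_ITERATIONS = 100_000


def legacy_hash(password: str, secret: str = SECRET_KEY) -> str:
    """The thread's construction: md5(secret . password), one fixed secret for all users.

    The same password always produces the same stored value, so two users who
    chose the same password are visibly identical in the table.
    """
    return hashlib.md5((secret + password).encode("utf-8")).hexdigest()


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: a slow, salted one-way function suitable for passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_password(username: str, password: str) -> dict:
    """Registration: never store the password itself, only salt + derived hash."""
    salt = os.urandom(16)  # fresh random salt per user
    record = {"salt": salt.hex(), "hash": _derive(password, salt).hex()}
    USERS[username] = record
    return record


def verify_password(username: str, password: str) -> bool:
    """Login: re-derive from the submitted password and compare to the stored hash.

    Nothing is ever decrypted; the stored value cannot be turned back into
    the password, which is exactly why it is safe to keep in the database.
    """
    record = USERS.get(username)
    if record is None:
        return False  # unknown user; same outcome as a wrong password
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt).hex()
    # compare_digest avoids leaking how many leading characters matched via timing.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed demo: two users register with the same password.
    store_password("alice", "hunter2")
    store_password("bob", "hunter2")
    print("legacy alice:", legacy_hash("hunter2"))
    print("legacy bob:  ", legacy_hash("hunter2"))  # identical to alice
    print("salted alice:", USERS["alice"]["hash"])
    print("salted bob:  ", USERS["bob"]["hash"])    # differs from alice
    print("alice/hunter2 ->", verify_password("alice", "hunter2"))
    print("alice/Hunter2 ->", verify_password("alice", "Hunter2"))
```

Run it directly to see the contrast: the fixed-secret md5 gives both users the same stored string, while the per-user salt gives different strings for the same password, and verification still works because the salt is stored next to the hash. At no point does either scheme need to recover the original password, which is the answer to the original question.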