RE: [PHP-DB] Passwords

2006-03-12 Thread JeRRy
  snip
   


Sure, mysql.com and search for crypt. Not sure why this is asked on a
PHP list since it has nothing to do with PHP.

b) every language has a crypt function

Then I guess it's okay to have crypt questions/answers on every language
list.

/snip

quote

Then I guess it's okay to have crypt questions/answers on every language
list.

/quote

Only if your crypt question relates to this board, PHP and DB.  So no, not any
crypt question can be answered here.  And being a smart ass won't buy you
any favours either, or respect or anything.

J


Re: [PHP-DB] Passwords

2006-03-10 Thread Dusty Bin
Kosala Atapattu wrote:
 Hi Ben,
 
 I have created a user login/registration page.  As of now I 
 am using a MySQL database to store the info of the user.  To 
 validate the user I also have the password stored in the same 
 DB.  I was wondering if there is a way that I can store the 
 password in the DB so that it is encrypted or something.  
 Just so it is not in plain text.
 
 You can use, 
 
 SQL Insert into users_table(user_name, pass_word) values ('your_name',
 PASSWORD('your_pass'));
 
 And crypted password will be saved in the DB
 
 To verify password you can use something like...
 
 SQL select * from users_table where user_name = 'your_name' and
 pass_word = PASSWORD('your_pass');
 
 If the select query is not empty then user credentials are matching.
 
 As others have suggested PHP crypt functions are useful when you want to
 encrypt data within the DB like credit card details, Company Executives
 Salary and stuff like that. For password encryption the best is MySQL
 inbuilt encryption. MD5 is another I use with PHP, which is not really
 necessary.
 
 Kosala
 
 www.linux.lk/~kosala/
One thing to remember, is that the password function is MySQL's way of
storing passwords for MySQL use, and that may change from one release of
MySQL to another.  This happened very recently.  If you want to store
application passwords, it is better to use a hash, and be independent of
MySQL changes.  I use sha1 as I believe it *may* be stronger than MD5(I
am not a cryptographer), so I store my password as:
$passwordToBeStored = sha1($password);
and check the password as:
If(sha1($password) == $storedPassword) {
...
}
HTH... Dusty

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] Passwords

2006-03-10 Thread Michael Crute
On 3/10/06, Dusty Bin [EMAIL PROTECTED] wrote:
 One thing to remember, is that the password function is MySQL's way of
 storing passwords for MySQL use, and that may change from one release of
 MySQL to another.  This happened very recently.  If you want to store
 application passwords, it is better to use a hash, and be independent of
 MySQL changes.  I use sha1 as I believe it *may* be stronger than MD5(I
 am not a cryptographer), so I store my password as:
$passwordToBeStored = sha1($password);
 and check the password as:
If(sha1($password) == $storedPassword) {
...
}
 HTH... Dusty

Just a note, I would never compare passwords like that, you should put
sha1($password) in your SQL string as a condition and check to see if
any rows were returned.

-Mike

--

Michael E. Crute
http://mike.crute.org

It is a mistake to think you can solve any major problems just with potatoes.
--Douglas Adams




RE: [PHP-DB] Passwords

2006-03-10 Thread Dwight Altman
Sure, mysql.com and search for crypt. Not sure why this is asked on a 
PHP list since it has nothing to do with PHP.

 b) every language has a crypt function

Then I guess it's okay to have crypt questions/answers on every language
list.

-Original Message-
From: JupiterHost.Net [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 09, 2006 7:07 PM
To: php-db@lists.php.net
Subject: Re: [PHP-DB] Passwords



Bastien Koert wrote:

 Not PHP?

Correct, not PHP. Most DB engines have built-in encryption functions for 
use in their INSERT (IE store the password in the DB so that it is 
encrypted) and SELECT (for verifying it with the same function you used 
in INSERT)

 http://us3.php.net/crypt


yes Not PHP:

  a) crypt() has nothing to do with a query
  b) every language has a crypt function

The question has more to do with a general idea of how to accomplish a 
task, the most suitable answer is to be had in their DB 
documentation, since data should be independent of the language handling 
it (whether it's a real language like C or Perl or a wanna be duct taped 
hack like PHP - no need for flames, I won't listen or care ;p)

-- 




Re: [PHP-DB] Passwords

2006-03-10 Thread Micah Stevens
On Friday 10 March 2006 7:09 am, Michael Crute wrote:
 On 3/10/06, Dusty Bin [EMAIL PROTECTED] wrote:
  One thing to remember, is that the password function is MySQL's way of
  storing passwords for MySQL use, and that may change from one release of
  MySQL to another.  This happened very recently.  If you want to store
  application passwords, it is better to use a hash, and be independent of
  MySQL changes.  I use sha1 as I believe it *may* be stronger than MD5(I
  am not a cryptographer), so I store my password as:
 $passwordToBeStored = sha1($password);
  and check the password as:
 If(sha1($password) == $storedPassword) {
 ...
 }
  HTH... Dusty

 Just a note, I would never compare passwords like that, you should put
 sha1($password) in your SQL string as a condition and check to see if
 any rows were returned.

 -Mike

It doesn't matter if you have an SSL link to the database. :) 




Re: [PHP-DB] Passwords

2006-03-10 Thread Michael Crute
On 3/10/06, Micah Stevens [EMAIL PROTECTED] wrote:
 On Friday 10 March 2006 7:09 am, Michael Crute wrote:
  On 3/10/06, Dusty Bin [EMAIL PROTECTED] wrote:
   One thing to remember, is that the password function is MySQL's way of
   storing passwords for MySQL use, and that may change from one release of
   MySQL to another.  This happened very recently.  If you want to store
   application passwords, it is better to use a hash, and be independent of
   MySQL changes.  I use sha1 as I believe it *may* be stronger than MD5(I
   am not a cryptographer), so I store my password as:
  $passwordToBeStored = sha1($password);
   and check the password as:
  If(sha1($password) == $storedPassword) {
  ...
  }
   HTH... Dusty
 
  Just a note, I would never compare passwords like that, you should put
  sha1($password) in your SQL string as a condition and check to see if
  any rows were returned.
 
  -Mike

 It doesn't matter if you have an SSL link to the database. :)

Indeed, but why bother with transferring and loading a resultset if you
have no need for it?

-Mike

--

Michael E. Crute
http://mike.crute.org

It is a mistake to think you can solve any major problems just with potatoes.
--Douglas Adams




Re: [PHP-DB] Passwords

2006-03-10 Thread JupiterHost.Net



Dwight Altman wrote:
Sure, mysql.com and search for crypt. Not sure why this is asked on a 
PHP list since it has nothing to do with PHP.




b) every language has a crypt function



Then I guess it's okay to have crypt questions/answers on every language
list.


Sure whatever, it's just this list is specifically about PHP and DB use 
so PHP's crypt() is pretty much the lamest recommendation since most DB 
engines have lots of good encryption and you can use it in your queries.


So then they need to look in their DB's documentation for what their 
type/version offer. At that point it has 100% nothing to do with PHP :)


If they just want to crypt() some string for an /etc/passwd type system 
then they need to post to a PHP basics list not a DB specific one.


Not really a big deal but why have specific lists if they aren't kept 
specific :)





Re: [PHP-DB] Passwords

2006-03-09 Thread JupiterHost.Net



Benjamin Stambaugh wrote:

Hi,

I have created a user login/registration page.  As of now I am using a 
MySQL database to store the info of the user.  To validate the user I 
also have the password stored in the same DB.  I was wondering if there 
is a way that I can store the password in the DB so that it is encrypted 
or something.  Just so it is not in plain text.


Sure, mysql.com and search for crypt. Not sure why this is asked on a 
PHP list since it has nothing to do with PHP.





Re: [PHP-DB] Passwords

2006-03-09 Thread Bastien Koert

Not PHP?

http://us3.php.net/crypt

Bastien



From: JupiterHost.Net [EMAIL PROTECTED]
To: php-db@lists.php.net php-db@lists.php.net
Subject: Re: [PHP-DB] Passwords
Date: Thu, 09 Mar 2006 07:23:07 -0600



Benjamin Stambaugh wrote:

Hi,

I have created a user login/registration page.  As of now I am using a 
MySQL database to store the info of the user.  To validate the user I also 
have the password stored in the same DB.  I was wondering if there is a 
way that I can store the password in the DB so that it is encrypted or 
something.  Just so it is not in plain text.


Sure, mysql.com and search for crypt. Not sure why this is asked on a PHP 
list since it has nothing to do with PHP.





Re: [PHP-DB] Passwords

2006-03-09 Thread Bastien Koert

Merely commenting that it's not only DBs that can do the encrypting.

Bastien



From: JupiterHost.Net [EMAIL PROTECTED]
To: php-db@lists.php.net
Subject: Re: [PHP-DB] Passwords
Date: Thu, 09 Mar 2006 19:07:11 -0600



Bastien Koert wrote:


Not PHP?


Correct, not PHP. Most DB engines have built-in encryption functions for use 
in their INSERT (IE store the password in the DB so that it is encrypted) 
and SELECT (for verifying it with the same function you used in INSERT)



http://us3.php.net/crypt



yes Not PHP:

 a) crypt() has nothing to do with a query
 b) every language has a crypt function

The question has more to do with a general idea of how to accomplish a 
task, the most suitable answer is to be had in their DB documentation, 
since data should be independent of the language handling it (whether it's a 
real language like C or Perl or a wanna be duct taped hack like PHP - no 
need for flames, I won't listen or care ;p)





RE: [PHP-DB] Passwords

2006-03-09 Thread Kosala Atapattu
Hi Ben,

 I have created a user login/registration page.  As of now I 
 am using a MySQL database to store the info of the user.  To 
 validate the user I also have the password stored in the same 
 DB.  I was wondering if there is a way that I can store the 
 password in the DB so that it is encrypted or something.  
 Just so it is not in plain text.

You can use, 

SQL Insert into users_table(user_name, pass_word) values ('your_name',
PASSWORD('your_pass'));

And crypted password will be saved in the DB

To verify password you can use something like...

SQL select * from users_table where user_name = 'your_name' and
pass_word = PASSWORD('your_pass');

If the select query is not empty then user credentials are matching.

As others have suggested PHP crypt functions are useful when you want to
encrypt data within the DB like credit card details, Company Executives
Salary and stuff like that. For password encryption the best is MySQL
inbuilt encryption. MD5 is another I use with PHP, which is not really
necessary.

Kosala

www.linux.lk/~kosala/


Re: [PHP-DB] Passwords

2006-03-08 Thread Larry E. Ullman
I have created a user login/registration page.  As of now I am  
using a MySQL database to store the info of the user.  To validate  
the user I also have the password stored in the same DB.  I was  
wondering if there is a way that I can store the password in the DB  
so that it is encrypted or something.  Just so it is not in plain  
text.


Of course. Check out any of MySQL's encryption functions. Make sure  
that you use the same function and parameters for both the  
registration and the login or else the login will never work.


Larry




RE: [PHP-DB] Passwords

2006-03-08 Thread Bastien Koert

I tend to use a hash value (like MD5) to one way encrypt it...

If you combine it with a salt value (some random string that is consistent 
in the app) then it is reasonably secure from being hacked...ex.


$salt = '1234567890';

$pass = md5($salt.$_POST['password']);


bastien


From: Benjamin Stambaugh [EMAIL PROTECTED]
To: php-db@lists.php.net php-db@lists.php.net
Subject: [PHP-DB] Passwords
Date: Wed, 08 Mar 2006 18:34:25 -0500

Hi,

I have created a user login/registration page.  As of now I am using a 
MySQL database to store the info of the user.  To validate the user I also 
have the password stored in the same DB.  I was wondering if there is a way 
that I can store the password in the DB so that it is encrypted or 
something.  Just so it is not in plain text.


Ben
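
Added example, not part of the original thread: the sha1($password) scheme from Dusty Bin's message and the md5($salt . $password) scheme above both produce fast digests with no per-user salt, and the == comparison is loose. This sketch verifies such legacy values and upgrades them to password_hash() on a successful login. It assumes PHP 7.1+ and that the stored value is fetched by user name and checked in PHP, since a randomly salted hash cannot be matched in a WHERE clause; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+.
const LEGACY_SALT = '1234567890'; // the app-wide salt from the md5 example above

// New hashes: random per-password salt and a work factor, both encoded
// in the returned string.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Recompute a legacy digest for comparison, or null if $stored is not one.
function legacyDigest(string $password, string $stored): ?string
{
    if (preg_match('/^[0-9a-f]{40}$/', $stored)) {
        return sha1($password);                 // unsalted sha1 rows
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return md5(LEGACY_SALT . $password);    // md5 + fixed salt rows
    }
    return null;
}

// Returns [ok, newHash]; when newHash is not null, UPDATE the stored value.
function verifyPassword(string $password, string $stored): array
{
    $legacy = legacyDigest($password, $stored);
    if ($legacy !== null) {
        // hash_equals() compares in constant time and, unlike ==, never
        // treats two "0e<digits>" digests as equal numbers.
        return hash_equals($stored, $legacy)
            ? [true, hashPassword($password)]
            : [false, null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $stale ? hashPassword($password) : null];
}

// Constructed sample rows, as they would come back from a lookup by user_name.
foreach ([sha1('s3cret'), md5(LEGACY_SALT . 's3cret')] as $row) {
    [$ok, $new] = verifyPassword('s3cret', $row);
    var_dump($ok, password_verify('s3cret', $new));
    var_dump(verifyPassword('wrong', $new)[0]);
}
```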




Re: [PHP-DB] Passwords in MySQL for a PHP site

2004-10-03 Thread John Holmes
Dylan Barber wrote:
I am building a security script and am wondering what should I do to enable
a user to recover his/her password if they forget it.  I currently use
PASSWORD() when inserting the password into the database so I don't know how
to send them an unhashed string.
Can someone direct me to an example or give me a few ideas!
Quote from MySQL manual: Note: The PASSWORD() function is used by the 
authentication system in MySQL Server, you should not use it in your own 
applications. For that purpose, use MD5() or SHA1() instead. Also see 
RFC 2195 for more information about handling passwords and 
authentication securely in your application.

Your application should reset the password to some random value for the 
user rather than giving them their original back and force them to 
change it the next time they log on.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com
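
The reset flow described above (set a random value, force a change at the next login), as an added example that is not part of the original message. It assumes PHP 7.0+; the column names pass_hash, must_change and temp_expires and both function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Column names are hypothetical.

// Build the reset: a random temporary password plus the row values to store.
function issueTemporaryPassword(int $now, int $ttl = 3600): array
{
    // 12 random bytes -> 16 URL-safe characters from the OS CSPRNG.
    $temp = strtr(base64_encode(random_bytes(12)), '+/', '-_');
    return [
        'send_to_user' => $temp,           // delivered once, never stored
        'row' => [
            'pass_hash'    => password_hash($temp, PASSWORD_DEFAULT),
            'must_change'  => 1,           // forces a change at next login
            'temp_expires' => $now + $ttl, // unused temp passwords lapse
        ],
    ];
}

// Decide what a login attempt against $row is allowed to do.
function loginState(array $row, string $password, int $now): string
{
    if (!password_verify($password, $row['pass_hash'])) {
        return 'denied';
    }
    if ($row['must_change']) {
        return $now > $row['temp_expires'] ? 'expired' : 'change_required';
    }
    return 'ok';
}

// Constructed walk-through.
$now   = time();
$reset = issueTemporaryPassword($now);
echo loginState($reset['row'], $reset['send_to_user'], $now), "\n";
echo loginState($reset['row'], $reset['send_to_user'], $now + 7200), "\n";
echo loginState($reset['row'], 'guess', $now), "\n";
```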


RE: [PHP-DB] Passwords in MySQL for a PHP site

2004-10-03 Thread Dylan Barber
Yeah I read that after I had posted this

-Original Message-
From: John Holmes [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 03, 2004 7:04 AM
To: Dylan Barber
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Passwords in MySQL for a PHP site

Dylan Barber wrote:
 I am building a security script and am wondering what should I do to
enable
 a user to recover his/her password if they forget it.  I currently use
 PASSWORD() when inserting the password into the database so I don't know
how
 to send them an unhashed string.
 
 Can someone direct me to an example or give me a few ideas!

Quote from MySQL manual: Note: The PASSWORD() function is used by the 
authentication system in MySQL Server, you should not use it in your own 
applications. For that purpose, use MD5() or SHA1() instead. Also see 
RFC 2195 for more information about handling passwords and 
authentication securely in your application.

Your application should reset the password to some random value for the 
user rather than giving them their original back and force them to 
change it the next time they log on.

-- 

---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals - www.phparch.com




Re: [PHP-DB] Passwords

2002-04-23 Thread Achilles Maroulis

Thanx guys!!

