Re: [PHP] MySQL Password Function
On Thu, 6 Nov 2003 09:09:57 -0500, you wrote:

>True, true. I actually use MD5() for the same reason, but, really, if
>someone has access to the database to read the hashes, odds are they have
>access to the rest of the database and your code. So what are you protecting
>really?

Many people use the same password over multiple sites.

A database/OS bug could expose the user table without exposing the rest of the machine.

If you have the plaintext password you can impersonate the user and modify data.

I would be /very/ uncomfortable if I found that a site I use for anything meaningful stored passwords as plaintext. If nothing else, it's a litmus test of how seriously they take security.

(agree about using md5() (sha1() is even better) not password(), though - nobody should be using password(), as the manual points out: http://www.mysql.com/doc/en/Miscellaneous_functions.html)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] MySQL Password Function
Shaun wrote:

> "John Nichel" <[EMAIL PROTECTED]> wrote in message
>
> > Not that this would make your site more secure (well, I guess it would
> > be more secure than plain text), but just use it in your query
> >
> > INSERT INTO someDB.someTable ( username, password ) VALUES (
> > '{$username}', PASSWORD('{$password}') );
> >
> > --
> > By-Tor.com
> > It's all about the Rush
> > http://www.by-tor.com
>
> Thank you for your replies, can I just confirm that the user uses the
> encrypted version of the password or the originally inserted version to
> login?
>
> Thanks for your help

Yes, you can. But by the time it has reached the MySQL server, it has passed from the client to your server via plain text, and to my understanding (I may be wrong here), MySQL's built-in password function isn't all that secure. For better security, I would suggest a combination of https and md5, or write a custom encryption function.

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com

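The login question asked in this exchange, worked through as an added example (not code from the thread): the user always submits the original password, and the application compares it against the stored hash. It hashes in PHP as the replies suggest, but swaps md5()/sha1() for PHP's salted password_hash()/password_verify(); the in-memory SQLite database, table, column and account names are assumptions so that it runs without a MySQL server.

```php
<?php
// Added example, not code from the thread. Table and column names are assumptions.
// An in-memory SQLite database (via PDO) stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register(PDO $pdo, string $username, string $password): void
{
    // Hash in PHP so the plaintext never appears in SQL text or query logs.
    // password_hash() picks a random salt and embeds it in the returned string.
    $stmt = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function storedHash(PDO $pdo, string $username): ?string
{
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

function login(PDO $pdo, string $username, string $password): bool
{
    $hash = storedHash($pdo, $username);
    // The submitted value is always treated as the original password and is
    // re-hashed with the stored salt; a copied hash does not log anyone in.
    return $hash !== null && password_verify($password, $hash);
}

// Constructed sample accounts: two users who chose the same password.
register($pdo, 'alice', 'correct horse battery');
register($pdo, 'bob', 'correct horse battery');

$checks = [
    'original password accepted'       => login($pdo, 'alice', 'correct horse battery'),
    'wrong password accepted'          => login($pdo, 'alice', 'wrong guess'),
    'stored hash accepted as password' => login($pdo, 'alice', storedHash($pdo, 'alice')),
    'unknown user accepted'            => login($pdo, 'carol', 'correct horse battery'),
    'same password gives same hash'    => storedHash($pdo, 'alice') === storedHash($pdo, 'bob'),
];
foreach ($checks as $label => $result) {
    printf("%-34s %s\n", $label, $result ? 'yes' : 'no');
}
```

Because each hash carries its own salt, a leaked users table does not reveal which accounts share a password, which is the reuse concern raised elsewhere in the thread.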
Re: [PHP] MySQL Password Function
"John Nichel" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Shaun wrote:
>
> > Hi,
> >
> > I am trying to make my site more secure, can anyone suggest a tutorial on
> > using the mySQL password function with PHP. I can't find anything through
> > google...
> >
> > Thanks for your help
> >
>
> Not that this would make your site more secure (well, I guess it would
> be more secure than plain text), but just use it in your query
>
> INSERT INTO someDB.someTable ( username, password ) VALUES (
> '{$username}', PASSWORD('{$password}') );
>
> --
> By-Tor.com
> It's all about the Rush
> http://www.by-tor.com

Thank you for your replies, can I just confirm that the user uses the encrypted version of the password or the originally inserted version to login?

Thanks for your help

Re: [PHP] MySQL Password Function
Shaun wrote:

> Hi,
>
> I am trying to make my site more secure, can anyone suggest a tutorial on
> using the mySQL password function with PHP. I can't find anything through
> google...
>
> Thanks for your help

Not that this would make your site more secure (well, I guess it would be more secure than plain text), but just use it in your query

INSERT INTO someDB.someTable ( username, password ) VALUES ( '{$username}', PASSWORD('{$password}') );

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com

Re: [PHP] MySQL Password Function
From: "Raditha Dissanayake" <[EMAIL PROTECTED]>

> >Oh, and this will do almost NOTHING to make your site more secure. Why do
> >you think it will?
>
> You are partly right about this we had a nice flame war about this very
> issue couple of weeks ago on the jabber lists. Anyone interested in the
> nitty gritty can google on the jabber archives. I still use the
> password() function whenever I can cause I only have to type in about 10
> keystrokes anyhow, the reason is that it will keep other users of the
> database from accidentally seeing passwords that they shouldn't. Since
> this is one way hashes it cannot be decoded. Almost any argument that
> applies for/against /etc/password would apply to mysql password() as well.

True, true. I actually use MD5() for the same reason, but, really, if someone has access to the database to read the hashes, odds are they have access to the rest of the database and your code. So what are you protecting really?

In my eyes, it's just another tool to keep honest people honest...

---John Holmes...

Re: [PHP] MySQL Password Function
Hi,

> Oh, and this will do almost NOTHING to make your site more secure. Why do
> you think it will?
>
> ---John Holmes...

You are partly right about this we had a nice flame war about this very issue couple of weeks ago on the jabber lists. Anyone interested in the nitty gritty can google on the jabber archives. I still use the password() function whenever I can cause I only have to type in about 10 keystrokes anyhow, the reason is that it will keep other users of the database from accidentally seeing passwords that they shouldn't. Since this is one way hashes it cannot be decoded. Almost any argument that applies for/against /etc/password would apply to mysql password() as well.

--
Raditha Dissanayake.
http://www.radinks.com/sftp/          | http://www.raditha/megaupload/
Lean and mean Secure FTP applet with  | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.

Re: [PHP] MySQL Password Function
From: "Raditha Dissanayake" <[EMAIL PROTECTED]>

> From: "Shaun"
> >I am trying to make my site more secure, can anyone suggest a tutorial on
> >using the mySQL password function with PHP. I can't find anything through
> >google...
>
> it's very simple instead of using
> insert into users set userPassword='123'; you say
> insert into users set userPassword=password('123');

And the column type should be CHAR(16) or VARCHAR(16), as the result of PASSWORD() is always 16 characters.

Oh, and this will do almost NOTHING to make your site more secure. Why do you think it will?

---John Holmes...

Re: [PHP] MySQL Password Function
Hi,

it's very simple instead of using

insert into users set userPassword='123';

you say

insert into users set userPassword=password('123');

Shaun wrote:

> Hi,
>
> I am trying to make my site more secure, can anyone suggest a tutorial on
> using the mySQL password function with PHP. I can't find anything through
> google...
>
> Thanks for your help

--
Raditha Dissanayake.
http://www.radinks.com/sftp/          | http://www.raditha/megaupload/
Lean and mean Secure FTP applet with  | Mega Upload - PHP file uploader
Graphical User Interface. Just 150 KB | with progress bar.

[PHP] MySQL Password Function
Hi,

I am trying to make my site more secure, can anyone suggest a tutorial on using the mySQL password function with PHP. I can't find anything through google...

Thanks for your help

RE: [PHP] mysql password function
Use this:

$result = mysql_query("SELECT PASSWORD('" . mysql_real_escape_string($_POST['password']) . "')");
$password = mysql_result($result,0);

or just use mysql_fetch_row() or AS in your query so you don't have to recreate that complex column name.

---John Holmes...

> -----Original Message-----
> From: Murat Ö. [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, September 22, 2002 9:33 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] mysql password function
>
> hi,
> i want to encode a string that users enter with mysql password function.
> but
> sometimes this code works sometimes don't. mysql warns me:
> Warning: mysql_fetch_array(): supplied argument is not a valid MySQL
> result
> resource in
>
> the code is:
>
> $result=mysql_query("select password(".$_POST['password'].")");
> while ($p = mysql_fetch_array($result, MYSQL_ASSOC)):
> $pswrd=$p['password('.$_POST['password'].')'];
> endwhile;
>
> thanks...

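Why the query in the question works only sometimes, as an added example (not code from the thread): a value concatenated into SQL without quotes parses as a number when it is all digits and as a column name or a syntax error otherwise, while a bound parameter always arrives as data. SQLite (in-memory, via PDO) and upper() are assumed stand-ins for MySQL and PASSWORD() so the script runs without a server.

```php
<?php
// Added example, not code from the thread. SQLite and upper() stand in for
// MySQL and PASSWORD(); the failure mode (unquoted concatenation) is the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Same shape as the query in the question: the value is pasted in unquoted.
function concatenated(PDO $pdo, string $input): string
{
    try {
        return (string) $pdo->query('SELECT upper(' . $input . ')')->fetchColumn();
    } catch (PDOException $e) {
        // With the old mysql_* API this is where mysql_query() returned false
        // and the later fetch call warned about an invalid result resource.
        return 'ERROR: ' . $e->getMessage();
    }
}

// Bound parameter: the value is sent separately and never parsed as SQL.
// The AS alias gives the column a fixed name to fetch by.
function bound(PDO $pdo, string $input): string
{
    $stmt = $pdo->prepare('SELECT upper(?) AS hashed');
    $stmt->execute([$input]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return (string) $row['hashed'];
}

// Constructed sample inputs: digits only, a plain word, a word with a quote.
foreach (['12345', 'secret', "it's"] as $input) {
    printf("%-8s concatenated: %s\n", $input, concatenated($pdo, $input));
    printf("%-8s bound:        %s\n", $input, bound($pdo, $input));
}
```

Only the all-digit input survives concatenation, which matches the "sometimes works" symptom reported in the question.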
[PHP] mysql password function
hi,

i want to encode a string that users enter with mysql password function. but sometimes this code works, sometimes it doesn't. mysql warns me:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in

the code is:

$result=mysql_query("select password(".$_POST['password'].")");
while ($p = mysql_fetch_array($result, MYSQL_ASSOC)):
    $pswrd=$p['password('.$_POST['password'].')'];
endwhile;

thanks...