(second try, I had some magic words in this that set off the spam filter...)

Just as a general security note, make sure that you are not logging these SQL 
commands somewhere...  If you have entries like:

         INSERT INTO my_table (blah, blah, blah) VALUES 
                 (ENCODE('password','someval'...)...

you can just read the update log to find them.   If you have full logging 
enabled, you will see the SELECT statements that pull back the encrypted 
data.  Both will give any casual reader the password for the encryption.  
This is generally considered to be a bad thing :-)

Either turn off logging entirely (not really a good idea), do the 
encryption/decryption outside the database code (a much better idea), or turn 
off logging just for these statements with the SET LOG... stuff.  The 
privileges are a little tricky to set up for the latter.  I don't remember 
what they are off the top of my head.

I much prefer doing the encryption somewhere else.  That way, an accident 
with database configuration won't leave all your nice encryption passwords 
sitting around in a plaintext file.

Cr#dit c#rds are a very valuable and easy to use form of money.  They are 
widely prized by thieves for these reasons.  They have strong economic 
incentives to hack your database or pay off your people or dig in your 
garbage for printouts of log files.  Cr#dit c#rd numbers do not belong to 
you, so there are all kinds of interesting legal issues that come up if you 
are responsible for leaking them.

Best,
Kyle

-- 
Kyle Hayes
Quicknet Technologies              t: +1 415 864 5225
520 Townsend St. Suite D          f: +1 415 864 8388
San Francisco, CA 94103         w: http://www.quicknet.net
USA
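
An added example, not part of the original message: a small Python audit that scans a MySQL update or general query log for the problem described above, statements where `ENCODE(...)` was logged with a literal password, and redacts them before the log is archived or shared. The one-statement-per-line log format, the extra function names (`DECODE`, `AES_ENCRYPT`, `AES_DECRYPT`) and the sample lines are assumptions constructed for illustration.

```python
import re

# MySQL functions whose second argument is the encryption password/key.
# ENCODE is the one in the message; the others are added here as an assumption.
KEYED_FUNCS = ("ENCODE", "DECODE", "AES_ENCRYPT", "AES_DECRYPT")

# A single-quoted SQL string literal, allowing \' and '' escapes.
_STR = r"'(?:[^'\\]|\\.|'')*'"
_CALL = re.compile(
    r"\b(?P<func>" + "|".join(KEYED_FUNCS) + r")\s*\(\s*"
    r"(?P<data>" + _STR + r"|[^,()]+?)\s*,\s*(?P<key>" + _STR + r")",
    re.IGNORECASE,
)

def find_key_leaks(log_lines):
    """Return (line_number, function) for every call logged with a literal key."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for m in _CALL.finditer(line):
            hits.append((lineno, m.group("func").upper()))
    return hits

def redact(line):
    """Blank out the literal key (and literal plaintext, if any) in a log line."""
    def _sub(m):
        data = m.group("data")
        if data.startswith("'"):          # plaintext literal: hide it too
            data = "'<redacted>'"
        return f"{m.group('func')}({data}, '<redacted>'"
    return _CALL.sub(_sub, line)

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    "INSERT INTO my_table (id, val) VALUES (1, ENCODE('secret-data', 'k3y-constructed'))",
    "SELECT id, DECODE(val, 'k3y-constructed') FROM my_table WHERE id = 1",
    # Encryption done outside the database: only a bound parameter is logged.
    "INSERT INTO my_table (id, val) VALUES (2, ?)",
    "SELECT id, val FROM my_table WHERE id = 2",
]

if __name__ == "__main__":
    for lineno, func in find_key_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {func} logged with a literal key")
        print("  redacted:", redact(SAMPLE_LOG[lineno - 1]))
```

The last two sample lines show what the log looks like when the application encrypts before the query is built: there is nothing for the scanner to flag.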
