How can I encrypt a password in the database, and how can I retrieve the
encrypted password?

Thanks

ST Ooi
Malaysia

----- Original Message -----
From: "Dan Nelson" <[EMAIL PROTECTED]>
To: "James McLaughlin" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, December 13, 2001 7:06 AM
Subject: Re: No Database Encryption


> In the last episode (Dec 12), James McLaughlin said:
> > The new programmer for our company is not using the dataType
> > "password" or any encryption whatsoever for our user accounts
> > (accounts that our customers use for getting into our system) in our
> > database.
> >
> > Instead he is using the VarChar dataType.
> >
> > Can someone explain to me how I can exploit this and show them it is
> > very dangerous?
>
> It's only dangerous if a customer can trick your web frontend into
> displaying the output of "SELECT * FROM USERS", for example.  If the
> frontend only uses hardcoded queries, or quotes every user-supplied
> parameter, there's no problem.  In fact, you need the password in
> plaintext to support an "I forgot my password; email it to me" feature.
>
>
> --
> Dan Nelson
> [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>
>
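
An added example, not part of the original messages: the usual answer to the question at the top of this thread is to store a salted, slow hash rather than the password, and to handle "I forgot my password" with a one-time reset token instead of mailing the password back. The table layout, function names, iteration count and token lifetime are assumptions, and sqlite3 stands in for the MySQL users table.

```python
import hashlib, hmac, secrets, sqlite3, time

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value; tune per host)
RESET_TTL = 900       # seconds a reset token stays valid (assumed value)

def hash_password(password, salt=None):
    """Return (salt_hex, hash_hex) for storage; the password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), digest.hex()

def open_db():
    db = sqlite3.connect(":memory:")  # hypothetical schema, VARCHAR columns throughout
    db.execute("CREATE TABLE users (name VARCHAR(64) PRIMARY KEY, salt VARCHAR(32), "
               "pw_hash VARCHAR(64), reset_hash VARCHAR(64), reset_expires INTEGER)")
    return db

def register(db, name, password):
    salt, digest = hash_password(password)
    db.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
               (name, salt, digest))  # bound parameters, no string-built SQL

def verify(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, bytes.fromhex(row[0]))
    return hmac.compare_digest(digest, row[1])  # constant-time comparison

def start_reset(db, name):
    """Return a one-time token to mail to the user; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE users SET reset_hash = ?, reset_expires = ? WHERE name = ?",
               (hashlib.sha256(token.encode()).hexdigest(),
                int(time.time()) + RESET_TTL, name))
    return token

def finish_reset(db, name, token, new_password):
    row = db.execute("SELECT reset_hash, reset_expires FROM users WHERE name = ?",
                     (name,)).fetchone()
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if (row is None or row[0] is None or time.time() > row[1]
            or not hmac.compare_digest(supplied, row[0])):
        return False
    salt, digest = hash_password(new_password)
    db.execute("UPDATE users SET salt = ?, pw_hash = ?, reset_hash = NULL, "
               "reset_expires = NULL WHERE name = ?", (salt, digest, name))
    return True
```

With this layout a full dump of the users table yields salts and hashes only, so the stored value is verified at login rather than retrieved.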

