you can use the password() mysql function to crypt it.

you cannot retrieve the encrypted password -- only compare input
(password() the input) against the saved encrypted password.  if the
resulting text matches, the password is good.  if not, the authentication
in your application should fail.

-tcl.


On Thu, 13 Dec 2001, ST Ooi wrote:

> How can I encrypt password in database and how can I retrieve the
> encrypted password?
>
> Thanks
>
> ST Ooi
> Malaysia
>
> ----- Original Message -----
> From: "Dan Nelson" <[EMAIL PROTECTED]>
> To: "James McLaughlin" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, December 13, 2001 7:06 AM
> Subject: Re: No Database Encryption
>
>
> > In the last episode (Dec 12), James McLaughlin said:
> > > The new programmer for our company is not using the dataType
> > > "password" or any encryption whatsoever for our user accounts
> > > (accounts that our customers use for getting into our system) in our
> > > database.
> > >
> > > Instead he is using the VarChar dataType.
> > >
> > > Can someone explain to me how I can exploit this and show them it is
> > > very dangerous.
> >
> > It's only dangerous if a customer can trick your web frontend into
> > displaying the output of "SELECT * FROM USERS", for example.  If the
> > frontend only uses hardcoded queries, or quotes every user-supplied
> > parameter, there's no problem.  In fact, you need the password in
> > plaintext to support a "I forgot my password; email it to me" feature.
> >
> >
> > --
> > Dan Nelson
> > [EMAIL PROTECTED]
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> >    http://www.mysql.com/manual.php   (the manual)
> >    http://lists.mysql.com/           (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> >
> >
>
>

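The store-then-compare flow from the reply above, as an added example that is not from the thread: the table and column names (`users`, `username`, `pw_hash`) and the login values are assumptions, and the PREPARE/EXECUTE form assumes MySQL 4.1 or later (PASSWORD() itself was removed in MySQL 8.0, where a salted application-side hash must replace it).

```sql
-- Added example, not code from the list thread.
-- Assumed schema: only the PASSWORD() digest is stored, never the plaintext.
CREATE TABLE users (
  username VARCHAR(32) NOT NULL PRIMARY KEY,
  pw_hash  VARCHAR(41) NOT NULL      -- 41 chars: MySQL 4.1+ PASSWORD() output
);

-- Account creation / password change: hash on the way in.
INSERT INTO users (username, pw_hash)
VALUES ('alice', PASSWORD('s3cret'));  -- constructed sample values

-- Login check: hash the submitted value and compare it with the stored digest.
-- The submitted values are bound as parameters, never concatenated into SQL,
-- so the "trick the frontend into SELECT * FROM users" case in the quoted
-- message cannot be reached through this query.
SET @u = 'alice', @p = 's3cret';       -- constructed: values from the login form
PREPARE login_check FROM
  'SELECT COUNT(*) AS ok
     FROM users
    WHERE username = ? AND pw_hash = PASSWORD(?)';
EXECUTE login_check USING @u, @p;      -- ok = 1: password good; ok = 0: fail
DEALLOCATE PREPARE login_check;

-- There is no inverse of PASSWORD(), so "email me my password" cannot be
-- served from pw_hash; a reset that lets the user choose a new password
-- (UPDATE users SET pw_hash = PASSWORD(?) WHERE username = ?) replaces it.
```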
