When you're inserting a new password:

    INSERT INTO user SET password=PASSWORD('secret');

But you can't retrieve the original password. If a user forgets/loses his/her
password, just reset a password with something else, and send him/her that new password.

And when you want to check an inputted password against the encrypted one:

    SELECT * FROM user WHERE login="user_id" AND password=PASSWORD("inserted_password");

ST Ooi wrote:

SO: Date: Thu, 13 Dec 2001 07:52:59 +0800
SO: From: ST Ooi <[EMAIL PROTECTED]>
SO: To: [EMAIL PROTECTED]
SO: Subject: Password encryption
SO:
SO: How can I encrypt password in database and how can I retrieve the
SO: encrypted password?
SO:
SO: Thanks
SO:
SO: ST Ooi
SO: Malaysia
SO:
SO: ----- Original Message -----
SO: From: "Dan Nelson" <[EMAIL PROTECTED]>
SO: To: "James McLaughlin" <[EMAIL PROTECTED]>
SO: Cc: <[EMAIL PROTECTED]>
SO: Sent: Thursday, December 13, 2001 7:06 AM
SO: Subject: Re: No Database Encryption
SO:
SO:
SO: > In the last episode (Dec 12), James McLaughlin said:
SO: > > The new programmer for our company is not using the dataType
SO: > > "password" or any encryption whatsoever for our user accounts
SO: > > (accounts that our customers use for getting into our system) in our
SO: > > database.
SO: > >
SO: > > Instead he is using the VarChar dataType.
SO: > >
SO: > > Can someone explain to me how I can exploit this and show them it is
SO: > > very dangerous.
SO: >
SO: > It's only dangerous if a customer can trick your web frontend into
SO: > displaying the output of "SELECT * FROM USERS", for example. If the
SO: > frontend only uses hardcoded queries, or quotes every user-supplied
SO: > parameter, there's no problem. In fact, you need the password in
SO: > plaintext to support an "I forgot my password; email it to me" feature.
SO: >
SO: >
SO: > --
SO: > Dan Nelson
SO: > [EMAIL PROTECTED]
SO: >
SO: > ---------------------------------------------------------------------
SO: > Before posting, please check:
SO: > http://www.mysql.com/manual.php (the manual)
SO: > http://lists.mysql.com/ (the list archive)
SO: >
SO: > To request this thread, e-mail <[EMAIL PROTECTED]>
SO: > To unsubscribe, e-mail <[EMAIL PROTECTED]>
SO: > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
SO: >

--
Sherzod Ruzmetov <[EMAIL PROTECTED]>
http://www.UltraCgis.com, Consultant
989.774.6265
+----------------------------------------+
| There is nothing wrong with your tools.|
| But we can make a better one.          |
+----------------------------------------+