When you're inserting a new password:

INSERT INTO user SET password=PASSWORD('secret');

But you can't retrieve the original password. If a user forgets/loses
his/her password, just reset the password to something else, and send
him/her that new password.

And when you want to check an inputted password against the encrypted one:

SELECT * FROM user WHERE login="user_id" AND
password=PASSWORD("inserted_password");



ST Ooi wrote:

    SO: Date: Thu, 13 Dec 2001 07:52:59 +0800
    SO: From: ST Ooi <[EMAIL PROTECTED]>
    SO: To: [EMAIL PROTECTED]
    SO: Subject: Password encryption
    SO:
    SO: How can I encrypt password in database and how can I retrieve the
    SO: encrypted password?
    SO:
    SO: Thanks
    SO:
    SO: ST Ooi
    SO: Malaysia
    SO:
    SO: ----- Original Message -----
    SO: From: "Dan Nelson" <[EMAIL PROTECTED]>
    SO: To: "James McLaughlin" <[EMAIL PROTECTED]>
    SO: Cc: <[EMAIL PROTECTED]>
    SO: Sent: Thursday, December 13, 2001 7:06 AM
    SO: Subject: Re: No Database Encryption
    SO:
    SO:
    SO: > In the last episode (Dec 12), James McLaughlin said:
    SO: > > The new programmer for our company is not using the dataType
    SO: > > "password" or any encryption what so ever for our user accounts
    SO: > > (accounts that our customers use for getting into our system) in our
    SO: > > database.
    SO: > >
    SO: > > Instead he is using the VarChar dataType.
    SO: > >
    SO: > > Can someone explain to me how I can exploit this and show them it is
    SO: > > very dangerous.  
    SO: >
    SO: > It's only dangerous if a customer can trick your web frontend into
    SO: > displaying the output of "SELECT * FROM USERS", for example.  If the
    SO: > frontend only uses hardcoded queries, or quotes every user-supplied
    SO: > parameter, there's no problem.  In fact, you need the password in
    SO: > plaintext to support a "I forgot my password; email it to me" feature.
    SO: >
    SO: >
    SO: > --
    SO: > Dan Nelson
    SO: > [EMAIL PROTECTED]
    SO: >
    SO: > ---------------------------------------------------------------------
    SO: > Before posting, please check:
    SO: >    http://www.mysql.com/manual.php   (the manual)
    SO: >    http://lists.mysql.com/           (the list archive)
    SO: >
    SO: > To request this thread, e-mail <[EMAIL PROTECTED]>
    SO: > To unsubscribe, e-mail <[EMAIL PROTECTED]>
    SO: > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
    SO: >
    SO: >
    SO:
    SO:

-- 
Sherzod Ruzmetov <[EMAIL PROTECTED]>
http://www.UltraCgis.com, Consultant
989.774.6265
+----------------------------------------+
| There is nothing wrong with your tools.|
| But we can make a better one.          |
+----------------------------------------+
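As an added example (not code from this thread), the same store-a-hash / compare-a-hash pattern from the reply above, written in Python against an in-memory SQLite table so it runs stand-alone. It swaps MySQL's PASSWORD() for salted PBKDF2-HMAC-SHA256 and uses parameterized queries so user input never becomes part of the SQL text; table and column names follow the post, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed cost parameter for PBKDF2-HMAC-SHA256; tune it for your hardware.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || digest: a one-way value from which the password cannot be recovered."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time (like WHERE password=PASSWORD(...))."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (login TEXT PRIMARY KEY, password BLOB NOT NULL)")
    return conn


def create_user(conn: sqlite3.Connection, login_name: str, password: str) -> None:
    # Equivalent of INSERT INTO user SET password=PASSWORD('secret'), with placeholders.
    conn.execute("INSERT INTO user (login, password) VALUES (?, ?)",
                 (login_name, hash_password(password)))


def login(conn: sqlite3.Connection, login_name: str, password: str) -> bool:
    row = conn.execute("SELECT password FROM user WHERE login = ?", (login_name,)).fetchone()
    return row is not None and verify_password(password, row[0])


def reset_password(conn: sqlite3.Connection, login_name: str) -> str:
    """The original password is gone for good; issue a fresh random one and store its hash."""
    new_password = os.urandom(9).hex()
    conn.execute("UPDATE user SET password = ? WHERE login = ?",
                 (hash_password(new_password), login_name))
    return new_password


if __name__ == "__main__":
    db = open_db()
    create_user(db, "user_id", "secret")
    print(login(db, "user_id", "secret"), login(db, "user_id", "wrong"))  # True False
    fresh = reset_password(db, "user_id")
    print(login(db, "user_id", "secret"), login(db, "user_id", fresh))   # False True
```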
