You can use md5() which will create an encrypted string that cannot be
encrypted, or you can use something like base64_encode() which has the
inverse base64_decode, that way you have an encrypted string in the database
but if for example a user loses their password, instead of setting a new
one, you can retrieve the old one. This of course won't be as secure, but
anyone that gains access to your db will not be looking at the real password
and will have to know to decrypt it using base64_decode().

Hope that's informational,
-ApexEleven

-- 


-------------------------------------------------------------->>
Jasper Howard :: Database Administration
Velocity7
1.530.470.9292
http://www.Velocity7.com/
<<--------------------------------------------------------------
"Aaron Todd" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I have developed a PHP based site that requires users to log in.  Their
> login information is kept in a MYSQL database.  Currently, I am using an IF
> statement to verify what the user enters as their password with what is in
> the database.  If they are the same a session is created and they have
> access to the content of the site.
>
> As far as I know the password is being sent to the script in clear text
> and I was wondering what a good way would be to get this to be encrypted.
> My first thought is to encrypt the password in the database using crypt().
> So if I view the table I will see the encrypted characters.  Then change
> the IF statement to encrypt the password that the user enters and then just
> check if it's the same as what is in the database.  That sounds like the
> same as I am doing now only instead of checking a password that is a name,
> it's checking the encrypted characters of the name.
>
> So it seems my idea would hide the real characters.
>
> Can anyone tell me if this is a bad idea?  And maybe point me toward a
> good one.
>
> Thanks,
>
> Aaron

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
