RE: [PHP-DB] Passwords
>>Sure, mysql.com and search for crypt. Not sure why this is asked on a PHP list since it has nothing to do with PHP.
> b) every language has a crypt function
>Then I guess it's okay to have crypt questions/answers on "every language" list.

Only if your "crypt" question relates to this board, PHP and DB. So no, not any "crypt" question can be answered here. And being a smart "ass" won't buy you any favours either, or respect or anything.

J
Re: [PHP-DB] Passwords
Dwight Altman wrote:
> > > Sure, mysql.com and search for crypt. Not sure why this is asked on a PHP list since it has nothing to do with PHP.
> > b) every language has a crypt function
> Then I guess it's okay to have crypt questions/answers on "every language" list.

Sure whatever, it's just this list is specifically about PHP and DB use so PHP's crypt() is pretty much the lamest recommendation since most DB engines have lots of good encryption and you can use it in your queries. So then they need to look in their DB's documentation for what their type/version offer. At that point it has 100% nothing to do with PHP :)

If they just want to crypt() some string for an /etc/passwd type system then they need to post to a PHP basics list not a DB specific one.

Not really a big deal but why have specific lists if they aren't kept specific :)

-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] Passwords
On 3/10/06, Micah Stevens <[EMAIL PROTECTED]> wrote:
> On Friday 10 March 2006 7:09 am, Michael Crute wrote:
> > On 3/10/06, Dusty Bin <[EMAIL PROTECTED]> wrote:
> > > One thing to remember, is that the password function is MySQL's way of
> > > storing passwords for MySQL use, and that may change from one release of
> > > MySQL to another. This happened very recently. If you want to store
> > > application passwords, it is better to use a hash, and be independent of
> > > MySQL changes. I use sha1 as I believe it *may* be stronger than MD5(I
> > > am not a cryptographer), so I store my password as:
> > >$passwordToBeStored = sha1($password);
> > > and check the password as:
> > >If(sha1($password) == $storedPassword) {
> > >...
> > >}
> > > HTH... Dusty
> >
> > Just a note, I would never compare passwords like that, you should put
> > sha1($password) in your SQL string as a condition and check to see if
> > any rows were returned.
> >
> > -Mike
>
> It doesn't matter if you have an SSL link to the database. :)

Indeed, but why bother with transferring and loading a resultset if you have no need for it?

-Mike

--
Michael E. Crute
http://mike.crute.org

It is a mistake to think you can solve any major problems just with potatoes. --Douglas Adams
Re: [PHP-DB] Passwords
On Friday 10 March 2006 7:09 am, Michael Crute wrote:
> On 3/10/06, Dusty Bin <[EMAIL PROTECTED]> wrote:
> > One thing to remember, is that the password function is MySQL's way of
> > storing passwords for MySQL use, and that may change from one release of
> > MySQL to another. This happened very recently. If you want to store
> > application passwords, it is better to use a hash, and be independent of
> > MySQL changes. I use sha1 as I believe it *may* be stronger than MD5(I
> > am not a cryptographer), so I store my password as:
> >$passwordToBeStored = sha1($password);
> > and check the password as:
> >If(sha1($password) == $storedPassword) {
> >...
> >}
> > HTH... Dusty
>
> Just a note, I would never compare passwords like that, you should put
> sha1($password) in your SQL string as a condition and check to see if
> any rows were returned.
>
> -Mike

It doesn't matter if you have an SSL link to the database. :)
RE: [PHP-DB] Passwords
>>Sure, mysql.com and search for crypt. Not sure why this is asked on a
>>PHP list since it has nothing to do with PHP.
> b) every language has a crypt function

Then I guess it's okay to have crypt questions/answers on "every language" list.

-Original Message-
From: JupiterHost.Net [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 7:07 PM
To: php-db@lists.php.net
Subject: Re: [PHP-DB] Passwords

Bastien Koert wrote:
> Not PHP?

Correct, not PHP. most DB engines have built in encryption functions for use in their INSERT (IE "store the password in the DB so that it is encrypted") and SELECT (for verifying it with the same function you used in INSERT)

> http://us3.php.net/crypt

yes "Not PHP":
a) crypt() has nothing to do with a query
b) every language has a crypt function

The question has more to do with a general idea of how to accomplish a task, the most suitable answer to is to be had in their DB documentation, since data should be independent of the language handling it (whether it a real language like C or Perl or a wanna be duct taped hack like PHP - no need for flames, I won't listen or care ;p)
Re: [PHP-DB] Passwords
On 3/10/06, Dusty Bin <[EMAIL PROTECTED]> wrote:
> One thing to remember, is that the password function is MySQL's way of
> storing passwords for MySQL use, and that may change from one release of
> MySQL to another. This happened very recently. If you want to store
> application passwords, it is better to use a hash, and be independent of
> MySQL changes. I use sha1 as I believe it *may* be stronger than MD5(I
> am not a cryptographer), so I store my password as:
>$passwordToBeStored = sha1($password);
> and check the password as:
>If(sha1($password) == $storedPassword) {
>...
>}
> HTH... Dusty

Just a note, I would never compare passwords like that, you should put sha1($password) in your SQL string as a condition and check to see if any rows were returned.

-Mike

--
Michael E. Crute
http://mike.crute.org

It is a mistake to think you can solve any major problems just with potatoes. --Douglas Adams
Re: [PHP-DB] Passwords
Kosala Atapattu wrote:
> Hi Ben,
>
>> I have created a user login/registration page. As of now I
>> am using a MySQL database to store the info of the user. To
>> validate the user I also have the password stored in the same
>> DB. I was wondering if there is a way that I can store the
>> password in the DB so that it is encrypted or something.
>> Just so it is not in plain text.
>
> You can use,
>
> SQL> Insert into users_table(user_name, pass_word) values ('your_name',
> PASSWORD('your_pass'));
>
> And crypted password will be saved in the DB
>
> To verify password you can use something like...
>
> SQL> select * from users_table where user_name = 'your_name' and
> pass_word = PASSWORD('your_pass');
>
> If the select query is not empty then user credentials are matching.
>
> As others have suggested PHP crypt functions are useful when you want to
> encrypt data within the DB like credit card details, Company Executives
> Salary and stuff like that. For password encryption the best is MySQL
> inbuilt encryption. MD5 is another I use with PHP, which is not really
> necessary.
>
> Kosala
>
> www.linux.lk/~kosala/

One thing to remember, is that the password function is MySQL's way of storing passwords for MySQL use, and that may change from one release of MySQL to another. This happened very recently. If you want to store application passwords, it is better to use a hash, and be independent of MySQL changes. I use sha1 as I believe it *may* be stronger than MD5(I am not a cryptographer), so I store my password as:

$passwordToBeStored = sha1($password);

and check the password as:

If(sha1($password) == $storedPassword) {
...
}

HTH... Dusty
RE: [PHP-DB] Passwords
Hi Ben,

> I have created a user login/registration page. As of now I
> am using a MySQL database to store the info of the user. To
> validate the user I also have the password stored in the same
> DB. I was wondering if there is a way that I can store the
> password in the DB so that it is encrypted or something.
> Just so it is not in plain text.

You can use,

SQL> Insert into users_table(user_name, pass_word) values ('your_name', PASSWORD('your_pass'));

And crypted password will be saved in the DB

To verify password you can use something like...

SQL> select * from users_table where user_name = 'your_name' and pass_word = PASSWORD('your_pass');

If the select query is not empty then user credentials are matching.

As others have suggested PHP crypt functions are useful when you want to encrypt data within the DB like credit card details, Company Executives Salary and stuff like that. For password encryption the best is MySQL inbuilt encryption. MD5 is another I use with PHP, which is not really necessary.

Kosala

www.linux.lk/~kosala/
Re: [PHP-DB] Passwords
Merely commenting that it's not only DBs that can do the encrypting.

Bastien

From: "JupiterHost.Net" <[EMAIL PROTECTED]>
To: php-db@lists.php.net
Subject: Re: [PHP-DB] Passwords
Date: Thu, 09 Mar 2006 19:07:11 -0600

Bastien Koert wrote:
> Not PHP?

Correct, not PHP. most DB engines have built in encryption functions for use in their INSERT (IE "store the password in the DB so that it is encrypted") and SELECT (for verifying it with the same function you used in INSERT)

> http://us3.php.net/crypt

yes "Not PHP":
a) crypt() has nothing to do with a query
b) every language has a crypt function

The question has more to do with a general idea of how to accomplish a task, the most suitable answer to is to be had in their DB documentation, since data should be independent of the language handling it (whether it a real language like C or Perl or a wanna be duct taped hack like PHP - no need for flames, I won't listen or care ;p)
Re: [PHP-DB] Passwords
Bastien Koert wrote:
> Not PHP?

Correct, not PHP. most DB engines have built in encryption functions for use in their INSERT (IE "store the password in the DB so that it is encrypted") and SELECT (for verifying it with the same function you used in INSERT)

> http://us3.php.net/crypt

yes "Not PHP":
a) crypt() has nothing to do with a query
b) every language has a crypt function

The question has more to do with a general idea of how to accomplish a task, the most suitable answer to is to be had in their DB documentation, since data should be independent of the language handling it (whether it a real language like C or Perl or a wanna be duct taped hack like PHP - no need for flames, I won't listen or care ;p)
Re: [PHP-DB] Passwords
Not PHP?

http://us3.php.net/crypt

Bastien

From: "JupiterHost.Net" <[EMAIL PROTECTED]>
To: "php-db@lists.php.net"
Subject: Re: [PHP-DB] Passwords
Date: Thu, 09 Mar 2006 07:23:07 -0600

Benjamin Stambaugh wrote:
> Hi, I have created a user login/registration page. As of now I am using a MySQL database to store the info of the user. To validate the user I also have the password stored in the same DB. I was wondering if there is a way that I can store the password in the DB so that it is encrypted or something. Just so it is not in plain text.

Sure, mysql.com and search for crypt. Not sure why this is asked on a PHP list since it has nothing to do with PHP.
Re: [PHP-DB] Passwords
Benjamin Stambaugh wrote:
> Hi, I have created a user login/registration page. As of now I am using a MySQL database to store the info of the user. To validate the user I also have the password stored in the same DB. I was wondering if there is a way that I can store the password in the DB so that it is encrypted or something. Just so it is not in plain text.

Sure, mysql.com and search for crypt. Not sure why this is asked on a PHP list since it has nothing to do with PHP.
RE: [PHP-DB] Passwords
I tend to use a hash value (like MD5) to one way encrypt it... If you combine it with a salt value (some random string that is consistent in the app) then is reasonably secure from being hacked...ex.

$salt = '1234567890';
$pass = md5($salt.$_POST['password']);

bastien

From: Benjamin Stambaugh <[EMAIL PROTECTED]>
To: "php-db@lists.php.net"
Subject: [PHP-DB] Passwords
Date: Wed, 08 Mar 2006 18:34:25 -0500

Hi, I have created a user login/registration page. As of now I am using a MySQL database to store the info of the user. To validate the user I also have the password stored in the same DB. I was wondering if there is a way that I can store the password in the DB so that it is encrypted or something. Just so it is not in plain text.

Ben
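Added example, not part of the thread: the `sha1($password)` and fixed-salt `md5()` schemes from the messages above next to PHP's built-in `password_hash()` / `password_verify()` (PHP 5.5 and later), which generate a random salt per password. The `users_table` column names follow Kosala's message; the in-memory SQLite database and the sample accounts are assumptions made so the script runs stand-alone.

```php
<?php
// Added example. Constructed: the in-memory SQLite DB and the sample accounts.
// Assumes PHP >= 5.5 (password_hash) and the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users_table (user_name TEXT PRIMARY KEY, pass_word TEXT NOT NULL)');

function register_user(PDO $db, $user, $password)
{
    // A fresh random salt is generated per call; algorithm, cost and salt
    // are all encoded in the returned string, so one column is enough.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users_table (user_name, pass_word) VALUES (?, ?)');
    $stmt->execute(array($user, $hash));
    return $hash;
}

function check_login(PDO $db, $user, $password)
{
    // Because every row has its own salt, the hash cannot be recomputed in
    // the WHERE clause: select by user name only, then verify in PHP.
    $stmt = $db->prepare('SELECT pass_word FROM users_table WHERE user_name = ?');
    $stmt->execute(array($user));
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    // password_verify() re-hashes with the stored salt and compares in
    // constant time, unlike a loose == between two hex digests.
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Transparently upgrade rows when PHP's default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users_table SET pass_word = ? WHERE user_name = ?');
        $upd->execute(array(password_hash($password, PASSWORD_DEFAULT), $user));
    }
    return true;
}

// Schemes from the thread: two users with the same password end up with the
// same stored value, with or without an application-wide salt.
$salt = '1234567890';
var_dump(sha1('your_pass') === sha1('your_pass'));
var_dump(md5($salt . 'your_pass') === md5($salt . 'your_pass'));

// password_hash(): the same password stored for two users.
$a = register_user($db, 'alice', 'your_pass');
$b = register_user($db, 'bob', 'your_pass');
var_dump($a === $b);

var_dump(check_login($db, 'alice', 'your_pass'));
var_dump(check_login($db, 'alice', 'wrong_pass'));
var_dump(check_login($db, 'nobody', 'your_pass'));
```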
Re: [PHP-DB] Passwords
> I have created a user login/registration page. As of now I am using a MySQL database to store the info of the user. To validate the user I also have the password stored in the same DB. I was wondering if there is a way that I can store the password in the DB so that it is encrypted or something. Just so it is not in plain text.

Of course. Check out any of MySQL's encryption functions. Make sure that you use the same function and parameters for both the registration and the login or else the login will never work.

Larry
[PHP-DB] Passwords
Hi,

I have created a user login/registration page. As of now I am using a MySQL database to store the info of the user. To validate the user I also have the password stored in the same DB. I was wondering if there is a way that I can store the password in the DB so that it is encrypted or something. Just so it is not in plain text.

Ben
RE: [PHP-DB] Passwords in MySQL for a PHP site
Yeah I read that after I had posted this

-Original Message-
From: John Holmes [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 03, 2004 7:04 AM
To: Dylan Barber
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Passwords in MySQL for a PHP site

Dylan Barber wrote:
> I am building a security script and am wondering what should I do to enable
> a user to recover his/her password if they forget it. I currently use
> PASSWORD() when inserting the password into the database so I don't know how
> to send them an unhashed string.
>
> Can someone direct me to an example or give me a few ideas!

Quote from MySQL manual:

"Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application."

Your application should reset the password to some random value for the user rather than giving them their original back and force them to change it the next time they log on.

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals - www.phparch.com
Re: [PHP-DB] Passwords in MySQL for a PHP site
Dylan Barber wrote:
> I am building a security script and am wondering what should I do to enable a user to recover his/her password if they forget it. I currently use PASSWORD() when inserting the password into the database so I don't know how to send them an unhashed string.
>
> Can someone direct me to an example or give me a few ideas!

Quote from MySQL manual:

"Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application."

Your application should reset the password to some random value for the user rather than giving them their original back and force them to change it the next time they log on.

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com
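Added example, not part of the thread: the reset flow described in the message above (replace the forgotten password with a random value, then force a change at the next logon). It assumes PHP 7 or later for `random_bytes()` and the pdo_sqlite extension; the `must_change` column, the function names and the sample account are hypothetical.

```php
<?php
// Added example. Constructed: schema, function names and the sample account.
// Assumes PHP >= 7.0 (random_bytes) and the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users_table (
    user_name   TEXT PRIMARY KEY,
    pass_word   TEXT NOT NULL,
    must_change INTEGER NOT NULL DEFAULT 0
)');
$db->prepare('INSERT INTO users_table (user_name, pass_word) VALUES (?, ?)')
   ->execute(array('dylan', password_hash('original-secret', PASSWORD_DEFAULT)));

function reset_password(PDO $db, $user)
{
    // 12 bytes from the OS CSPRNG, hex-encoded to 24 characters.
    // rand() and mt_rand() are predictable and not suitable here.
    $temporary = bin2hex(random_bytes(12));
    $stmt = $db->prepare(
        'UPDATE users_table SET pass_word = ?, must_change = 1 WHERE user_name = ?'
    );
    $stmt->execute(array(password_hash($temporary, PASSWORD_DEFAULT), $user));
    // The plain value goes back to the caller for delivery to the user;
    // the database only ever holds its hash.
    return $stmt->rowCount() === 1 ? $temporary : null;
}

function login(PDO $db, $user, $password)
{
    $stmt = $db->prepare('SELECT pass_word, must_change FROM users_table WHERE user_name = ?');
    $stmt->execute(array($user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_word'])) {
        return 'denied';
    }
    // A temporary password is only good for reaching the change-password step.
    return $row['must_change'] ? 'change-required' : 'ok';
}

function change_password(PDO $db, $user, $new)
{
    $stmt = $db->prepare(
        'UPDATE users_table SET pass_word = ?, must_change = 0 WHERE user_name = ?'
    );
    $stmt->execute(array(password_hash($new, PASSWORD_DEFAULT), $user));
}

$temp = reset_password($db, 'dylan');
var_dump(login($db, 'dylan', 'original-secret')); // the forgotten password, tried after the reset
var_dump(login($db, 'dylan', $temp));             // the random temporary value
change_password($db, 'dylan', 'new-secret');
var_dump(login($db, 'dylan', 'new-secret'));      // the user's newly chosen password
```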
[PHP-DB] Passwords in MySQL for a PHP site
I am building a security script and am wondering what should I do to enable a user to recover his/her password if they forget it. I currently use PASSWORD() when inserting the password into the database so I don't know how to send them an unhashed string.

Can someone direct me to an example or give me a few ideas!

Thanks
Dylan Barber
RE: [PHP-DB] Passwords
Basically you need first to authorise the user. Check the username and password against an entry in a user table in the database.

If you are using sessions set a variable that makes the session authorised, if you are not using sessions then you need some sort of session management. (I have the code, contact me off list if you want it )

if(login ok) $authorised = 1;

At the beginning of any page you want protected

if(!$authorised) die ('you are not authorised to view this page etc etc');

will do the trick

regards
Peter

---
Excellence in internet and open source software
---
Sunmaia
www.sunmaia.net
[EMAIL PROTECTED]
tel. 0121-242-1473
---

> -Original Message-
> From: Achilles Maroulis [mailto:[EMAIL PROTECTED]]
> Sent: 08 December 2001 08:10
> To: PHP mailing list
> Subject: [PHP-DB] Passwords
>
>
> Hi folks.
>
> I have a question for you which maybe a little silly as I'm still
> new here..
> I want to build a database in which access will have only
> registered members, so I need to protect it. The database will
> have over 10 records and hopefully over 1000 users-visitors.
> Everyone of them is going to have his own password. I suppose I
> will have to build a table with usernames and encrypted passwords
> but what I don't know is how to protect the pages not to be seen
> without authorization. At first I thought about the .htaccess and
> .htpasswd files but I'm not sure yet...
> Can anyone suggest the best way to protect my database? If it is
> too complicated to be explained in an email please suggest just
> the functions names and I'll try to find the way...
>
> Thanx
> Achilles
>
Re: [PHP-DB] Passwords
Thanx guys!!
[PHP-DB] Passwords
Hi folks.

I have a question for you which maybe a little silly as I'm still new here.. I want to build a database in which access will have only registered members, so I need to protect it. The database will have over 10 records and hopefully over 1000 users-visitors. Everyone of them is going to have his own password. I suppose I will have to build a table with usernames and encrypted passwords but what I don't know is how to protect the pages not to be seen without authorization. At first I thought about the .htaccess and .htpasswd files but I'm not sure yet...

Can anyone suggest the best way to protect my database? If it is too complicated to be explained in an email please suggest just the functions names and I'll try to find the way...

Thanx
Achilles