At 19:51 +0200 8/11/02, Benjamin Pflugmann wrote:
>Hi.
>
>On Sun 2002-08-11 at 12:07:47 -0500, [EMAIL PROTECTED] wrote:
>> At 9:25 -0700 8/11/02, Michael Collins wrote:
>[...]
>> >SELECT * FROM MYDB
>> >WHERE EmailAddress=$EmailEntered AND
>> >DECODE(LoginPassword,'MySalt')=$PasswordEntered
>>

Hi.
On Sun 2002-08-11 at 12:07:47 -0500, [EMAIL PROTECTED] wrote:
> At 9:25 -0700 8/11/02, Michael Collins wrote:
[...]
> >SELECT * FROM MYDB
> >WHERE EmailAddress=$EmailEntered AND
> >DECODE(LoginPassword,'MySalt')=$PasswordEntered
>
> If you write the query like that, yes, it will use a compl

At 12:07 PM -0500 8/11/02, Paul DuBois wrote:
>If you write the query like that, yes, it will use a complete scan.
>But you could also use
>
>... AND LoginPassword = ENCODE($PasswordEntered,'MySalt')
>
>which doesn't perform a calculation on the LoginPassword column and thus
>can use an index. Th

At 9:25 -0700 8/11/02, Michael Collins wrote:
>I want to securely store a value that is used as a password to log
>someone into a Web application. I also want to be able to allow the
>user to search for their email address and have their password sent
>back to them (in readable form). Encrypt,

At 9:54 AM -0700 8/11/02, Mike Wexler wrote:
>>I would think that using the SQL shown would require a table scan,
>>meaning that each and every record in the visitors table must be
>>examined, the LoginPassword decoded and compared. There is also no
>>way to index this field. I do not think thi

An easier (and more secure) way, surely, is to use one-way encryption... and
if a user forgets his/her password, replace it with a random alphanumeric
string and mail that to them instead with instructions to change it to one
of their own choosing as soon as possible.
Mike
- Original Messag
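
The approach suggested in the last message above (one-way storage, with a forgotten password replaced by a random alphanumeric string), as an added example that is not part of any message in this thread. It assumes SQLite in place of MySQL so that it runs stand-alone, PBKDF2-HMAC-SHA256 as the one-way function, and the visitors table with the EmailAddress and LoginPassword columns named in the thread; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3
import string

ITERATIONS = 200_000  # assumed PBKDF2 work factor, not a value from the thread

def hash_password(password, salt=None):
    """Return 'salt$digest' (hex); a fresh random salt is made per password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def open_db():
    db = sqlite3.connect(":memory:")
    # UNIQUE creates the index that the login lookup uses.
    db.execute("CREATE TABLE visitors (EmailAddress TEXT UNIQUE NOT NULL, "
               "LoginPassword TEXT NOT NULL)")
    return db

def register(db, email, password):
    db.execute("INSERT INTO visitors VALUES (?, ?)", (email, hash_password(password)))

def check_login(db, email, password):
    # Bound parameter, indexed column, no function applied to stored data.
    row = db.execute("SELECT LoginPassword FROM visitors WHERE EmailAddress = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt_hex = row[0].split("$")[0]
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, row[0])

def reset_password(db, email):
    """Store a hash of a random alphanumeric password; return it for mailing."""
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(16))
    cur = db.execute("UPDATE visitors SET LoginPassword = ? WHERE EmailAddress = ?",
                     (hash_password(temp), email))
    return temp if cur.rowcount == 1 else None

def lookup_plan(db):
    """Return SQLite's plan for the login lookup (detail column)."""
    rows = db.execute("EXPLAIN QUERY PLAN SELECT LoginPassword FROM visitors "
                      "WHERE EmailAddress = ?", ("x",)).fetchall()
    return " ".join(r[3] for r in rows)
```

Because the stored value cannot be reversed, the row is found by the indexed EmailAddress alone and the password comparison happens in the application, so no per-row decoding is needed.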