Passwords

Passwords

on 08.12.2001 09:10:14 by Achilleas Maroulis


Hi folks.

I have a question for you which may be a little silly as I'm still new here..
I want to build a database in which access will have only registered
members, so I need to protect it. The database will have over 100000
records and hopefully over 1000 users-visitors. Every one of them is
going to have his own password. I suppose I will have to build a table
with usernames and encrypted passwords but what I don't know is how to
protect the pages not to be seen without authorization. At first I
thought about the .htaccess and .htpasswd files but I'm not sure yet...
Can anyone suggest the best way to protect my database? If it is too
complicated to be explained in an email please suggest just the
functions names and I'll try to find the way...

Thanx
Achilles


Re: Passwords

on 08.12.2001 11:25:37 by Achilleas Maroulis

Thanx guys!!


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: Passwords

on 23.04.2002 14:22:48 by Peter Lovatt

Basically you need first to authorise the user. Check the username and
password against an entry in a user table in the database.

If you are using sessions, set a variable that makes the session authorised;
if you are not using sessions then you need some sort of session management. (I
have the code, contact me off list if you want it.)

if(login ok) $authorised = 1;

At the beginning of any page you want protected

if(!$authorised) die ('you are not authorised to view this page etc etc');

will do the trick

regards

Peter
-----------------------------------------------
Excellence in internet and open source software
-----------------------------------------------
Sunmaia
www.sunmaia.net
info@sunmaia.net
tel. 0121-242-1473
-----------------------------------------------
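A session-based version of the check described in the message above, as an added example that is not part of the original post: the flag lives in `$_SESSION` on the server rather than in a plain variable, and the session ID is regenerated at login. The function names and the `$storedHash` argument (a `password_hash()` value read from the user table) are assumptions.

```php
<?php
declare(strict_types=1);

// Call before any output is sent; safe to call more than once per request.
function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,   // cookie is not readable from JavaScript
            'cookie_secure'   => true,   // cookie is only sent over HTTPS
            'cookie_samesite' => 'Lax',
            'use_strict_mode' => true,   // reject session IDs the server did not issue
        ]);
    }
}

// $storedHash: hypothetical value fetched from the user table for this user.
function login(int $userId, string $password, string $storedHash): bool
{
    start_secure_session();
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);         // fresh ID once the session becomes authorised
    $_SESSION['user_id']    = $userId;
    $_SESSION['authorised'] = true;
    return true;
}

// Call at the top of every protected page.
function require_login(): void
{
    start_secure_session();
    if (($_SESSION['authorised'] ?? false) !== true) {
        http_response_code(403);
        exit('You are not authorised to view this page.');
    }
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}
```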


RE: Passwords

on 10.03.2006 05:49:30 by Kosala Atapattu


Hi Ben,

> I have created a user login/registration page. As of now I
> am using a MySQL database to store the info of the user. To
> validate the user I also have the password stored in the same
> DB. I was wondering if there is a way that I can store the
> password in the DB so that it is encrypted or something.
> Just so it is not in plain text.

You can use,

SQL> Insert into users_table(user_name, pass_word) values ('your_name',
PASSWORD('your_pass'));

And crypted password will be saved in the DB

To verify password you can use something like...

SQL> select * from users_table where user_name = 'your_name' and
pass_word = PASSWORD('your_pass');

If the select query is not empty then user credentials are matching.

As others have suggested PHP crypt functions are useful when you want to
encrypt data within the DB like credit card details, Company Executives
Salary and stuff like that. For password encryption the best is MySQL
inbuilt encryption. MD5 is another I use with PHP, which is not really
necessary.

Kosala

www.linux.lk/~kosala/



Re: Passwords

on 10.03.2006 12:45:55 by Dusty Bin

Kosala Atapattu wrote:
> Hi Ben,
>
>> I have created a user login/registration page. As of now I
>> am using a MySQL database to store the info of the user. To
>> validate the user I also have the password stored in the same
>> DB. I was wondering if there is a way that I can store the
>> password in the DB so that it is encrypted or something.
>> Just so it is not in plain text.
>
> You can use,
>
> SQL> Insert into users_table(user_name, pass_word) values ('your_name',
> PASSWORD('your_pass'));
>
> And crypted password will be saved in the DB
>
> To verify password you can use something like...
>
> SQL> select * from users_table where user_name = 'your_name' and
> pass_word = PASSWORD('your_pass');
>
> If the select query is not empty then user credentials are matching.
>
> As others have suggested PHP crypt functions are useful when you want to
> encrypt data within the DB like credit card details, Company Executives
> Salary and stuff like that. For password encryption the best is MySQL
> inbuilt encryption. MD5 is another I use with PHP, which is not really
> necessary.
>
> Kosala
>
> www.linux.lk/~kosala/

One thing to remember, is that the password function is MySQL's way of
storing passwords for MySQL use, and that may change from one release of
MySQL to another. This happened very recently. If you want to store
application passwords, it is better to use a hash, and be independent of
MySQL changes. I use sha1 as I believe it *may* be stronger than MD5 (I
am not a cryptographer), so I store my password as:

    $passwordToBeStored = sha1($password);

and check the password as:

    If(sha1($password) == $storedPassword) {
    ...
    }

HTH... Dusty
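For the store-and-check flow discussed above, an added example (not code from any poster in this thread) using PHP's salted, deliberately slow `password_hash()` / `password_verify()`, and upgrading a row that still holds an unsalted SHA-1 hex digest at the next successful login. `store_password()`, `check_password()` and the in-memory `$row` array standing in for the user table are assumptions.

```php
<?php
declare(strict_types=1);

function store_password(string $password): string
{
    // The random per-password salt and the cost are embedded in the returned string.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns [bool $ok, ?string $newHash]; write $newHash back to the row when it is not null.
function check_password(string $password, string $stored): array
{
    // Legacy row: 40 hex characters of unsalted sha1().
    if (preg_match('/^[0-9a-f]{40}$/', $stored) === 1) {
        // hash_equals() compares in constant time and, unlike ==, never
        // treats two "0e..." digests as equal numbers.
        if (!hash_equals($stored, sha1($password))) {
            return [false, null];
        }
        return [true, store_password($password)];   // upgrade on successful login
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash when the default algorithm or cost has moved on since storage.
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? store_password($password)
        : null;
    return [true, $newHash];
}

// Constructed sample row standing in for the user table.
$row = ['user_name' => 'your_name', 'pass_word' => sha1('your_pass')];

[$ok, $newHash] = check_password('your_pass', $row['pass_word']);
if ($ok && $newHash !== null) {
    // In a real application: UPDATE users_table SET pass_word = ? WHERE user_name = ?
    $row['pass_word'] = $newHash;
}
var_dump($ok);                                               // legacy digest accepted
var_dump(check_password('wrong', $row['pass_word'])[0]);     // wrong password rejected
var_dump(password_verify('your_pass', $row['pass_word']));   // row now holds a salted hash
```

Because each stored value carries its own salt, the comparison cannot be done in a `WHERE` clause: fetch the row by user name with a prepared statement and verify in PHP.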


Re: Passwords

on 10.03.2006 16:09:55 by Michael Crute

On 3/10/06, Dusty Bin wrote:
> One thing to remember, is that the password function is MySQL's way of
> storing passwords for MySQL use, and that may change from one release of
> MySQL to another. This happened very recently. If you want to store
> application passwords, it is better to use a hash, and be independent of
> MySQL changes. I use sha1 as I believe it *may* be stronger than MD5(I
> am not a cryptographer), so I store my password as:
> $passwordToBeStored = sha1($password);
> and check the password as:
> If(sha1($password) == $storedPassword) {
> ...
> }
> HTH... Dusty

Just a note, I would never compare passwords like that, you should put
sha1($password) in your SQL string as a condition and check to see if
any rows were returned.

-Mike

--
________________________________
Michael E. Crute
http://mike.crute.org

It is a mistake to think you can solve any major problems just with potatoes.
--Douglas Adams


Re: Passwords

on 10.03.2006 16:24:20 by Micah Stevens

On Friday 10 March 2006 7:09 am, Michael Crute wrote:
> On 3/10/06, Dusty Bin wrote:
> > One thing to remember, is that the password function is MySQL's way of
> > storing passwords for MySQL use, and that may change from one release of
> > MySQL to another. This happened very recently. If you want to store
> > application passwords, it is better to use a hash, and be independent of
> > MySQL changes. I use sha1 as I believe it *may* be stronger than MD5(I
> > am not a cryptographer), so I store my password as:
> > $passwordToBeStored = sha1($password);
> > and check the password as:
> > If(sha1($password) == $storedPassword) {
> > ...
> > }
> > HTH... Dusty
>
> Just a note, I would never compare passwords like that, you should put
> sha1($password) in your SQL string as a condition and check to see if
> any rows were returned.
>
> -Mike

It doesn't matter if you have an SSL link to the database. :)


Re: Passwords

on 10.03.2006 16:26:19 by Michael Crute

On 3/10/06, Micah Stevens wrote:
> On Friday 10 March 2006 7:09 am, Michael Crute wrote:
> > On 3/10/06, Dusty Bin wrote:
> > > One thing to remember, is that the password function is MySQL's way of
> > > storing passwords for MySQL use, and that may change from one release of
> > > MySQL to another. This happened very recently. If you want to store
> > > application passwords, it is better to use a hash, and be independent of
> > > MySQL changes. I use sha1 as I believe it *may* be stronger than MD5(I
> > > am not a cryptographer), so I store my password as:
> > > $passwordToBeStored = sha1($password);
> > > and check the password as:
> > > If(sha1($password) == $storedPassword) {
> > > ...
> > > }
> > > HTH... Dusty
> >
> > Just a note, I would never compare passwords like that, you should put
> > sha1($password) in your SQL string as a condition and check to see if
> > any rows were returned.
> >
> > -Mike
>
> It doesn't matter if you have an SSL link to the database. :)

Indeed, but why bother with transferring and loading a resultset if you
have no need for it?

-Mike

--
________________________________
Michael E. Crute
http://mike.crute.org

It is a mistake to think you can solve any major problems just with potatoes.
--Douglas Adams


RE: Passwords

on 13.03.2006 05:21:45 by jusa_98

>> Sure, mysql.com and search for crypt. Not sure why this is asked on a
>> PHP list since it has nothing to do with PHP.
> b) every language has a crypt function
> Then I guess it's okay to have crypt questions/answers on "every
> language" list.



Only if your "crypt" question relates to this board, PHP and DB. So no, not any "crypt" question can be answered here. And being a smart "ass" won't buy you any favours either, or respect or anything.

J
