Encrypting DB content

am 31.12.2005 05:15:26 von Chris Payne


Hi there everyone,

I am about to launch the website for my complex where the homeowners can
login and check their billing status etc .. what is the best way, with PHP
and MySQL, to store an ENCRYPTED password into the database so that if
someone got into the DB they couldn't read the password but if they enter it
into the form on the site it still works?

I'm not sure on the best way to do this and any help would be really
appreciated.

Happy New Year everyone.

Chris



Re: Encrypting DB content

am 31.12.2005 07:12:38 von Micah Stevens

You can store an MD5, or SHA hash of the password, and then compare.. This is
not an encrypted version of the password, rather a calculated hash of it. You
can't (well, not without a bit of effort) decrypt this back into the
password.

The idea is when you store the password, you create the hash. Store the hash
in the database. When the user logs in, take their password entry, generate a
hash in the same way, and compare the two values.

SHA2 is the most secure method to use of these two, I'd use that.

The advantage is, the hash could be freely accessible to anyone, and it
doesn't cause a security issue, whereas all a hacker needs is the key to an
encrypted database of passwords to reveal them all.

That's the route I take anyhow.. This will likely start a huge conversation
about how to secure your system up super tight, but remember the most secure
server is one that isn't turned on. :) A realistic solution is somewhere
in-between this and no security at all.

-Micah


On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> Hi there everyone,
>
>
>
> I am about to launch the website for my complex where the homeowners can
> login and check their billing status etc .. what is the best way, with PHP
> and MySQL, to store an ENCRYPTED password into the database so that if
> someone got into the DB they couldn't read the password but if they enter
> it into the form on the site it still works?
>
>
>
> I'm not sure on the best way to do this and any help would be really
> appreciated.
>
>
>
> Happy New Year everyone.
>
>
>
> Chris

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Encrypting DB content THANK YOU and nlist help

am 31.12.2005 07:32:28 von Chris Payne

Hi there,

Thank you for your help I really appreciate it :-)

I have one last question and you may (Or may not) be able to answer :-) Do
you know how to sort the FTP nlist command? I have it listing the FTP
directory once a video is uploaded and using nlist I can view the ENTIRE
listing, but I just need to be able to grab the latest filename from the
directory so that it can be added to a database.

Any help on that would be fantastic, I've read the PHP manual which is how I
managed to grab the entire directory listing on the server, but I just need
the last modified date to display (The last file uploaded).

Chris


You can store an MD5, or SHA hash of the password, and then compare.. This
is
not an encrypted version of the password, rather a calculated hash of it.
You
can't (well, not without a bit of effort) decrypt this back into the
password.

The idea is when you store the password, you create the hash. Store the hash

in the database. When the user logs in, take their password entry, generate
a
hash in the same way, and compare the two values.

SHA2 is the most secure method to use of these two, I'd use that.

The advantage is, the hash could be freely accessible to anyone, and it
doesn't cause a security issue, whereas all a hacker needs is the key to an

encrypted database of passwords to reveal them all.

That's the route I take anyhow.. This will likely start a huge conversation
about how to secure your system up super tight, but remember the most secure

server is one that isn't turned on. :) A realistic solution is somewhere
in-between this and no security at all.

-Micah


On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> Hi there everyone,
>
>
>
> I am about to launch the website for my complex where the homeowners can
> login and check their billing status etc .. what is the best way, with PHP
> and MySQL, to store an ENCRYPTED password into the database so that if
> someone got into the DB they couldn't read the password but if they enter
> it into the form on the site it still works?
>
>
>
> I'm not sure on the best way to do this and any help would be really
> appreciated.
>
>
>
> Happy New Year everyone.
>
>
>
> Chris


Re: Encrypting DB content THANK YOU and nlist help

am 31.12.2005 07:58:28 von Micah Stevens

No problem. Try adding the -t switch to nlist to sort by file time. If you
require the opposite order, add -r (for reverse)..

nlist -t (order newest first)
nlist -tr (order oldest first)

HTH,
-Micah

On Friday 30 December 2005 10:32 pm, Chris Payne wrote:
> Hi there,
>
> Thank you for your help I really appreciate it :-)
>
> I have one last question and you may (Or may not) be able to answer :-) Do
> you know how to sort the FTP nlist command? I have it listing the FTP
> directory once a video is uploaded and using nlist I can view the ENTIRE
> listing, but I just need to be able to grab the latest filename from the
> directory so that it can be added to a database.
>
> Any help on that would be fantastic, I've read the PHP manual which is how
> I managed to grab the entire directory listing on the server, but I just
> need the last modified date to display (The last file uploaded).
>
> Chris
>
>
> You can store an MD5, or SHA hash of the password, and then compare.. This
> is
> not an encrypted version of the password, rather a calculated hash of it.
> You
> can't (well, not without a bit of effort) decrypt this back into the
> password.
>
> The idea is when you store the password, you create the hash. Store the
> hash
>
> in the database. When the user logs in, take their password entry, generate
> a
> hash in the same way, and compare the two values.
>
> SHA2 is the most secure method to use of these two, I'd use that.
>
> The advantage is, the hash could be freely accessible to anyone, and it
> doesn't cause a security issue, whereas all a hacker needs is the key to
> an
>
> encrypted database of passwords to reveal them all.
>
> That's the route I take anyhow.. This will likely start a huge conversation
> about how to secure your system up super tight, but remember the most
> secure
>
> server is one that isn't turned on. :) A realistic solution is somewhere
> in-between this and no security at all.
>
> -Micah
>
> On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> > Hi there everyone,
> >
> >
> >
> > I am about to launch the website for my complex where the homeowners can
> > login and check their billing status etc .. what is the best way, with
> > PHP and MySQL, to store an ENCRYPTED password into the database so that
> > if someone got into the DB they couldn't read the password but if they
> > enter it into the form on the site it still works?
> >
> >
> >
> > I'm not sure on the best way to do this and any help would be really
> > appreciated.
> >
> >
> >
> > Happy New Year everyone.
> >
> >
> >
> > Chris

Re: Encrypting DB content

am 31.12.2005 09:49:14 von Richard Dyce

On 31 Dec 2005, at 04:15, "Chris Payne" wrote:

> I am about to launch the website for my complex where the
> homeowners can
> login and check their billing status etc .. what is the best way,
> with PHP
> and MySQL, to store an ENCRYPTED password into the database so that if
> someone got into the DB they couldn't read the password but if they
> enter it
> into the form on the site it still works?

The trick is not to store a plain password in the db, but an
encrypted one. When
you store the password in the user record use something like

mysql> insert into users (username, password) values ('dd', old_password('1234'));

That gets you...

mysql> select * from users;
+----------+----------------------+
| username | password             |
+----------+----------------------+
| dd       | 446a12100c856ce9     |
+----------+----------------------+
1 row in set (0.24 sec)


Then to check if a user is valid, you just have to do a search to
check validity:

mysql> select * from users where username = 'dd' and password = old_password('1234');

This does require you to have a password replacement page - which
means emailing them a new one (as you can't recover the old one from
the db).

Hope that's some help,

R


Re: Encrypting DB content

am 31.12.2005 17:39:36 von Bastien Koert

As an addition to this, I would suggest that you 'SALT' the value before
hashing it. There are already tables out there that contain reverse
look-ups of common hash values (like names, states, dictionary words). A
SALT is a random set of characters (use the same one for each value to be
MD5'd or you'll never be able to match it back) that alters the hash value
of the base password the users provide. You can prepend and append the hash
values to the value to be MD5'd to make it more secure.

Bastien


>From: Micah Stevens
>To: php-db@lists.php.net
>Subject: Re: [PHP-DB] Encrypting DB content
>Date: Fri, 30 Dec 2005 22:12:38 -0800
>
>
>You can store an MD5, or SHA hash of the password, and then compare.. This
>is
>not an encrypted version of the password, rather a calculated hash of it.
>You
>can't (well, not without a bit of effort) decrypt this back into the
>password.
>
>The idea is when you store the password, you create the hash. Store the
>hash
>in the database. When the user logs in, take their password entry, generate
>a
>hash in the same way, and compare the two values.
>
>SHA2 is the most secure method to use of these two, I'd use that.
>
>The advantage is, the hash could be freely accessible to anyone, and it
>doesn't cause a security issue, whereas all a hacker needs is the key to
>an
>encrypted database of passwords to reveal them all.
>
>That's the route I take anyhow.. This will likely start a huge conversation
>about how to secure your system up super tight, but remember the most
>secure
>server is one that isn't turned on. :) A realistic solution is somewhere
>in-between this and no security at all.
>
>-Micah
>
>
>On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> > Hi there everyone,
> >
> >
> >
> > I am about to launch the website for my complex where the homeowners can
> > login and check their billing status etc .. what is the best way, with
>PHP
> > and MySQL, to store an ENCRYPTED password into the database so that if
> > someone got into the DB they couldn't read the password but if they
>enter
> > it into the form on the site it still works?
> >
> >
> >
> > I'm not sure on the best way to do this and any help would be really
> > appreciated.
> >
> >
> >
> > Happy New Year everyone.
> >
> >
> >
> > Chris
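As an added example (not code from any poster in this thread), here is the store-then-compare flow Micah describes, with the salt Bastien recommends, written for PHP 7 and later with PDO. An in-memory SQLite database stands in for MySQL so the script runs on its own; the DSN, the `users` table, the function names (`open_db`, `register`, `login`) and the sample accounts are all assumptions made for the example. `password_hash()` generates a random per-user salt and embeds it in the stored string, so unlike Richard's `old_password()` query the lookup fetches the row by username and the comparison happens in PHP.

```php
<?php
// Added example, not code from the thread: salted password storage and
// login check in PHP 7+ with PDO. An in-memory SQLite database stands in
// for MySQL so the script runs on its own (swap the DSN for a mysql: one).
// password_hash() picks a random salt per user and stores it inside the
// hash string, so two users with the same password get different hashes
// and a lookup table built for one hash says nothing about the other.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');                  // assumed DSN for the example
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// Store the salted hash, never the password itself.
function register(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);   // bcrypt, random salt
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Fetch the row by username only and compare in PHP. Putting the hash into
// the WHERE clause, as the old_password() query does, only works when the
// hash is unsalted, which is exactly what precomputed lookup tables rely on.
function login(PDO $db, string $username, string $password): bool {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: verify against a dummy hash anyway so the failure
        // takes as long as a wrong password for a real user would.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password']);  // constant-time compare
}

$db = open_db();
register($db, 'dd', '1234');      // constructed sample accounts
register($db, 'ee', '1234');

var_dump(login($db, 'dd', '1234'));
var_dump(login($db, 'dd', '12345'));
var_dump(login($db, 'nobody', '1234'));

// Same password, different stored values: the salt differs per user.
$hashes = $db->query('SELECT password FROM users ORDER BY username')
             ->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
```

Run from the command line, the three logins print true, false and false, and the final check prints true because the two accounts with the same password hold different hashes. Compared with a bare MD5/SHA or `OLD_PASSWORD()` value, this gives a random salt per user and a deliberately slow hash (bcrypt), and the dummy verify keeps a failed login for an unknown username from returning noticeably faster than a wrong password for a real one. Richard's caveat still holds: the original password cannot be recovered from the stored value, so a reset flow is needed.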

Re: Encrypting DB content

am 31.12.2005 19:27:01 von Micah Stevens

Yes, Great suggestion. This is the way the UNIX passwd function works, and
you'll notice no one has hacked that recently as opposed to the windows
password function.

hehe..

-Micah


On Saturday 31 December 2005 8:39 am, Bastien Koert wrote:
> As an addition to this, I would suggest that you 'SALT' the value before
> hashing it. There are already tables out there that contain reverse
> look-ups of common hash values (like names, states, dictionary words). A
> SALT is a random set of characters (use the same one for each value to be
> MD5'd or you'll never be able to match it back) that alters the hash value
> of the base password the users provide. You can prepend and append the hash
> values to the value to be MD5'd to make it more secure.
>
> Bastien
>
> >From: Micah Stevens
> >To: php-db@lists.php.net
> >Subject: Re: [PHP-DB] Encrypting DB content
> >Date: Fri, 30 Dec 2005 22:12:38 -0800
> >
> >
> >You can store an MD5, or SHA hash of the password, and then compare.. This
> >is
> >not an encrypted version of the password, rather a calculated hash of it.
> >You
> >can't (well, not without a bit of effort) decrypt this back into the
> >password.
> >
> >The idea is when you store the password, you create the hash. Store the
> >hash
> >in the database. When the user logs in, take their password entry,
> > generate a
> >hash in the same way, and compare the two values.
> >
> >SHA2 is the most secure method to use of these two, I'd use that.
> >
> >The advantage is, the hash could be freely accessible to anyone, and it
> >doesn't cause a security issue, whereas all a hacker needs is the key to
> >an
> >encrypted database of passwords to reveal them all.
> >
> >That's the route I take anyhow.. This will likely start a huge
> > conversation about how to secure your system up super tight, but remember
> > the most secure
> >server is one that isn't turned on. :) A realistic solution is somewhere
> >in-between this and no security at all.
> >
> >-Micah
> >
> >On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> > > Hi there everyone,
> > >
> > >
> > >
> > > I am about to launch the website for my complex where the homeowners
> > > can login and check their billing status etc .. what is the best way,
> > > with
> >
> >PHP
> >
> > > and MySQL, to store an ENCRYPTED password into the database so that if
> > > someone got into the DB they couldn't read the password but if they
> >
> >enter
> >
> > > it into the form on the site it still works?
> > >
> > >
> > >
> > > I'm not sure on the best way to do this and any help would be really
> > > appreciated.
> > >
> > >
> > >
> > > Happy New Year everyone.
> > >
> > >
> > >
> > > Chris

RE: Encrypting DB content

am 02.01.2006 08:20:47 von Kosala Atapattu


This is a bit off the topic...but is there a way to encrypt with a key and
decrypt it back to the same value I want to store. My requirement is
something like I want to store salaries of the executives of the
organization in a table, but not even the DBA should be able to see that
except the person who saved it.

Is this possible, through a DB level or using application level
components.

Kosala

> -----Original Message-----
> From: Micah Stevens [mailto:micah@raincross-tech.com]
> Sent: Saturday, December 31, 2005 12:13
> To: php-db@lists.php.net
> Subject: Re: [PHP-DB] Encrypting DB content
>
>
> You can store an MD5, or SHA hash of the password, and then
> compare.. This is not an encrypted version of the password,
> rather a calculated hash of it. You can't (well, not without
> a bit of effort) decrypt this back into the password.
>
> The idea is when you store the password, you create the hash.
> Store the hash in the database. When the user logs in, take
> their password entry, generate a hash in the same way, and
> compare the two values.
>
> SHA2 is the most secure method to use of these two, I'd use that.
>
> The advantage is, the hash could be freely accessible to
> anyone, and it doesn't cause a security issue, whereas all a
> hacker needs is the key to an encrypted database of passwords
> to reveal them all.
>
> That's the route I take anyhow.. This will likely start a
> huge conversation about how to secure your system up super
> tight, but remember the most secure server is one that isn't
> turned on. :) A realistic solution is somewhere in-between
> this and no security at all.
>
> -Micah
>
>
> On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> > Hi there everyone,
> >
> > I am about to launch the website for my complex where the
> homeowners
> > can login and check their billing status etc .. what is the
> best way,
> > with PHP and MySQL, to store an ENCRYPTED password into the
> database
> > so that if someone got into the DB they couldn't read the
> password but
> > if they enter it into the form on the site it still works?
> >
> > I'm not sure on the best way to do this and any help would
> be really
> > appreciated.
> >
> > Happy New Year everyone.
> >
> > Chris



Re: Encrypting DB content

am 02.01.2006 10:51:16 von Julien Bonastre

Easily...


As some people have already pointed out, one of the interesting aspects of 2
way or reversible encryption systems is they provide some form of a key,
that is a unique or variable input which is combined into the encryption
process to create a truly unique encrypted string.


For example in your situation I would use perhaps a password field.

You could even store this password as a hash in your db for login purposes
and still use the password as the 'salt' for your encryption

For example a user may have stored in a DB table their username and a MD5
hash of their password, which you use when they login in order to compare
the MD5 of the password they entered in the login form to the one stored
already in DB.

You can do the same process for their wages.

When they choose to access their wages they can be prompted for their
password and during generation of their wages/salary page you can use their
'plaintext' password as the 'salt' for your encryption function


I'd personally use the mcrypt extension of php:
http://www.php.net/manual/en/ref.mcrypt.php



Tata and good luck!

---oOo--- Allowing users to execute CGI scripts in any directory should only
be considered if: ... a.. You have no users, and nobody ever visits your
server. ... Extracted Quote: Security Tips - Apache HTTP Server ---oOo---
------oOo---------------oOo------
Julien Bonastre [The_RadiX]
The-Spectrum Network CEO
ABN: 64 235 749 494
julien@the-spectrum.org
www.the-spectrum.org
------oOo---------------oOo------
----- Original Message -----
From: "Kosala Atapattu"
To: "Micah Stevens" ;
Sent: Monday, January 02, 2006 5:20 PM
Subject: RE: [PHP-DB] Encrypting DB content


This is a bit off the topic...but is there a way to encrypt with a key and
decrypt it back to the same value I want to store. My requirement is
something like I want to store salaries of the executives of the
organization in a table, but not even the DBA should be able to see that
except the person who saved it.

Is this possible, through a DB level or using application level
components.

Kosala

> -----Original Message-----
> From: Micah Stevens [mailto:micah@raincross-tech.com]
> Sent: Saturday, December 31, 2005 12:13
> To: php-db@lists.php.net
> Subject: Re: [PHP-DB] Encrypting DB content
>
>
> You can store an MD5, or SHA hash of the password, and then
> compare.. This is not an encrypted version of the password,
> rather a calculated hash of it. You can't (well, not without
> a bit of effort) decrypt this back into the password.
>
> The idea is when you store the password, you create the hash.
> Store the hash in the database. When the user logs in, take
> their password entry, generate a hash in the same way, and
> compare the two values.
>
> SHA2 is the most secure method to use of these two, I'd use that.
>
> The advantage is, the hash could be freely accessible to
> anyone, and it doesn't cause a security issue, whereas all a
> hacker needs is the key to an encrypted database of passwords
> to reveal them all.
>
> That's the route I take anyhow.. This will likely start a
> huge conversation about how to secure your system up super
> tight, but remember the most secure server is one that isn't
> turned on. :) A realistic solution is somewhere in-between
> this and no security at all.
>
> -Micah
>
>
> On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> > Hi there everyone,
> >
> >
> >
> > I am about to launch the website for my complex where the
> homeowners
> > can login and check their billing status etc .. what is the
> best way,
> > with PHP and MySQL, to store an ENCRYPTED password into the
> database
> > so that if someone got into the DB they couldn't read the
> password but
> > if they enter it into the form on the site it still works?
> >
> >
> >
> > I'm not sure on the best way to do this and any help would
> be really
> > appreciated.
> >
> >
> >
> > Happy New Year everyone.
> >
> >
> >
> > Chris
>
> --
> PHP Database Mailing List (http://www.php.net/) To
> unsubscribe, visit: http://www.php.net/unsub.php
>
>





RE: Encrypting DB content

am 02.01.2006 16:45:16 von Bastien Koert

yes, have a look at mcrypt(www.php.net/mcrypt) and
decrypt(www.php.net/decrypt)

Bastien

>From: "Kosala Atapattu"
>To: "Micah Stevens" ,
>Subject: RE: [PHP-DB] Encrypting DB content
>Date: Mon, 2 Jan 2006 13:20:47 +0600
>
>This is a bit off the topic...but is there a way to encrypt with a key and
>decrypt it back to the same value I want to store. My requirement is
>something like I want to store salaries of the executives of the
>organization in a table, but not even the DBA should be able to see that
>except the person who saved it.
>
>Is this possible, through a DB level or using application level
>components.
>
>Kosala
>
> > -----Original Message-----
> > From: Micah Stevens [mailto:micah@raincross-tech.com]
> > Sent: Saturday, December 31, 2005 12:13
> > To: php-db@lists.php.net
> > Subject: Re: [PHP-DB] Encrypting DB content
> >
> >
> > You can store an MD5, or SHA hash of the password, and then
> > compare.. This is not an encrypted version of the password,
> > rather a calculated hash of it. You can't (well, not without
> > a bit of effort) decrypt this back into the password.
> >
> > The idea is when you store the password, you create the hash.
> > Store the hash in the database. When the user logs in, take
> > their password entry, generate a hash in the same way, and
> > compare the two values.
> >
> > SHA2 is the most secure method to use of these two, I'd use that.
> >
> > The advantage is, the hash could be freely accessible to
> > anyone, and it doesn't cause a security issue, whereas all a
> > hacker needs is the key to an encrypted database of passwords
> > to reveal them all.
> >
> > That's the route I take anyhow.. This will likely start a
> > huge conversation about how to secure your system up super
> > tight, but remember the most secure server is one that isn't
> > turned on. :) A realistic solution is somewhere in-between
> > this and no security at all.
> >
> > -Micah
> >
> >
> > On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> > > Hi there everyone,
> > >
> > >
> > >
> > > I am about to launch the website for my complex where the
> > homeowners
> > > can login and check their billing status etc .. what is the
> > best way,
> > > with PHP and MySQL, to store an ENCRYPTED password into the
> > database
> > > so that if someone got into the DB they couldn't read the
> > password but
> > > if they enter it into the form on the site it still works?
> > >
> > >
> > >
> > > I'm not sure on the best way to do this and any help would
> > be really
> > > appreciated.
> > >
> > >
> > >
> > > Happy New Year everyone.
> > >
> > >
> > >
> > > Chris
> >
> > --
> > PHP Database Mailing List (http://www.php.net/) To
> > unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>


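An added example, not code from Julien, Bastien or anyone else in the thread, of the reversible, keyed encryption Kosala asks about and that both replies point at mcrypt for. It uses PHP's bundled libsodium extension (PHP 7.2 and later) instead of the mcrypt extension, which has since been removed from PHP core. Following Julien's idea of keying the encryption on the owner's password, the key is derived from the passphrase with a random per-record salt (Argon2id via `sodium_crypto_pwhash`) rather than using the password itself as the salt, and the value is sealed with an authenticated cipher (`sodium_crypto_secretbox`), so a modified row fails to decrypt instead of silently decrypting to garbage. The function names `seal_value` and `open_value`, the salary figure and the passphrase are constructed for the example.

```php
<?php
// Added example, not code from the thread: encrypt a field so that only the
// person who knows the passphrase can read it back, not the DBA. Uses
// ext/sodium (bundled with PHP >= 7.2); mcrypt was removed from PHP core in
// 7.2. Key derivation: Argon2id from the passphrase plus a random salt.
// Encryption: XSalsa20-Poly1305 secretbox, which also authenticates the data.

function seal_value(string $plaintext, string $passphrase): string {
    $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);      // fresh per record
    $key = sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $passphrase,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // never reused with a key
    $box = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($key);
    // Stored layout: salt || nonce || ciphertext+tag, base64 for a TEXT column.
    return base64_encode($salt . $nonce . $box);
}

// Returns the plaintext, or null if the passphrase is wrong or the stored
// value was altered (the Poly1305 tag no longer verifies).
function open_value(string $stored, string $passphrase): ?string {
    $raw = base64_decode($stored, true);
    $saltLen = SODIUM_CRYPTO_PWHASH_SALTBYTES;
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $minLen = $saltLen + $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $salt = substr($raw, 0, $saltLen);
    $nonce = substr($raw, $saltLen, $nonceLen);
    $box = substr($raw, $saltLen + $nonceLen);
    $key = sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $passphrase,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    sodium_memzero($key);
    return $plain === false ? null : $plain;
}

// Constructed sample: a salary figure and the owner's passphrase.
$passphrase = 'correct horse battery staple';
$stored = seal_value('125000', $passphrase);   // this is all the DBA can see

var_dump(open_value($stored, $passphrase));
var_dump(open_value($stored, 'wrong passphrase'));

// Flip one bit of the stored ciphertext: authentication fails, nothing leaks.
$tampered = base64_decode($stored);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);
var_dump(open_value(base64_encode($tampered), $passphrase));
```

With the right passphrase `open_value` returns the string 125000; the wrong passphrase and the tampered copy both return null. What the table holds is salt, nonce and ciphertext only, so reading it with DBA privileges yields nothing usable. Two caveats for the salary use case: the plaintext exists in the application's memory whenever the owner views it, so the web server and not just the database is in scope for "not even the DBA"; and if the owner forgets the passphrase the value is gone, since no other copy of the key exists to recover it with.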