Passwords

Passwords

on 09.03.2006 00:34:25 by Benjamin Stambaugh

Hi,

I have created a user login/registration page. As of now I am using a
MySQL database to store the info of the user. To validate the user I
also have the password stored in the same DB. I was wondering if there
is a way that I can store the password in the DB so that it is
encrypted or something. Just so it is not in plain text.

Ben

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Passwords

on 09.03.2006 01:02:43 by LarryUllman

> I have created a user login/registration page. As of now I am
> using a MySQL database to store the info of the user. To validate
> the user I also have the password stored in the same DB. I was
> wondering if there is a way that I can store the password in the DB
> so that it is encrypted or something. Just so it is not in plain
> text.

Of course. Check out any of MySQL's encryption functions. Make sure
that you use the same function and parameters for both the
registration and the login or else the login will never work.

Larry


RE: Passwords

on 09.03.2006 01:30:30 by Bastien Koert

I tend to use a hash value (like MD5) to one-way encrypt it...

If you combine it with a salt value (some random string that is consistent
in the app) then it is reasonably secure from being hacked... ex.

$salt = '1234567890';

$pass = md5($salt.$_POST['password']);


bastien

>From: Benjamin Stambaugh
>To: "php-db@lists.php.net"
>Subject: [PHP-DB] Passwords
>Date: Wed, 08 Mar 2006 18:34:25 -0500
>
>Hi,
>
>I have created a user login/registration page. As of now I am using a
>MySQL database to store the info of the user. To validate the user I also
>have the password stored in the same DB. I was wondering if there is a way
>that I can store the password in the DB so that it is encrypted or
>something. Just so it is not in plain text.
>
>Ben
>
>
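
Added example (not part of the original thread or any poster's code): the fixed-salt MD5 scheme above gives every user with the same password the same stored value, whereas PHP's password_hash(), available from PHP 5.5, generates a random salt per password and uses a deliberately slow algorithm. The users table, the register() and login() helpers and the sample accounts are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not code from the thread. Table and function names are hypothetical.
// SQLite in memory stands in for the MySQL users table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name VARCHAR(64) PRIMARY KEY, pass_hash VARCHAR(255) NOT NULL)');

function register(PDO $db, string $name, string $password): void
{
    // password_hash() picks a fresh random salt per call and embeds the
    // algorithm, cost and salt in the returned string, so one column is enough.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

function login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($password, $stored)) {
        return false;   // unknown user and wrong password get the same answer
    }
    // Upgrade the stored hash when PHP's default algorithm or cost has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pass_hash = ? WHERE name = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

// Constructed sample accounts: two users who chose the same password.
register($db, 'alice', 'correct horse');
register($db, 'bob', 'correct horse');

// The thread's scheme for comparison: one application-wide salt, fast MD5.
$salt = '1234567890';
$legacyAlice = md5($salt . 'correct horse');
$legacyBob   = md5($salt . 'correct horse');
var_dump($legacyAlice === $legacyBob);   // do equal passwords show up as equal digests?

// With per-password salts, compare the two stored values the same way.
$rows = $db->query('SELECT pass_hash FROM users ORDER BY name')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows[0] === $rows[1]);
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong guess'));
```

With MySQL only the PDO DSN changes; keep the pass_hash column at VARCHAR(255), the width the PHP manual suggests, because the hash format can grow when the default algorithm changes.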


Re: Passwords

on 09.03.2006 14:23:07 by mlists

Benjamin Stambaugh wrote:
> Hi,
>
> I have created a user login/registration page. As of now I am using a
> MySQL database to store the info of the user. To validate the user I
> also have the password stored in the same DB. I was wondering if there
> is a way that I can store the password in the DB so that it is encrypted
> or something. Just so it is not in plain text.

Sure, mysql.com and search for crypt. Not sure why this is asked on a
PHP list since it has nothing to do with PHP.


Re: Passwords

on 10.03.2006 00:10:22 by Bastien Koert

Not PHP?

http://us3.php.net/crypt

Bastien


>From: "JupiterHost.Net"
>To: "php-db@lists.php.net"
>Subject: Re: [PHP-DB] Passwords
>Date: Thu, 09 Mar 2006 07:23:07 -0600
>
>
>
>Benjamin Stambaugh wrote:
>>Hi,
>>
>>I have created a user login/registration page. As of now I am using a
>>MySQL database to store the info of the user. To validate the user I also
>>have the password stored in the same DB. I was wondering if there is a
>>way that I can store the password in the DB so that it is encrypted or
>>something. Just so it is not in plain text.
>
>Sure, mysql.com and search for crypt. Not sure why this is asked on a PHP
>list since it has nothing to do with PHP.
>

Re: Passwords

on 10.03.2006 02:07:11 by mlists

Bastien Koert wrote:

> Not PHP?

Correct, not PHP. Most DB engines have built-in encryption functions for
use in their INSERT (i.e. "store the password in the DB so that it is
encrypted") and SELECT (for verifying it with the same function you used
in INSERT)

> http://us3.php.net/crypt


yes "Not PHP":

a) crypt() has nothing to do with a query
b) every language has a crypt function

The question has more to do with a general idea of how to accomplish a
task, the most suitable answer is to be had in their DB
documentation, since data should be independent of the language handling
it (whether it is a real language like C or Perl or a wannabe duct-taped
hack like PHP - no need for flames, I won't listen or care ;p)


Re: Passwords

on 10.03.2006 03:59:18 by Bastien Koert

Merely commenting that it's not only DBs that can do the encrypting.

Bastien


>From: "JupiterHost.Net"
>To: php-db@lists.php.net
>Subject: Re: [PHP-DB] Passwords
>Date: Thu, 09 Mar 2006 19:07:11 -0600
>
>
>
>Bastien Koert wrote:
>
>>Not PHP?
>
>Correct, not PHP. Most DB engines have built-in encryption functions for use
>in their INSERT (i.e. "store the password in the DB so that it is encrypted")
>and SELECT (for verifying it with the same function you used in INSERT)
>
>>http://us3.php.net/crypt
>
>
>yes "Not PHP":
>
> a) crypt() has nothing to do with a query
> b) every language has a crypt function
>
>The question has more to do with a general idea of how to accomplish a
>task, the most suitable answer is to be had in their DB documentation,
>since data should be independent of the language handling it (whether it is a
>real language like C or Perl or a wannabe duct-taped hack like PHP - no
>need for flames, I won't listen or care ;p)
>

RE: Passwords

on 10.03.2006 16:16:28 by Dwight Altman

>>Sure, mysql.com and search for crypt. Not sure why this is asked on a
>>PHP list since it has nothing to do with PHP.

> b) every language has a crypt function

Then I guess it's okay to have crypt questions/answers on "every language"
list.

-----Original Message-----
From: JupiterHost.Net [mailto:mlists@jupiterhost.net]
Sent: Thursday, March 09, 2006 7:07 PM
To: php-db@lists.php.net
Subject: Re: [PHP-DB] Passwords



Bastien Koert wrote:

> Not PHP?

Correct, not PHP. Most DB engines have built-in encryption functions for
use in their INSERT (i.e. "store the password in the DB so that it is
encrypted") and SELECT (for verifying it with the same function you used
in INSERT)

> http://us3.php.net/crypt


yes "Not PHP":

a) crypt() has nothing to do with a query
b) every language has a crypt function

The question has more to do with a general idea of how to accomplish a
task, the most suitable answer is to be had in their DB
documentation, since data should be independent of the language handling
it (whether it is a real language like C or Perl or a wannabe duct-taped
hack like PHP - no need for flames, I won't listen or care ;p)


Re: Passwords

on 10.03.2006 16:43:48 by mlists

Dwight Altman wrote:
>>>Sure, mysql.com and search for crypt. Not sure why this is asked on a
>>>PHP list since it has nothing to do with PHP.
>
>
>>b) every language has a crypt function
>
>
> Then I guess it's okay to have crypt questions/answers on "every language"
> list.

Sure whatever, it's just this list is specifically about PHP and DB use
so PHP's crypt() is pretty much the lamest recommendation since most DB
engines have lots of good encryption and you can use it in your queries.

So then they need to look in their DB's documentation for what their
type/version offers. At that point it has 100% nothing to do with PHP :)

If they just want to crypt() some string for an /etc/passwd type system
then they need to post to a PHP basics list not a DB specific one.

Not really a big deal but why have specific lists if they aren't kept
specific :)
