mysql_connect and encrypted password

on 08.10.2007 17:20:17 by Shmuel

Hello,

Is it possible to give to mysql_connect an encrypted (md5 or sha1)
password?
If not is there a workaround?

I store passwords for users in database and don't want to use plain
text passwords.
Then I use that information to connect to the database. So every user
has his own database.
They are usually not in the same host even. So it would be nice to be
able to give to mysql_connect
an encrypted password instead of the plain one.

Thanks, any help appreciated.

Shmuel

Re: mysql_connect and encrypted password

on 08.10.2007 17:49:49 by Michael Fesser

.oO(Shmuel)

>Is it possible to give to mysql_connect an encrypted (md5 or sha1)
>password?
>If not is there a workaround?
>
>I store passwords for users in database and don't want to use plain
>text passwords.

The passwords in the MySQL user database are already encrypted. Have a
look at the PASSWORD() function.

Micha

Re: mysql_connect and encrypted password

on 08.10.2007 20:49:32 by Shmuel

Thanks for your answer.

What I mean, though, is that I need to connect to the database
with a password that is encrypted, like this:
mysql_connect('host', 'user',
'5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');

I store that password in database, and want to have it encrypted.
I am not talking about passwords that are in the mysql table,
but instead a table of my own that has the user information.

So if somebody gets into my db server, he won't see the passwords as
they are, but instead encrypted.



On Oct 8, 5:49 pm, Michael Fesser wrote:
> .oO(Shmuel)
>
> >Is it possible to give to mysql_connect an encrypted (md5 or sha1)
> >password?
> >If not is there a workaround?
>
> >I store passwords for users in database and don't want to use plain
> >text passwords.
>
> The passwords in the MySQL user database are already encrypted. Have a
> look at the PASSWORD() function.
>
> Micha

Re: mysql_connect and encrypted password

on 08.10.2007 21:28:34 by Michael Fesser

.oO(Shmuel)

>What I mean, though, is that I need to connect to the database
>with a password that is encrypted, like this:
>mysql_connect('host', 'user',
>'5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');

The password is passed as plain text to mysql_connect(), because MySQL
itself encrypts it in order to compare it with the stored password hash.

>I store that password in database, and want to have it encrypted.
>I am not talking about passwords that are in the mysql table,
>but instead a table of my own that has the user information.

Confusing ... If you want to connect with mysql_connect() to the server,
you have to follow MySQL's authentication rules and store encrypted
passwords in its user table. You can't use your own table for that.

Micha

Re: mysql_connect and encrypted password

on 08.10.2007 23:51:57 by Shmuel

> The password is passed as plain text to mysql_connect(), because MySQL
> itself encrypts it in order to compare it with the stored password hash.

Yes I know it works like this, but the thing is that I store user
information in the database like: host, user, pass, etc. and then from a
controller script I retrieve information from the correct database,
according to the details of a certain user. So I don't want them to be
shown as plain text.
So I'm not talking about mysql users, just "users". They happen to be
users that can also connect to the database... also to ftp...


> Confusing ... If you want to connect with mysql_connect() to the server,
> you have to follow MySQL's authentication rules and store encrypted
> passwords in its user table. You can't use your own table for that.


What I would like is to give mysql_connect(), say, a parameter to
tell whether the password I pass to it is encrypted or not.

Shmuel

Re: mysql_connect and encrypted password

on 09.10.2007 02:05:07 by Jerry Stuckle

Shmuel wrote:
>> The password is passed as plain text to mysql_connect(), because MySQL
>> itself encrypts it in order to compare it with the stored password hash.
>
> Yes I know it works like this, but the thing is that I store user
> information in the database like: host, user, pass, etc. and then from a
> controller script I retrieve information from the correct database,
> according to the details of a certain user. So I don't want them to be
> shown as plain text.
> So I'm not talking about mysql users, just "users". They happen to be
> users that can also connect to the database... also to ftp...
>
>
>> Confusing ... If you want to connect with mysql_connect() to the server,
>> you have to follow MySQL's authentication rules and store encrypted
>> passwords in its user table. You can't use your own table for that.
>
>
> What I would like is to give mysql_connect(), say, a parameter to
> tell whether the password I pass to it is encrypted or not.
>
> Shmuel

The mysql_connect() call gets the password your website uses on the
database. That should NOT be the same as your users' passwords.
Rather, it should be something you keep secret from anyone else.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: mysql_connect and encrypted password

on 09.10.2007 08:22:45 by Shmuel

> The mysql_connect() call gets the password your website uses on the
> database. That should NOT be the same as your users' passwords.
> Rather, it should be something you keep secret from anyone else.

Yes, but I connect to the user's database (over the net) dynamically,
getting the values from my database. I'm working on a CMS that
is used to modify data in databases that are not on the same server,
they are wherever the user has them. And also I don't have access
to the mysql database on my hosting provider, so I couldn't store
the user details there.

Re: mysql_connect and encrypted password

on 09.10.2007 13:45:53 by Jerry Stuckle

Shmuel wrote:
>> The mysql_connect() call gets the password your website uses on the
>> database. That should NOT be the same as your users' passwords.
>> Rather, it should be something you keep secret from anyone else.
>
> Yes, but I connect to the user's database (over the net) dynamically,
> getting the values from my database. I'm working on a CMS that
> is used to modify data in databases that are not on the same server,
> they are wherever the user has them. And also I don't have access
> to the mysql database on my hosting provider, so I couldn't store
> the user details there.

First of all, most hosts disallow connections from over the internet,
for security reasons. I know all of my sites are like that. You can
connect from the server Apache is running on, but that's all. So right
there you're going to have a problem.

And you wouldn't store them in the mysql tables, anyway. That would be
the userid and passwords for your MySQL. You store them in your own tables.

And finally, you need to be asking these questions in
comp.databases.mysql. None of this has anything to do with PHP.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: mysql_connect and encrypted password

on 09.10.2007 14:02:56 by colin.mckinnon

On 8 Oct, 19:49, Shmuel wrote:
> Thanks for your answer.
>
> What I mean, though, is that I need to connect to the database
> with a password that is encrypted, like this:
> mysql_connect('host', 'user',
> '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8');
>
> I store that password in database, and want to have it encrypted.
> I am not talking about passwords that are in the mysql table,
> but instead a table of my own that has the user information.
>
> So if somebody gets into my db server, he won't see the passwords as
> they are, but instead encrypted.
>
> On Oct 8, 5:49 pm, Michael Fesser wrote:
>
> > .oO(Shmuel)
>
> > >Is it possible to give to mysql_connect an encrypted (md5 or sha1)
> > >password?
> > >If not is there a workaround?
>
> > >I store passwords for users in database and don't want to use plain
> > >text passwords.
>
> > The passwords in the MySQL user database are already encrypted. Have a
> > look at the PASSWORD() function.
>
> > Micha

You're not making it any more secure by doing that - you've just
changed one password for another.

If you don't want to store the unencrypted password on the filesystem
then you need to encrypt it (reversibly) with something not available
elsewhere - e.g. a user's password supplied in a request. (Putting the
key in the Apache startup env won't help either.) But you're making
your system very complex by doing this.

Find a different way to solve the problem. If it is a problem.

C.
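
The approach described in the last reply (reversible encryption keyed by something the server does not store, such as the user's login password), as an added example that is not code from the thread. It assumes PHP 7.2+ with the sodium extension; the function names and sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Derive a secretbox key from the user's CMS login password (libsodium password hash).
function derive_key(string $loginPassword, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $loginPassword, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Encrypt the remote-database password; the result (salt + nonce + ciphertext) goes in the table.
function seal_db_password(string $dbPassword, string $loginPassword): string
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = derive_key($loginPassword, $salt);
    $box   = sodium_crypto_secretbox($dbPassword, $nonce, $key);
    sodium_memzero($key);
    return base64_encode($salt . $nonce . $box);
}

// Recover the plaintext needed by the connect call. Returns null when the
// login password is wrong or the stored value was truncated or modified.
function open_db_password(string $stored, string $loginPassword): ?string
{
    $raw  = base64_decode($stored, true);
    $head = SODIUM_CRYPTO_PWHASH_SALTBYTES + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if ($raw === false || strlen($raw) < $head + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $salt  = substr($raw, 0, SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = substr($raw, SODIUM_CRYPTO_PWHASH_SALTBYTES, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = derive_key($loginPassword, $salt);
    $plain = sodium_crypto_secretbox_open(substr($raw, $head), $nonce, $key);
    sodium_memzero($key);
    return $plain === false ? null : $plain;
}

// Constructed sample values: seal once, then open with the right and the wrong login password.
$stored = seal_db_password('remote-db-secret', 'login passphrase');
var_dump(open_db_password($stored, 'login passphrase'));
var_dump(open_db_password($stored, 'wrong passphrase'));
```

The stored value is useless to someone who only reads the table, but the plaintext still exists in memory while the request runs. A login-password change has to re-seal every credential stored under the old one.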