Re: MySQL obnoxious question

on 19.02.2008 18:44:36 by Jose Celestino

Words by Mário Gamito [Wed, Feb 20, 2008 at 12:35:26AM +0000]:
> Hi,
>
> Sorry for the little off-topic, but the vpopmail list is kind of dead.
>

So is the diablo mailing list and I don't see any diablo nntp related
questions here.

> I'm running a qmail server with vpopmail with MySQL authentication.
>
> For obnoxious reasons, I'm running a web site in Windows/ASP.NET/C# that
> once a user registers, it inserts in the MySQL qmail server the username,
> password, etc.
>
> It's in the password that the problem lies.
> I need to hash it just before or after the MySQL INSERT statement.
> For that, I have to run a PHP shell script that follows my signature.
>
> Problem is MySQL doesn't run external commands.
>

All that does is generate a random md5 salt and do an md5 crypt of the
password. Why would you want to run that on an external command? I
guess you can easily do it on c#.

>
> <?php
> // Return one random salt character.
> function randltr() {
>     $retval = 'a';
>     $rand = rand() % 64;
>     // chr()/ord() are required: in PHP, $rand + 'a' is numeric addition,
>     // not character arithmetic as in C.
>     if ($rand < 26) $retval = chr($rand + ord('a'));
>     if ($rand > 25) $retval = chr($rand - 26 + ord('A'));
>     if ($rand > 51) $retval = chr($rand - 52 + ord('0'));
>     if ($rand == 62) $retval = ';';
>     if ($rand == 63) $retval = '.';
>     return($retval);
> }
>
> // Build a '$1$' (MD5 crypt) salt and hash $clearpass into $crypted.
> function mkpasswd3(&$clearpass, &$crypted) {
>     srand((int)((double)microtime() * 1000000));
>
>     $salt = '$1$';
>     for ($i = 0; $i < 5; $i++) $salt .= randltr();
>     $salt .= '0';
>     $crypted = crypt($clearpass, $salt);
>     if (strlen($crypted) > 0) return(true);
>     return(false);
> }
>
> $clearpass = 'yeshua';
> $crypted = '';
>
> if (mkpasswd3($clearpass, $crypted))
>     printf("%s -> %s\n", $clearpass, $crypted);
> else
>     echo("Ohoh");
> -

--
Jose Celestino
----------------------------------------------------------------
http://www.msversus.org/ ; http://techp.org/petition/show/1
http://www.vinc17.org/noswpat.en.html
----------------------------------------------------------------
"If you would have your slaves remain docile, teach them hymns."
-- Ed Weathers ("The Empty Box")
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: MySQL obnoxious question

on 19.02.2008 21:55:21 by Jose Celestino

I will reply again once I have received this e-mail. Tomorrow, around
00:35.

Words by Mário Gamito [Wed, Feb 20, 2008 at 12:35:26AM +0000]:
> Hi,
>
> Sorry for the little off-topic, but the vpopmail list is kind of dead.
>

--
Jose Celestino
----------------------------------------------------------------
http://www.msversus.org/ ; http://techp.org/petition/show/1
http://www.vinc17.org/noswpat.en.html
----------------------------------------------------------------
"If you would have your slaves remain docile, teach them hymns."
-- Ed Weathers ("The Empty Box")

Re: MySQL obnoxious question

on 19.02.2008 22:01:51 by adamb

Hi,

Mário Gamito wrote:
> For obnoxious reasons, I'm running a web site in Windows/ASP.NET/C# that
> once a user registers, it inserts in the MySQL qmail server the
> username, password, etc.
>
> It's in the password that the problem lies.
> I need to hash it just before or after the MySQL INSERT statement.
> For that, I have to run a PHP shell script that follows my signature.

There is an encrypt function in MySQL:

http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html#function_encrypt

but it is only available on systems which have a system crypt call (not
Windows according to the docs). However, if your MySQL database is
running on Linux you should be able to just change the insert statement
in the C# code to something like:

insert into user_details values("username", encrypt("password"), ...);

and not bother with the PHP script. If the database is on Windows, then
there are other encryption functions available. There is a User Comment
at the bottom of the above web page (search for "Philip Mather") which
discusses using a trigger to achieve something that sounds similar to
what you want.

There are lots of other options, of course, but my first route would
always be to modify existing code. You might want to be careful,
however, that you aren't breaking any license agreement before going
ahead and modifying anything. If the code is unavailable or protected
then you can just put a trigger on the user_details table in the
database and encrypt the password there.

Hope some of that helps.

Cheers

Adam
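
Added example, not part of the original thread: the two routes Adam describes (ENCRYPT() in the INSERT, or a trigger on user_details) written out for a MySQL 5.0 server on Linux, with an explicit $1$ salt so the stored value has the same MD5-crypt format as the PHP script. The column names and sizes, the trigger name and the sample users are assumptions.

```sql
-- Added example. Column names, sizes and the trigger name are assumptions.
-- ENCRYPT() wraps the server's crypt(); it returns NULL where crypt() is
-- missing, exists in the MySQL 5.0 docs linked above, and was removed in 8.0.
CREATE TABLE user_details (
    username VARCHAR(64) NOT NULL PRIMARY KEY,
    -- binary collation: hash comparisons must be case-sensitive
    password VARCHAR(64) CHARACTER SET ascii COLLATE ascii_bin NOT NULL
);

-- Option 1: hash in the INSERT sent by the C# code, with bound parameters.
-- A salt starting with '$1$' makes glibc crypt() emit MD5 crypt, the format
-- mkpasswd3() produces; RAND() only has to make the salt unique per row.
PREPARE add_user FROM
  'INSERT INTO user_details (username, password)
   VALUES (?, ENCRYPT(?, CONCAT(''$1$'', SUBSTRING(MD5(RAND()), 1, 8))))';
SET @u = 'alice', @p = 'yeshua';          -- constructed sample values
EXECUTE add_user USING @u, @p;
DEALLOCATE PREPARE add_user;

-- Option 2 (instead of option 1, never both): the application inserts the
-- cleartext and a trigger replaces it before the row is stored.
DELIMITER //
CREATE TRIGGER user_details_hash_pw
BEFORE INSERT ON user_details
FOR EACH ROW
BEGIN
    SET NEW.password =
        ENCRYPT(NEW.password, CONCAT('$1$', SUBSTRING(MD5(RAND()), 1, 8)));
END//
DELIMITER ;

INSERT INTO user_details (username, password) VALUES ('bob', 'yeshua');

-- Check: crypt() reads the salt back from the stored hash, so hashing the
-- candidate password with the stored value as salt must reproduce it.
SELECT username,
       password LIKE '$1$%'                   AS is_md5_crypt,
       password = ENCRYPT('yeshua', password) AS password_matches
FROM user_details;
```

With either option the cleartext password is part of the statement the server receives, so it can end up in the general query log or a statement-based binary log; hashing in the C# code before the INSERT keeps it off the database server.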

Re: MySQL obnoxious question

on 19.02.2008 23:22:32 by adamb

Jose Celestino wrote:
>> Problem is MySQL doesn't run external commands.
>>
>
> All that does is generate a random md5 salt and do an md5 crypt of the
> password. Why would you want to run that on an external command? I
> guess you can easily do it on c#.

If you are going to go this route, you might want to take a look at this
port of the crypt function:

http://www.codeproject.com/KB/cs/unixcrypt.aspx

Cheers

Adam

MySQL obnoxious question

on 20.02.2008 00:05:03 by gamito

Hi,

Sorry for the little off-topic, but the vpopmail list is kind of dead.

I'm running a qmail server with vpopmail with MySQL authentication.

For obnoxious reasons, I'm running a web site in Windows/ASP.NET/C# that
once a user registers, it inserts in the MySQL qmail server the
username, password, etc.

It's in the password that the problem lies.
I need to hash it just before or after the MySQL INSERT statement.
For that, I have to run a PHP shell script that follows my signature.

Problem is MySQL doesn't run external commands.

Any ideas?

Any help would be appreciated.

Warm Regards,
Mário Gamito

--


<?php
// Return one random salt character.
function randltr() {
    $retval = 'a';
    $rand = rand() % 64;
    // chr()/ord() are required: in PHP, $rand + 'a' is numeric addition,
    // not character arithmetic as in C.
    if ($rand < 26) $retval = chr($rand + ord('a'));
    if ($rand > 25) $retval = chr($rand - 26 + ord('A'));
    if ($rand > 51) $retval = chr($rand - 52 + ord('0'));
    if ($rand == 62) $retval = ';';
    if ($rand == 63) $retval = '.';
    return($retval);
}

// Build a '$1$' (MD5 crypt) salt and hash $clearpass into $crypted.
function mkpasswd3(&$clearpass, &$crypted) {
    srand((int)((double)microtime() * 1000000));

    $salt = '$1$';
    for ($i = 0; $i < 5; $i++) $salt .= randltr();
    $salt .= '0';
    $crypted = crypt($clearpass, $salt);
    if (strlen($crypted) > 0) return(true);
    return(false);
}

$clearpass = 'yeshua';
$crypted = '';

if (mkpasswd3($clearpass, $crypted))
    printf("%s -> %s\n", $clearpass, $crypted);
else
    echo("Ohoh");

Re: MySQL obnoxious question

on 20.02.2008 03:57:02 by Atishay Kumar

On Feb 20, 2008 3:52 AM, Adam T. Bowen wrote:
>
> Jose Celestino wrote:
> >> Problem is MySQL doesn't run external commands.
> >>
> >
> > All that does is generate a random md5 salt and do an md5 crypt of the
> > password. Why would you want to run that on an external command? I
> > guess you can easily do it on c#.

This one should help, MySQL allows password hashing:
http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html

>
> If you are going to go this route, you might want to take a look at this
> port of the crypt function:
>
> http://www.codeproject.com/KB/cs/unixcrypt.aspx
>
> Cheers
>
> Adam