At 4:42 PM +0200 2000-01-16, <sinisa@stripped> wrote:
>Van writes:
> > Greets all:
> >
> > I've got the following query issued via PHP3 to the MySQL server (3.23.27)
> > via a generic user with select perms on the MySQL dbase. The purpose of
> > this user is to read the MySQL table to determine if a user and host
> > exists with appropriate permissions, and, if it equals the previously
> > authenticated user, retrieve the password into a variable to execute an
> > insert on another table if the permissions allow them to do so.
> >
> > $rs = mysql_db_query("mysql",
> > "SELECT * FROM user
> > WHERE user='$REMOTE_USER' AND host='localhost'");
> >
> > Does the generic user select;
> >
> > while($row = mysql_fetch_array($rs)) {
> > $upasswd=$row[2];
> > }
> >
> >
> > $link = mysql_connect($dbhost, $REMOTE_USER, $upasswd);
> >
> > ^
> > |
> > The above fails, because the $upasswd variable contains a cleartext
> > password retrieved from the preceding select.
> >
> > The Question:
> >
> > What's the best way to unencrypt (if this approach is necessary), or
> > otherwise pass this connection through such that the password retrieved in
> > the preceding select matches the encrypted mysql password for this user.
> >
> > Thanks if anyone can help me get unlost.
> >
> > Regards,
> > Van
>
>HI!
>
>MySQL password is decrypted in a manner very similar to how crypt()
>password is decrypted. You provide the exact unencrypted password and
>if the output of the function matches input 100 %, you have got it !!
>
>So, the only way for you to accomplish what you need is not to do
>select over user table, but to run `show grants for user@host' command
>available since 3.23.4 MySQL version !!
I don't understand this.
SHOW GRANTS returns the encrypted string, that doesn't give you back the
password of the user. (Good thing, that would be a big security hole.)
In reply to the original question, PASSWORD() encryption is one way.
It's not *supposed* to be decryptable. You have to know the original
password. Then that password is *encrypted* and the result compared
to what's in the user table. If they match, the password was correct.
There is no decryption involved (that I know of).
--
Paul DuBois, paul@stripped
