List:General Discussion« Previous MessageNext Message »
From:Paul DuBois Date:January 17 2000 2:01am
Subject:Re: Using an Encrypted Password Value Returned from a Web Query
View as plain text  
At 4:42 PM +0200 2000-01-16, <sinisa@stripped> wrote:
>Van writes:
>  > Greets all:
>  >
>  > I've got the following query issued via PHP3 to the MySQL server (3.23.27)
>  > via a generic user with select perms on the MySQL dbase.  The purpose of
>  > this user is to read the MySQL table to determine if a user and host
>  > exists with appropriate permissions, and, if it equals the previously
>  > authenticated user, retrieve the password into a variable to execute an
>  > insert on another table if the permissions allow them to do so.
>  >
>  > $rs = mysql_db_query("mysql",
>  >	"SELECT * FROM user
>  >	WHERE user='$REMOTE_USER' AND host='localhost'");
>  >
>  > Does the generic user select;
>  >
>  > while($row = mysql_fetch_array($rs)) {
>  >	$upasswd=$row[2];
>  > }
>  >
>  >
>  > $link = mysql_connect($dbhost, $REMOTE_USER, $upasswd);
>  >
>  > ^
>  > |
>  > The above fails, because the $upasswd variable contains a cleartext
>  > password retrieved from the preceding select. 
>  >
>  > The Question:
>  >
>  > What's the best way to unencrypt (if this approach is necessary), or
>  > otherwise pass this connection through such that the password retrieved in
>  > the preceding select matches the encrypted mysql password for this user.
>  >
>  > Thanks if anyone can help me get unlost.
>  >
>  > Regards,
>  > Van
>
>HI!
>
>MySQL password is decrypted in a manner very similar to how crypt()
>password is decrypted. You provide the exact unencrypted password and
>if the output of the function matches input 100 %, you have got it !!
>
>So, the only way for you to accomplish what you need is not to do
>select over user table, but to run `show grants for user@host' command
>available since 3.23.4 MySQL version !!


I don't understand this.
SHOW GRANTS returns the encrypted string, that doesn't give you back the
password of the user.  (Good thing, that would be a big security hole.)

In reply to the original question, PASSWORD() encryption is one way.
It's not *supposed* to be decryptable.  You have to know the original
password.  Then that password is *encrypted* and the result compared
to what's in the user table.  If they match, the password was correct.
There is no decryption involved (that I know of).

-- 
Paul DuBois, paul@stripped
Thread
Using an Encrypted Password Value Returned from a Web QueryVan16 Jan
  • Re: Using an Encrypted Password Value Returned from a Web Querysinisa16 Jan
    • Re: Using an Encrypted Password Value Returned from a Web QueryPaul DuBois17 Jan
  • Re: Using an Encrypted Password Value Returned from a Web QueryVan17 Jan
  • Re: Using an Encrypted Password Value Returned from a Web QueryFaisal Nasim17 Jan
  • Re: Using an Encrypted Password Value Returned from a Web Querysven17 Jan
  • Re: Using an Encrypted Password Value Returned from a Web QuerySasha Pachev17 Jan
  • Can't and Shouldn't be Done (Was: Using an Encrypted Password Value Returned from a Web Query)Van18 Jan
  • Re: Using an Encrypted Password Value Returned from a Web QueryVan18 Jan