From: Ed Wang
Date: August 24 2000 8:37pm
Subject: Re: Security alert: phpmyadmin
List-Archive: http://lists.mysql.com/mysql/48838
Message-Id: <39A5877E.467B43A6@homepagecorp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Michael Widenius wrote:
>
> The encrypted password is the real password in MySQL; The password is
> only encrypted to not let one guess your real password;

Does this mean that when connecting to MySQL using perl (or even the
MySQL client) over a network, the following occurs?

DBD::mysql first encrypts the password.
It then sends the encrypted password to the MySQL server.
The MySQL server compares it to the stored encrypted password.
If they match, let the user in.

If so, couldn't someone sniff the packets and get the encrypted password
anyway?

- Ed Wang
--
Software Engineer
ed@stripped
HomePage.com
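
Added example, not part of the original message and not MySQL's actual wire protocol: a toy model of the exchange the question describes (a fixed hashed password sent and compared), next to a nonce-based challenge-response for contrast. SHA-256, HMAC and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

def stored_hash(password: str) -> bytes:
    # Stand-in for the server's stored "encrypted password" (SHA-256 is an assumption).
    return hashlib.sha256(password.encode()).digest()

class StaticHashServer:
    """Scheme as described in the question: client sends the hash, server compares."""
    def __init__(self, password: str):
        self.stored = stored_hash(password)

    def login(self, wire_value: bytes) -> bool:
        return hmac.compare_digest(wire_value, self.stored)

class ChallengeServer:
    """Contrast: server issues a fresh nonce and the client answers HMAC(hash, nonce)."""
    def __init__(self, password: str):
        self.stored = stored_hash(password)
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def login(self, response: bytes) -> bool:
        if self.nonce is None:
            return False
        expected = hmac.new(self.stored, self.nonce, hashlib.sha256).digest()
        self.nonce = None  # each nonce is valid for one attempt only
        return hmac.compare_digest(response, expected)

def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(stored_hash(password), nonce, hashlib.sha256).digest()

def demo():
    pw = "constructed-sample-password"  # constructed sample value
    # Static scheme: the value seen on the wire is the same on every login,
    # so presenting it again is accepted.
    static = StaticHashServer(pw)
    wire_value = stored_hash(pw)
    static_replay_accepted = static.login(wire_value)
    # Challenge-response: the wire value is bound to one nonce.
    server = ChallengeServer(pw)
    response = client_response(pw, server.challenge())
    first_login = server.login(response)
    server.challenge()                      # new session, new nonce
    replay_accepted = server.login(response)
    return static_replay_accepted, first_login, replay_accepted
```

In both models the stored hash stays password-equivalent, which matches the quoted remark: whoever holds it can authenticate, so the nonce only protects the value in transit.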