From: Rolf Hopkins
Date: August 25 2000 12:34am
Subject: Re: Security alert: phpmyadmin
List-Archive: http://lists.mysql.com/mysql/48861
Message-Id: <012101c00e2c$41088080$5e00a8c0@waytech>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

> Michael Widenius wrote:
> >
> > The encrypted password is the real password in MySQL; The password is
> > only encrypted to not let one guess your real password;
>
> Does this mean that when connecting to MySQL using perl (or even the
> MySQL client) over a network, the following occurs?
>
> DBD::mysql first encrypts the password.
> It then sends the encrypted password to the MySQL server.
> The MySQL server compares it to the stored encrypted password.
> If they match, let the user in.
>
> If so, couldn't someone sniff the packets and get the encrypted password
> anyway?

I would have thought that the password would get sent to the mysql server
before being encrypted for comparison!!!

Cheers
Rolf