List: General Discussion
From: Don Read
Date: September 5 1999 10:47pm
Subject: RE: Longevity of the PASSWORD() Function
On 05-Sep-99 Stefan Tryggvason wrote:
> Hi everyone,
> 
> I'm currently coding a large MySQL database-backed web site using primarily
> PHP3.  Since the site will use a username / password account system, I need
> a way of encrypting each user's password in the database to up the security
> of the site a little.  I am considering using the MySQL PASSWORD function to
> accomplish this, but, as I understand it, it is one-way encryption.  This is not
> a problem as myself, and the other administrators of the site don't really
> need to know the passwords for anyone's account.  What would cause problems
> however, is if the PASSWORD function was updated in the future, since then,
> when passwords entered by users are encrypted to check against the stored
> version, they would not be the same.
> 
> My question(s) are as follows.
> 1) If the MySQL PASSWORD function was updated, would the old PASSWORD
> function remain?
> 2) Given that the function is a one-way encryption algorithm, what would
> happen to people's existing passwords if the function were updated?
> 3) Am I on completely the wrong track here, and is there a far better way of
> implementing this sort of system?  I have Perl/CGI, C/C++, PHP3 etc. access on
> my server, but I'm not sure to what degree they will tolerate recompiling
> their programs with my extensions and so on.
> 

I let PHP crypt handle it; it knows about DES, MD5, and BLOWFISH.
This way I can sync the passwd database to my NIS.

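function checklogin($user,$passwd) {
  dbInit();
  unset($salt);
  /* $user goes inside a quoted SQL string, so escape it first
     (leave this out if magic_quotes_gpc already escaped the input) */
  $quser = addslashes($user);

  /* find the 'salt' from the passwd for the login: the stored crypt()
     string begins with its own salt, so it is handed back to crypt() */
  $query = sprintf("select pass as salt from passwd where login='%s' limit 1", $quser);
  $result = mysql_db_query("auth", $query);
  $row = mysql_fetch_object($result);
  if ($row)
    $salt = $row->salt;

  if (isset($salt)) {
    $encpwd = crypt($passwd, $salt);        /* crypt the passwd */

    /* a row comes back only if the stored hash equals the recomputed one */
    $query = sprintf("select login from passwd where login='%s' and pass='%s'", $quser, $encpwd);
    $result = mysql_db_query("auth", $query);
    $row = mysql_fetch_object($result);
    if ($row) {
      dbLog($user, "Login");
      return(0);        /* 0 = login accepted */
    }
  }
  return(1);            /* 1 = login refused */
}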

dbInit & dbLog are your routines ...

Regards,
---
Don Read                                 dread@stripped
EDP Manager                                  dread@stripped
Calcasieu Lumber Co.                               Austin TX
-- But I'm in good company, sendmail has kicked a great many 
     butts in the past
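
An added example, not part of the original post and not Don Read's code: the same crypt()-based check written for current PHP, showing why a stored crypt string keeps verifying after the default algorithm changes (the longevity question asked above) and how to upgrade it at login. The function name check_login, the in-memory SQLite database (needs the pdo_sqlite extension) and the sample accounts are assumptions; the passwd table with its login and pass columns follows the post.

```php
<?php
// Added example. check_login() is a hypothetical name; the SQLite database
// and the accounts in it are constructed sample data.

function check_login(PDO $db, string $user, string $passwd): bool {
    // Bound parameter: $user is sent as data, never as part of the SQL text.
    $st = $db->prepare('SELECT pass FROM passwd WHERE login = ? LIMIT 1');
    $st->execute([$user]);
    $stored = $st->fetchColumn();
    if ($stored === false) {
        return false;                       // unknown login
    }
    // The stored string names its own scheme and salt ("$1$salt$..."), so
    // password_verify() re-runs crypt() with those parameters and compares
    // in constant time. Old hashes keep working when the default changes.
    if (!password_verify($passwd, $stored)) {
        return false;
    }
    // Upgrade path: the plaintext is available only now, so replace a hash
    // from an older scheme with one from the current default.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $up = $db->prepare('UPDATE passwd SET pass = ? WHERE login = ?');
        $up->execute([password_hash($passwd, PASSWORD_DEFAULT), $user]);
    }
    return true;
}

function stored_scheme(PDO $db, string $user): string {
    $st = $db->prepare('SELECT pass FROM passwd WHERE login = ?');
    $st->execute([$user]);
    return substr((string) $st->fetchColumn(), 0, 4);   // scheme prefix only
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE passwd (login TEXT PRIMARY KEY, pass TEXT NOT NULL)');

// Constructed legacy rows: MD5-crypt hashes as an old crypt() call stored them.
$ins = $db->prepare('INSERT INTO passwd VALUES (?, ?)');
$ins->execute(['alice', crypt('correct horse', '$1$constrct$')]);
$ins->execute(["o'brien", crypt('battery staple', '$1$sample00$')]);

var_dump(stored_scheme($db, 'alice'));                      // scheme before login
var_dump(check_login($db, 'alice', 'wrong guess'));         // bad password
var_dump(check_login($db, 'alice', 'correct horse'));       // good password, triggers rehash
var_dump(stored_scheme($db, 'alice'));                      // scheme after login
var_dump(check_login($db, 'alice', 'correct horse'));       // upgraded hash still verifies
var_dump(check_login($db, "o'brien", 'battery staple'));    // quote in login handled as data
```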