CodeCharge Studio

 MD5 Question


Eric
Posted: 04/26/2002, 9:25 AM

Can someone let me know how I tell Code Charge to encrypt passwords when writing them to the database.
I am using PHP w/ Templates and a MySQL backend.

Thanks in advance
Richi Novello
Posted: 04/26/2002, 9:52 AM

md5 is a php function...

// before insert (new record) or before update (update record) event:

$fldfield_name=md5($field_name);

Enjoy
Richi Novello
Posted: 04/26/2002, 10:09 AM

Oops... sorry, a little mistake! I intended to write

$fldfield_name=md5($fldfield_name);

wanaka
Posted: 04/26/2002, 6:12 PM

May I know where to put the md5 in the CCS
George L.
Posted: 04/26/2002, 6:19 PM

How does the password get un-encrypted? Or is this just a way to pass the password encrypted to the database, but it still gets stored as clear? This is a security hole that I don't like. I don't want to be able to see passwords stored in plain-text in my database columns.

I am trying to figure out the best way on how to encrypt passwords upon user creation and store them in my Oracle Database encrypted. The hard part is un-encrypting them.

I use the crypt function to encrypt my passwords, then compare the unencrypted password entered with the encrypted one stored, but I'm still testing/debating whether this will be effective, since crypt is a one-way hashing algorithm.

If anyone could provide some perspective on storing/retrieving/validating encrypted passwords from a DBMS, I would be very grateful.

Maybe CodeCharge or some encryption guru can write an article to post or something.

Thx.
g.
Brent
Posted: 04/26/2002, 8:04 PM

>>How does the password get un-encrypted? Or is this just a way to pass the password
>>encrypted to the database, but it still gets stored as clear?

MD5() is one way encryption. It uses an RSA hash function to translate a string
(or file) into a 32 digit hex number. You do not decrypt it. This ensures
no one, even if they break into your database and see the contents of the member
table, will ever get the original passwords. That is the beauty of it. The passwords
are safe.

So your SQL to check security looks something like:
$sSQL = "SELECT memberhost_id, member_id, security_level FROM member WHERE user_name=" .
        tosql($sLogin, "Text") . " AND user_pw=MD5(" . tosql($sPassword, "Text") . ")";

You will need to modify the generated SQL with something like the one listed above.

When you save the user name and pw in the member table, you must do an MD5()
on the user's password so you only store the 32 digit hex number. You should
probably use MySQL's MD5() function and not PHP so the database is language
independent.

And of course you must protect the transmission of the password from the user's
browser to the server by using HTTPS.

To see how MD5() works, try playing with MySQL's command line prompt with

mysql> select md5("this is a test");
+----------------------------------+
| md5("this is a test")            |
+----------------------------------+
| 54b0c58c7ce9f2a8b551351102ee0938 |
+----------------------------------+

To confuse people even more (and probably yourself), you can concatenate a
string onto your password like:
mysql> select md5(concat("this is a test","secret"));
+----------------------------------------+
| md5(concat("this is a test","secret")) |
+----------------------------------------+
| 3f7b24f2cc7b151de9dd03191d9c7527       |
+----------------------------------------+

This changes the hash even more and requires the hacker to know the "secret"
additional encoding string which is buried somewhere in your code. I don't
recommend doing this (unless you're really paranoid) because you'll probably
forget the secret word and your pw table will be useless, even to you. :)

One more thing MD5() is good for. Let's say you do use Encrypt() for something
else other than passwords. You should run MD5() on the password parameter so
the password is more random.

I hope this helps.
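The scheme described in this thread (hash the password field in a "before insert/update" event, then compare hashes at login, optionally with a concatenated secret) as one PHP example. This is added editorial code, not from the thread or from CodeCharge; the function names are my own, and the hardened variant using PHP's built-in password_hash()/password_verify() is added as the practitioner's alternative, since unsalted MD5 is fast enough to brute-force offline once a table leaks.

```php
<?php
// Added example, not the thread's or CodeCharge's code. Function names are mine.

// The thread's approach: md5(password . secret). With an empty $secret this
// equals MySQL's MD5(), so rows written by either side verify the same way.
function hash_password_md5(string $password, string $secret = ''): string
{
    return md5($password . $secret);
}

// Login check against the stored 32-hex-digit value. hash_equals() compares in
// constant time and avoids PHP's loose == comparison on hex-looking strings.
function verify_password_md5(string $password, string $stored, string $secret = ''): bool
{
    return hash_equals($stored, hash_password_md5($password, $secret));
}

// Hardened equivalent: salted, deliberately slow hash built into PHP.
// The stored string carries its own salt and cost, so no "secret" to lose.
function hash_password_modern(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_password_modern(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Self-check against the value the thread shows from the mysql prompt.
if (hash_password_md5('this is a test') !== '54b0c58c7ce9f2a8b551351102ee0938') {
    throw new RuntimeException('MD5 self-check failed');
}

// Usage as in a CodeCharge "before insert" event: replace the field variable
// with its hash so only the hash reaches the database. Sample input constructed.
$fldpassword = 'this is a test';
$fldpassword = hash_password_md5($fldpassword);
var_dump(verify_password_md5('this is a test', $fldpassword));
var_dump(verify_password_md5('wrong password', $fldpassword));

// Same flow with the hardened variant.
$stored = hash_password_modern('this is a test');
var_dump(verify_password_modern('this is a test', $stored));
var_dump(verify_password_modern('wrong password', $stored));
```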

These are Community Forums for users to exchange information.
If you would like to obtain technical product help please visit http://support.yessoftware.com.



Powered by UltraApps Forum created with CodeCharge Studio
Copyright © 2003-2004 by UltraApps.com  and YesSoftware, Inc.