  1. #1
    SitePoint Enthusiast
    Join Date
    Jul 2001
    Location
    Modesto, CA
    Posts
    77

    MySQL User/Password

    First, I went over all of Kevin Yank's 'Build your own Database Driven Website using PHP & MySQL' and I'm still a "Newbie" at this stuff (but learning fast).

    I think my question should be, How to store user passwords in a MySQL database? I saw something about not storing them in a normal text format in a column.

    I looked over http://www.mysql.com/doc/M/i/Miscell...functions.html and was hoping someone could point me in the right direction.

    Thanks

  2. #2
    You want what? By when?? Milamber's Avatar
    Join Date
    Jan 2001
    Location
    California
    Posts
    342
    I know that some people will do some sort of encryption before sending a user's password to the db, however I don't.

    I just use two columns, usually VARCHAR(30) for both. One holds the username, and the other the password - both in plain text. Of course, on my site, the db, and pages accessing the db are on the same machine so no data ever goes anywhere it shouldn't.

    This is convenient and easy - but if anyone else knows why I shouldn't do this, let's hear it.
    -Jeff Minard | jrm.cc - Battlefield 2 Stats

  3. #3
    Making a better wheel silver trophy DR_LaRRY_PEpPeR's Avatar
    Join Date
    Jul 2001
    Location
    Missouri
    Posts
    3,428
    i strongly recommend that you do NOT store passwords plain text. it doesn't matter if everything is on the same server. anyone with access to the DB can see passwords -- YOU can see passwords. what i use, along with all the forums software, is md5(). it's great. you can use PHP's or MySQL's md5() function. i would recommend using PHP's; that way the password is encrypted in the query, so it isn't visible in any query logs. if you need to have a "I forgot my password" thing, simply make a new, random password, and send it to them.

    if you need an example of how to use md5(), here:

    PHP Code:
    // store the 32-character hex MD5 digest instead of the plain-text password
    $password = md5($password);
    mysql_query("INSERT INTO table SET password='$password'");
    you can make the password column CHAR(32) since md5()'s output is always 32 characters.

    oh, and to check a password, you simply encrypt it and compare it to the encrypted one.
    - Matt ** Ignore old signature for now... **
    Dr.BB - Highly optimized to be 2-3x faster than the "Big 3."
    "Do not enclose numeric values in quotes -- that is very non-standard and will only work on MySQL." - MattR

  4. #4
    You want what? By when?? Milamber's Avatar
    Join Date
    Jan 2001
    Location
    California
    Posts
    342
    Originally posted by DR_LaRRY_PEpPeR
    i strongly recommend that you do NOT store passwords plain text. it doesn't matter if everything is on the same server. anyone with access to the DB can see passwords -- YOU can see passwords.

    True, but if people have access to your DB, you have bigger problems than someone seeing peoples' passwords.

    However, it's a very good idea, and i think i'll start using that.
    -Jeff Minard | jrm.cc - Battlefield 2 Stats

  5. #5
    Making a better wheel silver trophy DR_LaRRY_PEpPeR's Avatar
    Join Date
    Jul 2001
    Location
    Missouri
    Posts
    3,428
    Originally posted by Milamber
    True, but if people have access to your DB, you have bigger problems than someone seeing peoples' passwords.
    no problem if it was read-only access. i mean like administrators or something like that -- and yourself even. i feel better not seeing people's passwords.
    - Matt ** Ignore old signature for now... **
    Dr.BB - Highly optimized to be 2-3x faster than the "Big 3."
    "Do not enclose numeric values in quotes -- that is very non-standard and will only work on MySQL." - MattR

  6. #6
    SitePoint Guru
    Join Date
    Jan 2001
    Location
    Alkmaar, Netherlands
    Posts
    710

    I agree with DR

    I would not register with any website that I know/suspect stores my password as it is.
    It is a very simple security issue that they should handle; if they cannot handle this, how can they keep other information private?
    IMHO

  7. #7
    Mlle. Ledoyen silver trophy seanf's Avatar
    Join Date
    Jan 2001
    Location
    UK
    Posts
    7,168
    I agree, people use the same passwords on different sites so it's better if nobody can see them

    Sean
    Harry Potter

    -- You lived inside my world so softly
    -- Protected only by the kindness of your nature

  8. #8
    SitePoint Zealot pnathan's Avatar
    Join Date
    Sep 2001
    Location
    Amsterdam
    Posts
    160
    I have just implemented this encryption script (using the md5() function) and came across the following problem, it concerns when you want to login after the user has set up their password.

    The script you use to verify that the login password is the same as the encrypted one in the database:

    PHP Code:
    $sql = "SELECT * FROM user WHERE username = '$username' AND md5('$password')";
    I was confused by the latter part of the script. The checking of the password. Just thought I would point it out in case other Sitepoint Members were having the same problem.

    I have two tickets to the Crows, sweet.

  9. #9
    You want what? By when?? Milamber's Avatar
    Join Date
    Jan 2001
    Location
    California
    Posts
    342
    Do the MD5() function outside in the PHP code. Don't do it in the mysql query - this could be messing things up.
    -Jeff Minard | jrm.cc - Battlefield 2 Stats

  10. #10
    SitePoint Zealot pnathan's Avatar
    Join Date
    Sep 2001
    Location
    Amsterdam
    Posts
    160
    I have it working, but that is a good idea, thanks for that.
    I have two tickets to the Crows, sweet.
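
Added example, not part of any post in this thread: storing and checking passwords with PHP's password_hash() and password_verify() (PHP 5.5+), which salt every hash and are deliberately slow, unlike the bare md5() discussed above, and upgrading rows already stored as md5() at the next successful login. The user table and its username/password columns follow the posts; the in-memory SQLite database, the function names and the sample row are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL (assumption) so the script runs offline; the PDO calls are unchanged
// with a mysql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// VARCHAR(255), not CHAR(32): password_hash() output is longer than an MD5 digest.
$db->exec('CREATE TABLE user (username VARCHAR(30) PRIMARY KEY, password VARCHAR(255) NOT NULL)');

function store_password(PDO $db, string $username, string $password): void
{
    // password_hash() picks a random salt and records algorithm, cost and salt in its output.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE user SET password = ? WHERE username = ?');
    $stmt->execute([$hash, $username]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Select by username only, with a bound parameter; the comparison with
    // the stored hash happens in PHP, never inside the WHERE clause.
    $stmt = $db->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy row written as md5($password): verify it once, then upgrade it.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        store_password($db, $username, $password);
        return true;
    }
    return password_verify($password, $stored);
}

// Constructed sample data: one legacy row holding an MD5 digest.
$db->prepare('INSERT INTO user (username, password) VALUES (?, ?)')
   ->execute(['alice', md5('correct horse')]);

var_dump(check_login($db, 'alice', 'wrong'));         // wrong password, legacy row
var_dump(check_login($db, 'alice', 'correct horse')); // legacy row, upgraded on success
var_dump(check_login($db, 'alice', 'correct horse')); // same row, now via password_verify()
var_dump(check_login($db, 'nobody', 'x'));            // no such user
```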

