
Password in MySQL


umekille78


Hi all! I'm building a webpage. The page's users should be able to log in. To do this I thought of putting username and password in a MySQL database, along with all the other information I am going to store on the users, such as Name, LastName and more. Is there any way of making MySQL safe enough to handle this? Or can I use PHP in some way, as it is that script that is going to handle the database? All ideas are welcome.

/Per


Make sure you password protect the database storing that information :) Then you can access it with PHP, for example

$dbc = @mysql_connect('localhost', 'username', 'password');


Yes, you can store the passwords in a safe way. I assume you are going to be using PHP to input it into the database. If this is the case, when you input it make sure to enclose the password with one of the hashing calls, e.g. sha1(), crypt(), etc.


When you need the SQL query to be safe too, as they might be intercepted by third parties, they themselves can be safe too. The above query is not safe by itself, try doing this:

INSERT INTO table (username,safety) VALUES ('myname',password('somethingblabla'))

This way, SQL encodes the password 'safety' with value 'somethingblabla', and the process CANNOT be turned, it's permanent. So every time you are to compare some input with that password, you need to encode the input too.

Edited by Dan The Prof

I just want to expand on what Nakor said. Instead of storing the password itself in the database, you want to store an encrypted version of it that can't be decrypted. Here are some functions to encrypt a string:

http://us2.php.net/manual/en/function.crypt.php
http://us2.php.net/manual/en/function.md5.php
http://us2.php.net/manual/en/function.sha1.php

These produce a one-way hash, which means that it is a constant-size value that you can't decrypt. MD5 produces a 128-bit (32-byte) string, and SHA-1 produces a 160-bit (40-byte) string. So a string produced by sha1() is 40 characters long. You can look up on the web for differences between md5 or sha1, but you can really use either one you want, or maybe both: md5(sha1($password)). But the bottom line is that both of them are generally considered safe, you won't run into problems from someone cracking an encrypted password unless the password is already unsafe (like the password 'password').

To do this, you encrypt the password however you want to produce your hash, then you store the hash in the database. When the user tries to log in again, you encrypt the password they type in the same way, and see if the hash for what they typed matches the hash you saved in the database. So instead of comparing password to password, you compare password hash to password hash. There is a reasonable guarantee that two different strings won't produce the same hash, but obviously it's not true for all strings. With a 160-bit string, there are 1.461*(10^48) values, so obviously with infinite strings there would be a collision at some point. But in practice it's not something you have to worry about.

If you want to play around with these functions, look here: http://choice.server.tracorp.com/vartest.php (link may go away). You can type something into the box and select one of the PHP functions to execute. If you type something in you can select md5, crypt, or sha1 and see what happens.

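Added example, not part of any post in this thread: PHP 5.5 and later provide password_hash() and password_verify(), which apply a random per-password salt and a deliberately slow algorithm, unlike a bare md5() or sha1(), which are fast and unsalted and are no longer considered adequate for password storage. The code below stores and checks passwords that way through prepared statements and upgrades a legacy sha1() row at login. The table, the function names and the in-memory SQLite DSN are assumptions chosen so it runs offline (PHP 5.6+ with pdo_sqlite); with MySQL only the DSN changes.

```php
<?php
// Added example, not code from the thread. Hypothetical names: users, pw_hash,
// register(), login(). SQLite in memory stands in for MySQL so this runs offline;
// for MySQL use a DSN such as 'mysql:host=localhost;dbname=...' with credentials.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register(PDO $db, $username, $password) {
    // password_hash() picks a random salt and stores it, with the cost, in its output.
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute(array($username, password_hash($password, PASSWORD_DEFAULT)));
}

function login(PDO $db, $username, $password) {
    // Placeholders keep user input out of the SQL text.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    if (preg_match('/^[0-9a-f]{40}$/', $stored)) {
        // Legacy row: a bare 40-character sha1() hex digest as described in the thread.
        $ok = hash_equals($stored, sha1($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    // After a successful login the plaintext is at hand, so upgrade old hashes now.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pw_hash = ? WHERE username = ?');
        $upd->execute(array(password_hash($password, PASSWORD_DEFAULT), $username));
    }
    return $ok;
}

// Constructed sample data: one new-style account and one legacy sha1 row.
register($db, 'per', 'correct horse battery staple');
$db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
   ->execute(array('olduser', sha1('hunter2')));

var_dump(login($db, 'per', 'correct horse battery staple')); // right password
var_dump(login($db, 'per', 'wrong'));                        // wrong password
var_dump(login($db, 'olduser', 'hunter2'));                  // legacy row, then rehashed

// Show which algorithm now protects the legacy account's stored hash.
$stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
$stmt->execute(array('olduser'));
var_dump(password_get_info($stmt->fetchColumn())['algoName']);
```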
