[thelist] don't know what this SQL does...

David Bindel dbindel at austin.rr.com
Sat Aug 30 15:41:56 CDT 2003


Walter Torres wrote:
> David Bindel wrote:
>> PASSWORD() is a MySQL function that hashes (encrypts) a string so as 
>> not to be stored in plain text.  If you don't encrypt passwords, if 
>> your database is cracked into, the cracker will have very easy 
>> access to all the passwords that are stored.
>
> So, if this is a MySQL function to encrypt a password, how would you 
> retrieve this password for validation?

You don't.  :-)

You can't decrypt, but you can encrypt other things and then compare the
encrypted values.

To compare the password hash in the database with a password from a
login script (for example), you compare the passwd field in your
database table to PASSWORD('$password').

Here's some example SQL (in PHP):

// $password holds the plaintext the user submitted; MySQL hashes it with
// PASSWORD() on the server and compares the result to the stored passwd hash.
$sql = "SELECT userid FROM sometable WHERE passwd =
PASSWORD('$password')";

That compares the hash stored in the database to the hash of $password
(the user input).

I hope that makes sense... if not, someone else here can probably
explain it better.

HTH,
David

-- 
    David I. Bindel
  Website Development
 dbindel at austin.rr.com
  www.davidbindel.com
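The hash-and-compare login check described in the message above, written out as an added example (not code from the list post). MySQL's PASSWORD() is not available in SQLite, so this version computes the hash in the application with PBKDF2-HMAC-SHA256 and a per-user random salt, which is the substitution a current deployment would make anyway; the table name `sometable` and columns `userid`, `passwd` come from the post, while `username` and `salt` are assumed. The query uses parameter placeholders rather than interpolating the user's input into the SQL string, and the comparison uses a constant-time compare.

```python
import hashlib
import hmac
import os
import sqlite3

# Iteration count for PBKDF2; a constructed value for the demo.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for MySQL's PASSWORD(): derive a fixed-length hash from the
    plaintext.  The hash cannot be reversed; verification recomputes it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store salt and hash, never the plaintext."""
    salt = os.urandom(16)
    digest = hash_password(password, salt)
    conn.execute(
        "INSERT INTO sometable (username, salt, passwd) VALUES (?, ?, ?)",
        (username, salt, digest),
    )
    conn.commit()


def verify_login(conn: sqlite3.Connection, username: str, password: str):
    """Return the userid when the submitted password hashes to the stored
    value, otherwise None.  Placeholders keep user input out of the SQL text."""
    row = conn.execute(
        "SELECT userid, salt, passwd FROM sometable WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Spend the same work as a real check so an unknown username is not
        # distinguishable by response time (dummy salt, constructed).
        hash_password(password, b"\x00" * 16)
        return None
    userid, salt, stored = row
    # Constant-time comparison of the recomputed hash with the stored one.
    if hmac.compare_digest(hash_password(password, salt), stored):
        return userid
    return None


def setup_demo() -> sqlite3.Connection:
    """Constructed in-memory database with one user for demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sometable ("
        "userid INTEGER PRIMARY KEY, username TEXT UNIQUE, salt BLOB, passwd BLOB)"
    )
    create_user(conn, "walter", "correct horse")
    return conn


if __name__ == "__main__":
    db = setup_demo()
    print(verify_login(db, "walter", "correct horse"))  # userid 1
    print(verify_login(db, "walter", "wrong password"))  # None
```

Note that nothing here ever reads a password back out of the table; the only operations are "hash what was submitted" and "compare hashes", which is exactly why the stored value does not need to be decryptable.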


