[thelist] don't know what this SQL does...
David Bindel
dbindel at austin.rr.com
Sat Aug 30 15:41:56 CDT 2003
Walter Torres wrote:
> David Bindel wrote:
>> PASSWORD() is a MySQL function that hashes (encrypts) a string so as
>> not to be stored in plain text. If you don't encrypt passwords, if
>> your database is cracked into, the cracker will have very easy
>> access to all the passwords that are stored.
>
> So, if this is a MySQL function to encrypt a password, how would you
> retrieve this password for validation?

You don't. :-)

You can't decrypt, but you can encrypt other things and then compare the
encrypted values.

To compare the password hash in the database with a password from a
login script (for example), you compare the passwd field in your
database table to PASSWORD('$password').

Here's some example SQL (in PHP):

    $sql = "SELECT userid FROM sometable WHERE passwd = PASSWORD('$password')";

That compares the hash stored in the database to the hash of $password
(the user input).

I hope that makes sense... if not, someone else here can probably
explain it better.

HTH,
David
--
David I. Bindel
Website Development
dbindel at austin.rr.com
www.davidbindel.com
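
Added example (not part of the original post): the same hash-and-compare login in PHP, with the user input bound as a parameter instead of interpolated into the SQL string, and PHP's password_hash()/password_verify() in place of MySQL's PASSWORD(), which was removed in MySQL 8.0. The username column, the in-memory SQLite database standing in for MySQL, and the sample credentials are assumptions constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the original post): a "username" column, an in-memory
// SQLite database standing in for MySQL, and constructed sample credentials.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sometable (
    userid   INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    passwd   TEXT NOT NULL)');

// Registration: store only a salted, slow hash; the plain text is never saved.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO sometable (username, passwd) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: fetch the stored hash for this user, then hash-and-compare.
// Returns the userid on success, null on any failure.
function login(PDO $db, string $username, string $password): ?int
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT userid, passwd FROM sometable WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so both paths
    // do comparable work before failing.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['passwd'] : $dummy);

    return ($ok && $row) ? (int) $row['userid'] : null;
}

register($db, 'alice', 'correct horse battery staple');        // constructed sample

var_dump(login($db, 'alice', 'correct horse battery staple')); // matching password
var_dump(login($db, 'alice', "it's wrong"));                   // quote is data, not SQL
var_dump(login($db, 'nobody', 'anything'));                    // unknown user
```

Because each stored hash carries its own salt, the comparison has to happen in PHP after looking the row up by username; a WHERE passwd = ... clause cannot match a salted hash.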