----- Original Message -----
From: "Anthony Ettinger" <aettinger@xxxxxxxxxxxxxx>
You should encrypt the password in the database, with a one-way hash,
then you simply compare what's in your db to what the login form
submits.
That way if you get hacked, or your admin goes postal, you won't have
people's unencrypted passwords in the database.
--
It should say:
"You should encrypt the password in the database, with a one-way hash,
then you simply compare what's in your db to [the hash of] what the login
form submits."
That is, when you first store the password, you first hash it (usually, you
would use the function md5() ). Then when you do the select, you put in the
where:
.... " WHERE `username` = '$username' and `pw`='" . md5($password) . "'";
And you don't store the password in a session variable or anywhere else: you
encrypt it (one way), you check it, and you forget about it; you never put it
in the clear anywhere. After all, session data goes somewhere on the disk,
and with a name as obvious as "password", it wouldn't be hard to find, even if
you don't have access to the database. For example, here is an example of the
contents of a session file:
IdUsr|i:999;level|s:1:"2";usr|s:6:"satyam";
Easy to understand:
IdUsr, an integer, containing 999
level, a string of one character containing a 2
user, a string of 6 characters containing 'satyam'
Would you like to see something like
password|s:10:mypassword;
If you are using MySql ISAM files, locate the file with extension MYD and do
a hex dump of it. If your database is called MyDb and your Users table
is called Users, locate MySql/data/MyDb/Users.MYD and dump it.
Now, you might be wondering what the database password protection is for,
don't you?
Satyam
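The store-the-hash, compare-the-hash pattern described in the two messages above, written out as an added example (not code from either poster). It assumes PHP with PDO and the SQLite driver; the table layout (users: id, username, pw_hash) and the sample credentials are constructed for the example. Two techniques are swapped in relative to the thread: password_hash()/password_verify() (salted, deliberately slow) in place of md5(), and bound parameters in place of building the WHERE clause from the submitted strings. Because the hash is salted, the user row is looked up by username only and the comparison happens in password_verify() rather than in the WHERE clause.

```php
<?php
// Added example, not from the thread. Only a one-way hash of the password is
// ever stored; the login attempt is checked against that hash and then dropped.
// Assumptions: PDO with the SQLite driver; the users table layout is made up.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users ('
        . 'id INTEGER PRIMARY KEY, '
        . 'username TEXT UNIQUE NOT NULL, '
        . 'pw_hash TEXT NOT NULL)');
    return $db;
}

// Registration: hash once, store the hash, never store the clear-text password.
function registerUser(PDO $db, string $username, string $password): void {
    // Swapped in for the thread's md5(): salted, slow, algorithm tagged in the hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: fetch the row by username with a bound parameter (no string-built
// WHERE clause), then compare the submitted password against the stored hash.
// Returns the user id on success, null on unknown user or wrong password.
function checkLogin(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return password_verify($password, $row['pw_hash']) ? (int) $row['id'] : null;
}

$db = openDb();
registerUser($db, 'satyam', 'mypassword');   // constructed sample credentials

// Right password yields the id, wrong password yields null.
var_dump(checkLogin($db, 'satyam', 'mypassword'));
var_dump(checkLogin($db, 'satyam', 'not-the-password'));

// What goes into the session afterwards: the user id and name, as in the
// session dump quoted in the thread, and no password key at all.
// (session_start() is left out so the script runs from the command line.)
$sessionData = [
    'IdUsr' => checkLogin($db, 'satyam', 'mypassword'),
    'usr'   => 'satyam',
];
echo serialize($sessionData), "\n";
```

Run it with php on the command line; the two var_dump() lines show the success and failure cases, and the serialized session data at the end contains no password field, which is the property the thread is arguing for.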
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php