Dietrich Bollmann wrote:
> As far as I remember, in all books I read about PHP and SQL, the
> password was stored in an encrypted form, even when all the data which
> should be protected by the password was stored in the same database.
>
> Can anybody tell me what is the motivation behind this approach?

The general idea is that only one person should have the password in clear text. If you store it as clear text, anyone who's got access to the database can read the password.

> The person who asked me to write this file server wants everybody who
> to receive the same link together with the same password for the same
> file.

Well, if _lots_ of people have the password anyway, there's no need to be secretive about it :-)

> By the way: in most cases, when pushing the "I forgot my password"
> button, an email with a user name and a link to activate the password
> is generated. Anybody who gets into the possession of the email could
> access the data... Should I rather send two emails, one with the
> link, one with the new password?

If you're _really_ concerned about this, you send a new password by recorded/registered mail (Einschreiben).

/Per Jessen, Zürich

--
PHP General Mailing List (http://www.php.net/)
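An added example, not part of the original message: a PHP sketch of storing only a password hash, extended to the "I forgot my password" link from the question so that the database holds only a hash of the e-mailed token, which expires and works once. The arrays stand in for database tables, and the function names, the user `alice` and the 15-minute lifetime are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration: arrays stand in for database tables (constructed data).
$users  = [];  // username => password hash
$resets = [];  // username => ['token_hash' => ..., 'expires' => ...]

function register(array &$users, string $user, string $password): void
{
    // Only a salted, deliberately slow hash is stored, never the clear text.
    $users[$user] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function startReset(array &$resets, string $user, int $now): string
{
    $token = bin2hex(random_bytes(32));          // value placed in the e-mailed link
    $resets[$user] = [
        'token_hash' => hash('sha256', $token),  // the table keeps only its hash
        'expires'    => $now + 900,              // assumed 15-minute lifetime
    ];
    return $token;
}

function finishReset(array &$users, array &$resets, string $user,
                     string $token, string $newPassword, int $now): bool
{
    $row = $resets[$user] ?? null;
    unset($resets[$user]);                       // single use, even if the check fails
    if ($row === null || $now > $row['expires']) {
        return false;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;                            // constant-time comparison failed
    }
    register($users, $user, $newPassword);
    return true;
}

// Constructed sample run.
register($users, 'alice', 'old-password');
$token = startReset($resets, 'alice', time());
var_dump(finishReset($users, $resets, 'alice', $token, 'new-password', time()));
var_dump(login($users, 'alice', 'new-password'), $users['alice'] !== 'new-password');
var_dump(finishReset($users, $resets, 'alice', $token, 'again', time()));
```

Someone who can read these tables sees only hashes, so neither the passwords nor an outstanding reset link can be recovered from the database.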