$sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\' and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password .'\'))';

I use this solution because md5 runs faster in MySQL.

On Wed, Jul 8, 2009 at 10:28 AM, Andrew Ballard<aballard@xxxxxxxxx> wrote:
> On Tue, Jul 7, 2009 at 11:05 PM, Michael A. Peters<mpeters@xxxxxxx> wrote:
>> Carl Furst wrote:
>>
>>>
>>> <?
>>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
>>> # when storing passwords to your database, otherwise it won't work
>>> $passwd = crypt($_GET['passwd'], $salt);
>>
>> I personally use the username and the salt.
>> That way two users with identical passwords have different hashes.
>>
>> With large databases, many users will have the same password; there are some
>> that are just commonly used. The hackers know what they are, and if they get
>> your hash dump, they try their list of commonly used passwords against the
>> user names that have the common hashes.
>>
>> By using the username as part of the salt, you avoid that issue because
>> identical passwords will have different hashes.
>>
>> It does mean the password has to be reset if you allow them to change their
>> login name.
>>
>
> The password does not need to be reset. You could require that they
> provide the password again (even though they are already
> authenticated) on the same form with the new username. Then you can do
> the same encrypt/compare that you do for authentication, and if it
> matches you just update the username and the hash at the same time.
>
> Andrew
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
Martin Scotta
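The username-salted hashing Michael describes and the rename flow Andrew outlines, as an added PHP example that is not code from anyone on the thread. It assumes an in-memory SQLite users table, a constructed site salt and sample user, and uses crypt() with a SHA-512 salt plus PDO prepared statements instead of interpolating the username into the SQL text as the $sql line above does.

```php
<?php
// Added example, not code from the thread. Assumes an in-memory SQLite table
// users(username, passwd) created below; SITE_SALT and the sample user are constructed.
const SITE_SALT = 'someglobalsaltstring';

// Fold the username into the hash input (Michael's approach) so that two users who
// pick the same password still get different hashes. Using crypt() with a "$6$"
// (SHA-512) salt is an assumption; the thread itself shows crypt() and MySQL md5().
function hashPassword(string $username, string $password): string {
    // crypt() salts are limited to 16 chars of [./0-9A-Za-z], so derive a valid one
    // from the site salt and the username rather than using them verbatim.
    $salt = '$6$' . substr(hash('sha256', SITE_SALT . $username), 0, 16) . '$';
    return crypt($username . '@' . $password, $salt);
}

function verifyLogin(PDO $db, string $username, string $password): bool {
    // Parameterised query: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT passwd FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && hash_equals($stored, hashPassword($username, $password));
}

// Andrew's rename flow: re-check the password, then update username and hash together,
// because the stored hash depends on the old username.
function renameUser(PDO $db, string $old, string $new, string $password): bool {
    if (!verifyLogin($db, $old, $password)) {
        return false;                  // wrong password: nothing changes
    }
    $db->beginTransaction();
    $stmt = $db->prepare('UPDATE users SET username = ?, passwd = ? WHERE username = ?');
    $stmt->execute([$new, hashPassword($new, $password), $old]);
    $db->commit();
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, passwd TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', hashPassword('alice', 'hunter2')]);

var_dump(verifyLogin($db, 'alice', 'hunter2'));          // correct credentials
var_dump(renameUser($db, 'alice', 'alicia', 'wrong'));   // rename refused: bad password
var_dump(renameUser($db, 'alice', 'alicia', 'hunter2')); // rename accepted, hash recomputed
var_dump(verifyLogin($db, 'alice', 'hunter2'));          // old username no longer exists
var_dump(verifyLogin($db, 'alicia', 'hunter2'));         // new username logs in
```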