Re: Password Encryption Issues

What kind of Admin is that, if he/she will trick around with User's
passwords?
At least, such a person has to be FIRED and never stay close at servers at
all.
Yes, you are right. But there is always more than one way to solve a task.
I have decided to do so, in order to give users more flexibility.
What if I want to reset my old password? Is it easier to enter the site and
to change it or to click forg. pwd, then to wait till the link comes and
after that to click again and so on....
If it all happens on a Dial-Up connection with 28.8 K Modem, on pulse line,
try to imagine what the user is mumbling...!

Plamen Jelezov.
"Cpt John W. Holmes" <holmes072000@charter.net> wrote in message
news:00da01c305a9$94bde270$a629089b@TBHHCCDR...
> Just my opinion, but passwords shouldn't be stored in a method that can be
> decoded. I don't know about you, but I can't remember a different password
> for every site that I use, so sometimes I repeat them. I don't want you or
> some rogue admin decoding my password and trying it at various sites.
>
> Just implement a method to reset the password and leave it be. Don't send
> the password over email, either. Send a link with a code that expires in say
> 30 minutes or so that will enable the user to reset the password or use a
> pass phrase/question or something...
>
> ---John Holmes...
>
> ----- Original Message -----
> From: "Plamen Jelezov" <pj@bmtc-bg.com>
> To: <php-db@lists.php.net>
> Sent: Friday, April 18, 2003 5:15 AM
> Subject: Re:  Password Encryption Issues
>
>
> > Hi,
> > In my opinion the problem will be solved, if you don't use password()
> > function at all. Just have in your mind that it is a one-way hash and it
> > can not decrypt passwords. Try to use encode() and decode() functions
> > instead with a salt key by your choice.
> > Of course if you insist on using password() function you will have to
> > make a script to reset the password and to send the new one to the
> > user's email. Depends on you.
> >
> > For example, suppose you have a form field $pwd in your insert or update
> > pages. Then you need to insert its value into a DB (here I presume
> > MySQL). So you have the job done like this:
> >
> > $select = "..MySQL specific words .... encode($pwd, '.g') ";
> > $query = .....
> > so on
> >
> > where '.g' is the salt key and the password from 'test' will look like
> > 'ddIIjdmnm9' in the DB.
> >
> > Suppose you have to take it back and return into human readable
> > characters in order to give the User a chance to change it. So you write
> > the following:
> >
> > $select  = "..MySQL specific words .... decode(pwd_field_Name, '.g') ";
> > $select .= "where User_ID = 'whatsoever'";
> > $query = .....
> > so on
> >
> > where '.g' is the same salt key and 'pwd_field_Name' is that column that
> > contains your encoded passwords.
> >
> > That's it.
> > Hope this helps.
> > pj
> >
> > Erwin Kerk wrote:
> > > Probably the password() function relies on some server-specific data....
> > >
> > > Erwin Kerk
> > > Web Developer
> > >
> > > Lindsey Gregory wrote:
> > >
> > >> Hello all,
> > >>
> > >> This is kinda hard to explain, but I am having a problem with pass
> > >> encryption/decryption stuff. I had a section of my website protected by a
> > >> cookie-based log in that authenticates from a database (mySQL) of user/pass
> > >> combinations...  anyway, I am moving that website from one server to
> > >> another... The username and password are exactly the same in the new DB as
> > >> it was in the old one... and of course, I have them encrypted...  but it
> > >> won't authenticate because the sql query is spitting out a different
> > >> encrypted pass from the login form so when I do the following query: SELECT
> > >> id FROM table WHERE ((username = '$username') AND (password =
> > >> PASSWORD('$password')) the encrypted password there is different than the
> > >> encrypted pass in the DB.
> > >> Any help with this would be appreciated! thanks!
> > >> -lindsey
> >
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>



-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
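
The reset approach John Holmes describes in the quoted message above (passwords stored so they cannot be decoded, plus an emailed code that expires after about 30 minutes), as an added example that is not part of the original thread. It assumes PHP 7 or later; the in-memory arrays, the user id and all function names are hypothetical stand-ins for real database tables and application code.

```php
<?php
// Added example: one-way password hashes plus an expiring, single-use reset code.
// The arrays stand in for database tables; every name here is hypothetical.
const RESET_TTL = 1800; // 30 minutes, the lifetime suggested in the thread

function setPassword(array &$users, int $userId, string $password): void
{
    // password_hash() generates its own salt; the result cannot be decoded.
    $users[$userId]['pwd_hash'] = password_hash($password, PASSWORD_DEFAULT);
}

function checkLogin(array $users, int $userId, string $password): bool
{
    return isset($users[$userId]['pwd_hash'])
        && password_verify($password, $users[$userId]['pwd_hash']);
}

function issueResetCode(array &$resets, int $userId, int $now): string
{
    $code = bin2hex(random_bytes(32));      // this value goes into the emailed link
    $resets[hash('sha256', $code)] = [      // only a hash of the code is stored
        'user_id' => $userId,
        'expires' => $now + RESET_TTL,
    ];
    return $code;
}

function redeemResetCode(array &$resets, array &$users, string $code,
                         string $newPassword, int $now): bool
{
    $key = hash('sha256', $code);
    if (!isset($resets[$key])) {
        return false;                       // unknown code, or already used
    }
    $row = $resets[$key];
    unset($resets[$key]);                   // single use, even when expired
    if ($now > $row['expires']) {
        return false;
    }
    setPassword($users, $row['user_id'], $newPassword);
    return true;
}

// Constructed sample run
$users = []; $resets = [];
setPassword($users, 7, 'test');
$code = issueResetCode($resets, 7, time());
var_dump(redeemResetCode($resets, $users, $code, 'new-secret', time() + 60));  // inside the window
var_dump(redeemResetCode($resets, $users, $code, 'again', time() + 120));      // same code reused
var_dump(checkLogin($users, 7, 'new-secret'), checkLogin($users, 7, 'test'));
```

The string returned by password_hash() carries its algorithm, cost and salt, so password_verify() checks it the same way on any server the table is moved to.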

