Easily...
As some people have already pointed out, one of the interesting aspects of 2
way or reversible encryption systems is they provide some form of a key,
that is a unique or variable input which is combined into the encryption
process to create a truly unique encypted string.
For example in your situation I would use perhaps a password field.
You could even store this password as a hash in your db for login purposes
and still use the password as the 'salt' for your encryption
For example a user may have stored in a DB table their username and a MD5
hash of their password, which you use when they login in order to compare
the MD5 of the password they entered in the login form to the one stored
already in DB.
You can do the same process for their wages.
When they choose to access their wages they can be prompted for their
password and during generation of their wages/salary page you can use their
'plaintext' password as the 'salt' for your encryption function
I'd personally use the mcrypt extension of php:
http://www.php.net/manual/en/ref.mcrypt.php
Tata and good luck!
---oOo--- Allowing users to execute CGI scripts in any directory should only
be considered if: ... a.. You have no users, and nobody ever visits your
server. ... Extracted Quote: Security Tips - Apache HTTP
Server ---oOo--- ------oOo---------------oOo------ Julien Bonastre
[The_RadiX] The-Spectrum Network CEO ABN: 64 235 749 494
julien@xxxxxxxxxxxxxxxx
www.the-spectrum.org ------oOo---------------oOo------
----- Original Message -----
From: "Kosala Atapattu" <kosalaa@xxxxxxxxxxx>
To: "Micah Stevens" <micah@xxxxxxxxxxxxxxxxxx>; <php-db@xxxxxxxxxxxxx>
Sent: Monday, January 02, 2006 5:20 PM
Subject: RE: Encrypting DB content
This is bit off the topic...but is there a way to encrypt with a key and
decrypt it back to the same value I want to store. My requirement is
something like I want to store salaries of the executives of the
organization in a table, but not even the DBA should be able to see that
except the person who saved it.
Is this possible, through a DB level or using application level
components.
Kosala
-----Original Message-----
From: Micah Stevens [mailto:micah@xxxxxxxxxxxxxxxxxx]
Sent: Saturday, December 31, 2005 12:13
To: php-db@xxxxxxxxxxxxx
Subject: Re: Encrypting DB content
You can store an MD5, or SHA hash of the password, and then
compare.. This is not an encrypted version of the password,
rather a calculated hash of it. You can't (well, not without
a bit of effort) decrypt this back into the password.
The idea is when you store the password, you create the hash.
Store the hash in the database. When the user logs in, take
their password entry, generate a hash in the same way, and
compare the two values.
SHA2 is the most secure method to use of these two, I'd use that.
The advantage is, the hash could be freely accessable to
anyone, and it doesn't cause a security issue, where as all a
hacker needs is the key to an encrypted database of passwords
to reveal them all.
That's the route I take anyhow.. This will likely start a
huge conversation about how to secure your system up super
tight, but remember the most secure server is one that isn't
turned on. :) A realistic solution is somewhere in-between
this and no security at all.
-Micah
On Friday 30 December 2005 8:15 pm, Chris Payne wrote:
> Hi there everyone,
>
>
>
> I am about to launch the website for my complex where the
homeowners
> can login and check their billing status etc .. what is the
best way,
> with PHP and MySQL, to store an ENCRYPTED password into the
database
> so that if someone got into the DB they couldn't read the
password but
> if they enter it into the form on the site it still works?
>
>
>
> I'm not sure on the best way to do this and any help would
be really
> appreciated.
>
>
>
> Happy New Year everyone.
>
>
>
> Chris
--
PHP Database Mailing List (http://www.php.net/) To
unsubscribe, visit: http://www.php.net/unsub.php
--------------------------------------------------------------------------------
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
