>> password stored with reversible encryption
Posted: Fri 21. Nov 2003, 22:38
hello
it seems like you already changed stuff with password handling,
when i read this thread.
but i think it's a very bad idea, to store passwords in a reversible format in the database.
the mysql manual has already been quoted in this thread, so i will too:
i know, the crypted string is protected by a password, but how do you manage this ? hardcoded password for crypting with ENCODE or configurable one ?
ENCODE(str,pass_str)
Encrypt str using pass_str as the password. To decrypt the result, use DECODE(). The result is a binary string of the same length as string. If you want to save it in a column, use a BLOB column type.
DECODE(crypt_str,pass_str)
Decrypts the encrypted string crypt_str using pass_str as the password. crypt_str should be a string returned from ENCODE().
from the other available methods in mysql MD5, SHA, AES & DES the most compatible one would be MD5.
with php functions it could be done without the need for mysql 4.x.x or mysql with SSL-support, but the mcrypt & mhash extensions are not the standard.
so when you already have a solution with crypting the password on clientside with SHA and then validate it with a php function (no mcrypt or mhash) on login serverside it would be nice.
but since you already require a relatively new php, one could use the sha1 function available since php 4.3.0
could you post your clientside solution ?
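
An added example, not part of the original post and not the project's code: server-side login checking against a one-way stored value instead of ENCODE()/DECODE(), including an upgrade path for rows that hold the unsalted sha1() digest the post mentions. The function names, the in-memory $users array and the sample passwords are constructed for illustration; password_hash(), password_verify(), password_needs_rehash() and hash_equals() are standard PHP functions from later PHP releases than the 4.3.0 discussed above.

```php
<?php
// Added example, not the project's code. Names and data are constructed.

// Stand-in for the users table: username => stored verifier string.
$users = [
    // Legacy row: unsalted sha1() hex digest, the PHP 4.3.0 option from the post.
    'alice' => sha1('correct horse'),
];

function register_user(array &$users, string $name, string $password): void
{
    // One-way: the random salt, algorithm and cost are embedded in the result.
    // There is no DECODE() counterpart and no pass_str to keep secret.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function verify_login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    if (preg_match('/^[0-9a-f]{40}$/', $stored)) {
        // Legacy sha1 row: constant-time compare, then upgrade on success.
        if (!hash_equals($stored, sha1($password))) {
            return false;
        }
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when the default algorithm or cost has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

register_user($users, 'bob', 's3cret-example');
var_dump(verify_login($users, 'bob', 's3cret-example'));
var_dump(verify_login($users, 'bob', 'wrong'));
var_dump(verify_login($users, 'alice', 'correct horse'));
var_dump(preg_match('/^[0-9a-f]{40}$/', $users['alice']) === 0);
```

The last line checks that the legacy sha1 row was replaced by a salted hash after the first successful login.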