 How To- Encrypt Passwords: Mysql and PHP

ckroon

Posts: 869
Posted: 06/27/2008, 11:30 AM

(This is from Walter Kempees..hope it helps someone.)

It is described in 4.x Help file.
Help search: Advanced Security Settings

Basically if you have an application using a users table, a login form and no encryption:
(Based on Internet example database).

1: choose the method of encryption you like or need, One-Way or Two-Way.
One-Way (MD5()), will encrypt your password. There is no decryption method.
Two-Way (Password()) will allow for decrypting.
If your user has a way to retrieve his previously entered password (could be a requirement), you need Two-Way,
else you need to generate a new password and e-mail that to the user in order for the user
to be able to login to reset his password. The flow of this process is beyond the scope of this post.

2: Alter your user table's password field from readable to encrypted using the encryption method chosen.
It is a (My)SQL command that does this for you.


UPDATE users SET user_password=PASSWORD(user_password);

The PASSWORD(user_password) is for Two-Way, MD5(user_password) would cater for the One-Way method.
You can issue the command through your database tool, like phpMyAdmin, Navicat or any other.

3: Once that is done, you will have to go to your application, Project Settings, Security, click Advanced and set it to the choices you have made earlier and described in the mentioned Help article.
Basically, check the checkbox "Encrypt passwords using" choose Database Function and enter either "PASSWORD" or "MD5". (no brackets () )
Press F9 to have your application regenerated and it should work out-of-the-box.


A few notes:
Never do this on a running application, nor during up-time.
You will need time: the SQL update can be fast, uploading the changed application takes longer.
Using the MD5() method, you have NO means to retrieve the user entered password (should you?).
The length of the user_password field is of interest here: a varchar(8) (seen often) is too short, varchar(25) would be more applicable. The size of the field determines the encryption key generated (MySQL 16 or 41-bit key).
Remember that the user types in a readable password at the client side, it is then encrypted at server side and the login testing takes place.
In principle it is still possible to "steal/sniff" the password during network transport; that can only be solved by using SSL, HTTPS, certificate.


Hope this is what you asked for and meets your needs.

Walter
http://donate.consultair.eu
_________________
Walter Kempees...you are dearly missed.
joejac

Posts: 242
Posted: 03/29/2009, 7:30 AM

Hello,

Please be aware that for "Encrypt passwords using" Database Function "PASSWORD" the password field has to be a minimum of 50 characters long: varchar(50), no less.

Best regards
joejac
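
Added example, not part of either post and not CodeCharge Studio's generated login code: MySQL's MD5() and PASSWORD() are both unsalted one-way hashes, and PASSWORD() was removed in MySQL 8.0, so a current PHP application would typically hash in PHP with password_hash() and check with password_verify(). The sketch reuses the thread's users table and user_password column; the user_login column, the in-memory SQLite database standing in for MySQL, and the sample rows are assumptions made so it runs offline.

```php
<?php
// Added example (not from the thread). In-memory SQLite stands in for MySQL so
// the script runs offline; user_login is an assumed column name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// varchar(255) leaves room for whatever PASSWORD_DEFAULT produces in future.
$db->exec('CREATE TABLE users (user_login VARCHAR(50) PRIMARY KEY, user_password VARCHAR(255))');

// Constructed sample rows holding readable passwords (the state before step 2).
$seed = $db->prepare('INSERT INTO users (user_login, user_password) VALUES (?, ?)');
foreach ([['alice', 'Tr0ub4dor&3'], ['bob', 'correct horse']] as $row) {
    $seed->execute($row);
}

// One-time migration: replace every readable password with a salted hash.
function migrate_plaintext(PDO $db): int
{
    $rows = $db->query('SELECT user_login, user_password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $upd = $db->prepare('UPDATE users SET user_password = ? WHERE user_login = ?');
    $done = 0;
    $db->beginTransaction();
    foreach ($rows as $r) {
        // Rows that already hold a password_hash() value are left alone,
        // so the migration can be re-run safely.
        if (!empty(password_get_info($r['user_password'])['algo'])) {
            continue;
        }
        $upd->execute([password_hash($r['user_password'], PASSWORD_DEFAULT), $r['user_login']]);
        $done++;
    }
    $db->commit();
    return $done;
}

// Login check: the comparison happens in PHP, not in the SQL WHERE clause.
function check_login(PDO $db, string $login, string $password): bool
{
    $q = $db->prepare('SELECT user_password FROM users WHERE user_login = ?');
    $q->execute([$login]);
    $hash = $q->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

printf("migrated: %d, re-run: %d\n", migrate_plaintext($db), migrate_plaintext($db));
var_dump(check_login($db, 'alice', 'Tr0ub4dor&3'), check_login($db, 'alice', 'wrong'));
```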