PHP crypt() vs. MySQL password()
Fresh-Faced Recruit
Join Date: May 2002
Location: Ft Lauderdale
Can anyone share methods for storing user passwords in a database? Here is what I've come up with... when my script processes a registration form it will: $newPW = crypt($txtPW). When I enter this into the database: INSERT INTO table VALUES(..., password('$newPW'), ...). Now it is double encrypted I guess. Finally, if they log in I will check the password they enter:
code:
$storedPW = mysql_query("SELECT password FROM table WHERE userid = '$txtID'");
$storedDecryptedPW = mysql_query("password('$storedPW')"); //is this a proper query?
if (crypt($txtPW) == $storedDecryptedPW)
//valid
So when a user registers their password is encrypted with crypt(), then entered into the db using password(). When I retrieve the password for logging in I decrypt using password() and compare two crypt() password values?
Grizzled Veteran
Join Date: Jun 2001
Location: Melbourne, Australia
It's not really a case of 'vs', but of how they work together. They both use a non-reversible hashing algorithm which means you can use the functions together to perform a query.
For example, in a MySQL database 'users' you have the fields 'uname' and 'password' with the primary key being 'uname':
insert into users (uname, password) values ('testuser', password('mypassword'));
will insert a dummy user into your MySQL database with an encrypted password. To authenticate that password from PHP you could simply do this:
$pass = crypt('mypassword');
$uname = 'testuser';
mysql_select_db('users'); // the PHP function is mysql_select_db(), not mysql_select_database()
$result = mysql_query("select count(*) from users where uname='$uname' and password='$pass'");
list($auth) = mysql_fetch_row($result); // mysql_query() returns a result set; fetch the count from it
If $auth is not equal to one, then they're not authenticated.
There is NO decrypting these values - using password() and crypt() is a one-way street. So if people forget their passwords, they need to be reset.
Head on over to http://www.zend.com or http://www.php.net for some great examples of usage. The user-submitted comments are the most beneficial. Cheers
Computer thez nohhh...
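An added example, not the poster's code: PHP's crypt() and MySQL's PASSWORD() are different algorithms, and crypt() with the salt omitted picks one at random, so the "password='$pass'" comparison in the reply above never matches a row written with PASSWORD(). The usual way is to hash in PHP and verify in PHP. This assumes PHP 7+ with PDO, and an in-memory SQLite table with constructed sample data stands in for the MySQL 'users' table.

```php
<?php
// Added example, not from the thread: one-way password storage using PHP's
// password_hash()/password_verify() plus a prepared statement, instead of
// crypt() combined with MySQL PASSWORD(). Assumes PHP 7+ with PDO; an
// in-memory SQLite table stands in for the MySQL 'users' table (constructed
// sample data) so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration: hash once in PHP with a random salt chosen by password_hash().
// Hashing here rather than with PASSWORD() in SQL keeps the plaintext out of
// query strings, the query log and the binary log.
function register(PDO $db, string $uname, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (uname, password) VALUES (?, ?)');
    $stmt->execute([$uname, $hash]);
}

// Login: fetch the stored hash, then let password_verify() re-hash the input
// with the salt embedded in that hash and compare in constant time. A SQL
// "where password = '$pass'" cannot work with a salted crypt(): each call with
// a fresh salt yields a different string, so nothing would ever match.
function authenticate(PDO $db, string $uname, string $plain): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $stmt = $db->prepare('SELECT password FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: verify against a dummy hash so the response time
        // does not reveal which usernames exist.
        password_verify($plain, $dummy);
        return false;
    }
    return password_verify($plain, $hash);
}

register($db, 'testuser', 'mypassword');
var_dump(authenticate($db, 'testuser', 'mypassword'));
var_dump(authenticate($db, 'testuser', 'not-my-password'));
var_dump(authenticate($db, 'no-such-user', 'mypassword'));
```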
Fresh-Faced Recruit
Join Date: May 2002
Location: Ft Lauderdale
Thanks for clearing that up. I guess I don't really want these functions if they are 1-way encrypted. I am planning on using email address and password for login. I want to be able to email forgotten passwords and at the same time keep the passwords securely encrypted in the database...from what I read in MySQL docs I can use encode() / decode(), aes_encrypt() / aes_decrypt(), or des_encrypt() / des_decrypt()
and password(), md5(), sha[1]() are 1-way encryption.
Junior Member
Join Date: Jul 2002
Location: Hang Loose, Hawaii
How does this sound? Using password('$password') both in the INSERT and the SELECT queries.
Can I have that cookie?
Fresh-Faced Recruit
Join Date: May 2002
Location: Ft Lauderdale
Yeah, using password() will work for logging in, but I also need to be able to send a "forgot password?" email to the user. So, I need encryption and decryption. I can do this with some of the other enc/dec functions, but this means that the decryption key must be stored as a variable somewhere online. I just feel a little uneasy about this. I am also trying to come up with a method for storing credit cards, so that is the real reason why I am uneasy about using an encryption method whose key is stored online.
Junior Member
Join Date: Jul 2002
Location: Hang Loose, Hawaii
so, does anybody have a clue how to go about resetting the passwd and giving the user a new one?
what kind of thing is most sensible to do? hopefully not leaving it blank. maybe just generating some random number/letter password, emailing it to the user w/ a link to where they can change the password?
BTW, i wouldn't store CC numbers anywhere online. Sure, Amazon.com does it, but unless u've got a super-powerful Oracle-like db, i think it just ain't safe.
Can I have that cookie?
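An added example, not the poster's code, of the reset approach described in the post above: a random token is emailed in a link, only its hash is stored, and it expires quickly, so no password ever needs to be decrypted or emailed and no decryption key has to live on the server. It assumes PHP 7+; the in-memory array and the example.invalid link are constructed stand-ins for a reset_tokens table and the real site URL.

```php
<?php
// Added example, not from the thread: a forgot-password flow that never stores
// a decryption key or emails the old password, only a short-lived reset link.
// Assumes PHP 7+ (random_bytes, hash_equals). An in-memory array stands in for
// a reset_tokens table (uname, token_hash, expires) so the script runs offline.
const RESET_TTL = 900; // seconds a reset link stays valid

// Mint a one-time token for the user. Only its SHA-256 hash is kept, so a
// leaked copy of the table cannot be used to take over accounts; the raw
// token goes into the emailed link and nowhere else.
function createResetToken(array &$tokens, string $uname, int $now): string
{
    $raw = bin2hex(random_bytes(32)); // 256 bits of entropy, URL-safe hex
    $tokens[$uname] = [
        'hash'    => hash('sha256', $raw),
        'expires' => $now + RESET_TTL,
    ];
    return $raw;
}

// Redeem the token when the link is followed: constant-time compare of the
// hashes, reject expired tokens, and consume the record either way so the
// link is strictly single-use.
function redeemResetToken(array &$tokens, string $uname, string $raw, int $now): bool
{
    if (!isset($tokens[$uname])) {
        return false;
    }
    $rec = $tokens[$uname];
    unset($tokens[$uname]); // single use, whether or not it verifies
    return $now <= $rec['expires']
        && hash_equals($rec['hash'], hash('sha256', $raw));
}

// After a successful redeem the user picks a new password, which is stored
// with password_hash() as usual; the old one was never recoverable.
$tokens = [];
$now = time();
$raw = createResetToken($tokens, 'testuser', $now);
echo "Link for the email: https://example.invalid/reset?u=testuser&t=$raw\n";
var_dump(redeemResetToken($tokens, 'testuser', $raw, $now + 60));            // first use, in time
var_dump(redeemResetToken($tokens, 'testuser', $raw, $now + 60));            // second use of same link
$raw = createResetToken($tokens, 'testuser', $now);
var_dump(redeemResetToken($tokens, 'testuser', $raw, $now + RESET_TTL + 1)); // use after expiry
```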
Fresh-Faced Recruit
Join Date: May 2002
Location: Ft Lauderdale
For passwords, just don't use a 1-way encryption function (password()). Try the encode()/decode() functions. For storing a database with cc's, I think you would need a box storing the db, and connect that box to the webserver. That would make it pretty tough to get at since it wouldn't be directly accessible from the internet.