password decryption in MySQL
I am having a problem with password storage in MySQL. It is something like this.
I have a form for my users to change their password, and in that form there is an input field called old_password. In the database the passwords I stored were all encrypted with the MySQL function PASSWORD(), so the problem is that I cannot make a comparison between $old_password and the encrypted password in the database, because I don't know the function to decrypt the password in the MySQL database.
Can anyone give me the answer to this?
krycek
04-17-2003, 10:22 PM
DON'T CROSS-POST!!! :mad:
http://www.codingforums.com/showthread.php?s=&threadid=18510
::] krycek [::
Look at you man, you did that too.
http://www.codingforums.com/showthread.php?s=&threadid=18510 ,
all I want is the answer to this question.
No matter how many times I have to ask.
Bahy, don't get mad. You shouldn't crosspost. Period.
Now lets move on to your question.
I'm a bit confused there. With "user", do you mean MySQL users or users of your application? If they are application users, then you shouldn't encrypt their password inside the db. Just store it there as they type it in. If you need to encrypt it for extra security, choose your own encryption algorithm (and you'll have the key to generate the original value).
This way the comparison problem is gone.
If they are MySQL db users, then it's kinda risky to let them change it themselves in your app. This should better be done by the DBA.
If you can't compare it, how do you then identify the users? They will have to fill in some logon form, no? There you'd have the 'old' password. You could store that somewhere (session variable or so, even encrypted if necessary) and retrieve that value when they submit the 'change password' page where they had to fill in their old and new passwords.
Just some thoughts.
krycek
04-18-2003, 07:50 PM
Originally posted by bahy
Look at you man, you did that too.
http://www.codingforums.com/showthread.php?s=&threadid=18510 ,
all I want is the answer to this question.
No matter how many times I have to ask.
no.
I didn't cross-post.
::] krycek [::
I am talking about the users of the application. Like all you said above, the way of password encryption, it is that.
But when we use MySQL, it has a function PASSWORD() that returns an encrypted string for us. But we can only use this inside the query sentence. When the users register I make a query using this function like this
"INSERT INTO user(username,password) VALUES('$username', PASSWORD('$password'))";
then when the user logs on I make another query
"SELECT * FROM user WHERE username='$username' AND password=PASSWORD('$password')"; then it works.
Next, when I want to compare a $var with the stored password, as you Raf told before, I must know the key to the encryption of the MySQL function PASSWORD(), but I don't, so I am asking here if anyone knows and can share it with the others.
That's what I am looking for.
OK. So the user logs in. Then you have his old password and you could store that in a session variable and retrieve it when he wants to change it.
Or you ask for it again on the "change password page", which is also more secure. I've seen some dbs and applications doing this.
The form then looks like
Old password : __________
New password : ___________
Retype new password : __________
You then have all the info you need to select the right record and update the password value. Something like
$updatesql = "UPDATE user SET password=PASSWORD('" . $_POST["newpassword"] . "') WHERE password=PASSWORD('" . $_POST["oldpassword"] . "') AND username='" . $_SESSION["username"] . "'";
Jon T
10-19-2003, 12:45 PM
Will this decrypt the password?
No.
Passwords should be stored as the result of an irreversible but repeatable encoding algorithm.
What you then do is store encrypt(value).
When the user logs in, you use the same encoding algorithm with the same seed, and if the user entered the original value, the outcome will be the same.
So you compare the result of two identical processes, which only have the same output if the input value was the same.
Jon T
10-21-2003, 09:53 AM
Cool!
ghuebgtz
10-04-2007, 11:20 AM
sorry, I have some questions here...
ghuebgtz
10-04-2007, 11:24 AM
sorry, I have a question here....
I've used the password() function... but I don't know how to decrypt that....
I really need that because right now I'm building a forgot-password menu and I really need a decrypted password... please help me.. thanks...:)
Daemonspyre
10-04-2007, 02:15 PM
PASSWORD is a non-reversible encryption algorithm.
If you need to use reversible encryption, look at AES_ENCRYPT/AES_DECRYPT, DES_ENCRYPT/DES_DECRYPT (only for SSL connections), and ENCODE/DECODE.
Please see the manual for more details on the Encryption algorithms available for MySQL.
http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html
guelphdad
10-04-2007, 02:40 PM
Short and simple answer: if you can decrypt the password then it isn't safe.
Long answer: don't use PASSWORD() for anything other than creating a password for a user in MySQL. If you are using it through an interface or storing its output for any other reason (i.e. creating a password for users in your application or website etc.) then you should not be using PASSWORD, as MySQL themselves warn. They change the algorithm from time to time and it isn't always compatible moving forward.
You should use SHA1 as your password hash. You then should NOT try to decrypt the password. You should compare the hash of the password entered against the one in the database. If they match, grant access; if they don't, deny it. If they need a new one, you issue one via email or whatever.
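The compare-instead-of-decrypt flow Raf and guelphdad describe (login, a change-password page that checks the old password, and a forgot-password reset that issues a new one), as an added Python example that is not from this thread. It uses a salted PBKDF2 hash in place of MySQL's PASSWORD() or bare SHA1, and a dictionary stands in for the user table.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory stand-in for the `user` table: each row keeps a random
# per-user salt and the one-way hash, never the password itself.
USERS = {}
ITERATIONS = 200_000


def _hash(password: str, salt: bytes) -> bytes:
    # Irreversible but repeatable: same password + same salt -> same digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    # Also used to overwrite a row: a new salt and hash replace the old ones.
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}


def verify(username: str, password: str) -> bool:
    row = USERS.get(username)
    if row is None:
        return False
    # Recompute with the stored salt and compare digests in constant time.
    return hmac.compare_digest(_hash(password, row["salt"]), row["hash"])


def change_password(username: str, old_password: str, new_password: str) -> bool:
    # The old_password check from the first post: re-hash and compare, no decryption.
    if not verify(username, old_password):
        return False
    register(username, new_password)
    return True


def reset_password(username: str) -> Optional[str]:
    # Forgot-password: the stored value cannot be recovered, so issue a fresh one
    # to be delivered out of band (e.g. by e-mail) and changed on first login.
    if username not in USERS:
        return None
    temp = secrets.token_urlsafe(12)
    register(username, temp)
    return temp
```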