Ahh, well then, another solution could be to use SSL; it depends on your
application whether you can get away with using an unsigned certificate (free) or
whether you will need to pay a company like Verisign to prove your identity.
With an unsigned certificate the browser will warn the user that the certificate says
it's you, but it's not proven by a CA so it might not be you.
The JavaScript MD5 technique is an interesting way of doing it, but I don't think it's
any more secure. If a hacker sniffs the md5 hash how is that any different than him
sniffing a plain text password? You're comparing hashes, so as long as he has the hash
he's in.
On Thu, Jul 19, 2001 at 01:58:43PM -0500, Sheridan Saint-Michel wrote:
> The problem he is addressing is that the password is sent plaintext to the
> server before it ever gets to MySQL.
>
> I would suggest using a JavaScript program like this
> http://pajhome.org.uk/crypt/md5/md5src.html
>
> and then using the PHP md5 function on the server side and comparing the two
> results.
> That way the only thing that ever gets transmitted is an md5 hash =P
>
> Sheridan
>
> ----- Original Message -----
> From: Jeff Bearer <[EMAIL PROTECTED]>
> To: Tom Malone <[EMAIL PROTECTED]>
> Cc: PHP Users <[EMAIL PROTECTED]>
> Sent: Thursday, July 19, 2001 12:17 PM
> Subject: Re: [PHP] encryption
>
>
> > I'd use the password function in mysql to store encrypted passwords, I'd
> > be interested to hear if anyone has a reason that doing this is not a good idea.
> >
> >
> >
> > On Thu, Jul 19, 2001 at 12:52:55PM -0400, Tom Malone wrote:
> > > Hello!
> > >
> > > I have a small problem. On my website there is some information I would
> > > like to protect. Right now I am using .htaccess to password-protect the
> > > directory, but I was thinking about using php and a form with
> > > usernames/passwords in a MySQL database. Thankfully, I read the
> > > following in the manual right before I was about to use the crypt()
> > > function to encrypt my password and compare it to the encrypted hash in
> > > the DB:
> > >
> > > "It seems that a lot of people don't understand the point of using
> one-way
> > > encryption. More importantly, a lot of web designers forget that PHP
> > > encryption is done entirely on the web server, not the client.
> > >
> > >
> > >
> > > Point being, if your form has a password input option and the user
> > > clicks SUBMIT, the password is then sent _as plain text_ over the
> > > Internet to the web server where it is then encrypted for comparison
> > > against a password database.
> > >
> > >
> > >
> > > Do _not_ use these types of functions to add security to a form unless
> > > you're using an SSL or TLS (etc.) encrypted session. The only potential
> > > way around this issue is for you to write a JavaScript program that does
> > > the hashing on the client side before being sent over the Internet
> > > (which would make this function unnecessary)."
> > >
> > > I am pretty new to PHP and absolutely clueless as far as
> > > encryption/algorithms are concerned. Could anyone possibly point me to
> > > a viable solution for this problem?
> > >
> > > Thanks in advance!
> > >
> > > Tom Malone
> > >
--
Jeff Bearer, RHCE
Webmaster
PittsburghLIVE.com
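The point made in the reply above, as an added example that is not part of the thread: a small in-process simulation of both schemes discussed (the browser-side JavaScript MD5 compared against a stored md5 in PHP, and the original post-the-password-then-hash-on-the-server approach). The user table, password and function names are constructed for the example; `hashlib.md5` stands in for the pajhome JavaScript and for PHP's `md5()`.

```python
import hashlib

# Constructed sample user table: the client-hash scheme has to store md5(password)
# so the server can compare it directly against what the browser posts.
USERS_MD5 = {"tom": hashlib.md5(b"correct horse battery").hexdigest()}


def browser_submit_hashed(user: str, password: str) -> dict:
    """Sheridan's scheme: the JavaScript MD5 runs in the browser and only the
    hex digest is posted (hashlib stands in for the JavaScript implementation)."""
    return {"user": user, "token": hashlib.md5(password.encode()).hexdigest()}


def browser_submit_plain(user: str, password: str) -> dict:
    """Tom's original approach: the form posts the password itself."""
    return {"user": user, "token": password}


def server_check_hashed(req: dict) -> bool:
    """PHP side of the client-hash scheme: compare the posted digest to the stored one."""
    return USERS_MD5.get(req["user"]) == req["token"]


def server_check_plain(req: dict) -> bool:
    """PHP side of the server-hash scheme: md5() the posted password, then compare."""
    digest = hashlib.md5(req["token"].encode()).hexdigest()
    return USERS_MD5.get(req["user"]) == digest


def wire_token_is_login_equivalent(submit, check, user: str, password: str) -> bool:
    """Model a passive observer on an unencrypted link: it records the POST body
    exactly as it crossed the wire and later resubmits it unchanged, without ever
    learning the password. True means whatever was transmitted is itself enough
    to log in, so hashing in the browser buys nothing that TLS would not."""
    recorded = dict(submit(user, password))   # bytes seen on the wire, verbatim
    if not check(recorded):                    # the legitimate login must work
        return False
    recorded_again = dict(recorded)            # replay: same body, no password needed
    return check(recorded_again)


if __name__ == "__main__":
    for name, submit, check in (("client-side md5", browser_submit_hashed, server_check_hashed),
                                ("server-side md5", browser_submit_plain, server_check_plain)):
        eq = wire_token_is_login_equivalent(submit, check, "tom", "correct horse battery")
        print(f"{name}: observed token is login-equivalent: {eq}")
```

Both schemes print True: the observer never sees the password in the client-hash case, but the digest it did see is accepted by the server just the same, which is why the reply says only an encrypted session (SSL/TLS) changes the picture.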
--
PHP General Mailing List (http://www.php.net/)