Posted by Jeff North on 07/04/06 01:29
On Mon, 3 Jul 2006 19:05:55 +0200, in comp.lang.php "Alvaro G.
Vicario" <webmaster@NOSPAMdemogracia.com>
<3dekivjoxckt$.v0ni2i9uhbld$.dlg@40tude.net> wrote:
>| I'm writing a web application that needs to keep passwords in a database.
>| These passwords are for third-party services and are different from the
>| regular login passwords.
>|
>| I don't like storing this sensitive info as plain text and one-way hashing
>| is not an option because I need the actual passwords. I've done some quick
>| research and it seems that symmetric encryption algorithms (blowfish, AES)
>| provide a reasonable solution. I don't need a 100% hacker-proof system but I
>| don't want my security to be too dumb.
You don't mention what database you are using, but if you are using
MySQL 5.x then you're halfway there (any database that allows VIEWS
will suffice).
What I have done is create 2 views.
One to retrieve the decrypted password.
One to update/change the user details that also encrypts the password.
The 'get' view looks similar to:
CREATE VIEW vw_get_user_details AS
SELECT ID, UName, AES_DECRYPT(Pword, '<36 character encrypt string>') AS pword
FROM usersInfo;
In php all you will see when validating a user is:
$sql = "SELECT * FROM vw_get_user_details WHERE UName='$txtUname' AND
pword='$txtPword'";
The $txtUname and $txtPword have been 'escaped' to prevent SQL
injection.
Alternatively you could use .htaccess file if your host allows it.
---------------------------------------------------------------
jnorthau@yourpantsyahoo.com.au : Remove your pants to reply
---------------------------------------------------------------
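A full version of the two-view arrangement described in the reply above, as an added example rather than code from the post. The table, column names, the 'webapp' account and the stored procedure are assumptions (the post does not show its update view, and a column computed with AES_ENCRYPT() cannot be written through a view, so the "set" side is a procedure here); the key is left as the same placeholder the post uses.

```sql
-- Added example, not the original post's code.
-- Assumed schema: a users table whose password column holds AES_ENCRYPT() output.
CREATE TABLE usersInfo (
    ID    INT AUTO_INCREMENT PRIMARY KEY,
    UName VARCHAR(64) NOT NULL UNIQUE,
    Pword VARBINARY(64) NOT NULL          -- AES_ENCRYPT() returns binary, not text
);

-- "get" view: the application reads the decrypted value without touching the base table.
CREATE VIEW vw_get_user_details AS
SELECT ID,
       UName,
       CAST(AES_DECRYPT(Pword, '<36 character encrypt string>') AS CHAR) AS pword
FROM usersInfo;

-- "set" side (assumption: a stored procedure, since an AES_ENCRYPT() column in a
-- view is not updatable). It encrypts on the way in, so plaintext never hits the table.
DELIMITER $$
CREATE PROCEDURE sp_set_user_password(IN p_uname VARCHAR(64), IN p_pword VARCHAR(64))
BEGIN
    INSERT INTO usersInfo (UName, Pword)
    VALUES (p_uname, AES_ENCRYPT(p_pword, '<36 character encrypt string>'))
    ON DUPLICATE KEY UPDATE Pword = VALUES(Pword);
END$$
DELIMITER ;

-- Least privilege: the PHP account (assumed name 'webapp') gets the view and the
-- procedure only, never the base table. The key sits in the view and procedure
-- bodies, which are readable by accounts holding the SHOW VIEW privilege, so keep
-- that privilege off the application account as well.
GRANT SELECT  ON vw_get_user_details          TO 'webapp'@'localhost';
GRANT EXECUTE ON PROCEDURE sp_set_user_password TO 'webapp'@'localhost';

-- What the application runs (constructed sample values; from PHP these should be
-- bound parameters, or at least escaped as the reply notes).
CALL sp_set_user_password('alice', 'example-secret');
SELECT ID, UName FROM vw_get_user_details
WHERE UName = 'alice' AND pword = 'example-secret';
```

Note that MySQL's AES_ENCRYPT()/AES_DECRYPT() default to AES-128 in ECB mode, so identical passwords produce identical ciphertext in the table.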