Posted by Shelly on 01/02/06 14:44
Side issue that just occurred to me:
I store the user's password for an app in mysql in md5 encrypted form.
Since php is run on the server, does this mean that the unencrypted
password is actually passed over the net? I assume that it is the
unencrypted password that is used in the
passwd -O $oldpassword -P $newpassword $username
command.
Assuming I am correct, wouldn't sending the bare password over the net
pose a security breach? If so, how do all those web apps secure
things?
As another aside in this topic, couldn't the app (not running as root)
simply put a short file into a specified area and a cron job be running
to pick it up and do the root priv things (and then delete the file)?
Shelly
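The spool-file handoff Shelly sketches in the second question (unprivileged web app drops a request file, a root cron job picks it up, acts, and deletes it) is workable, but its security rests entirely on the privileged side refusing to trust anything in the spool. The following is an added illustration, not code from the thread: it assumes a spool directory that only the web app's uid can write to, a one-line JSON request format, and a caller-supplied `change_password` callable standing in for the actual privileged action. Two details the thread's `passwd -O $oldpassword -P $newpassword $username` line glosses over are built in: the username is checked against a strict pattern before it gets anywhere near a command, and the real action should feed the password on stdin (the way `chpasswd` reads `user:password` lines) rather than on argv, where any local user can read it from the process list. None of this changes the answer to the first question: hashing on the server with md5 says nothing about the wire, and the browser still sends the cleartext password unless the form is served over TLS.

```python
"""Spool-directory handoff between an unprivileged app and a root cron job.

Added example (not from the original thread). Assumptions: SPOOL_DIR is
writable only by the app's uid, requests are single JSON objects, and the
privileged action is injected as a callable so it can be tested offline.
"""
import json
import os
import re
import stat
import tempfile

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # POSIX-style login names only
MAX_REQUEST_BYTES = 4096


class RejectedRequest(ValueError):
    """Raised by the privileged consumer when a spool file fails a check."""


def enqueue_request(spool_dir, username, new_password):
    """Unprivileged side: write the request atomically, owner-readable only.

    Returns the final path. The consumer only looks at req-*.json, so a
    half-written .tmp-* file is never picked up.
    """
    if not USERNAME_RE.match(username):
        raise ValueError("username does not match the allowed pattern")
    body = json.dumps({"op": "chpass", "user": username, "new": new_password}).encode()
    fd, tmp = tempfile.mkstemp(dir=spool_dir, prefix=".tmp-")
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(body)
        final = os.path.join(spool_dir, "req-" + os.path.basename(tmp)[len(".tmp-"):] + ".json")
        os.rename(tmp, final)  # atomic publish
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


def load_request(path, expected_uid):
    """Privileged side: open without following symlinks, then check the open
    descriptor (not the path) for type, owner, mode and size before parsing."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise RejectedRequest(f"cannot open: {exc.strerror}")
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise RejectedRequest("not a regular file")
        if st.st_uid != expected_uid:
            raise RejectedRequest("unexpected owner")
        if st.st_mode & 0o077:
            raise RejectedRequest("group/other permissions set")
        if st.st_size > MAX_REQUEST_BYTES:
            raise RejectedRequest("request too large")
        raw = fh.read(MAX_REQUEST_BYTES)
    try:
        data = json.loads(raw)
    except ValueError:
        raise RejectedRequest("not valid JSON")
    if not isinstance(data, dict) or data.get("op") != "chpass":
        raise RejectedRequest("unsupported operation")
    user, new = data.get("user"), data.get("new")
    if not isinstance(user, str) or not USERNAME_RE.match(user):
        raise RejectedRequest("bad username")
    if not isinstance(new, str) or not 8 <= len(new) <= 128:
        raise RejectedRequest("bad password length")
    return user, new


def process_spool(spool_dir, expected_uid, change_password):
    """Drain the spool once (what the cron job would do each run).

    Every req-*.json file is validated, handed to change_password(user, new)
    only if it passes, and unlinked either way so a bad file cannot be retried
    forever. Returns a list of (filename, status) for logging.
    """
    results = []
    for name in sorted(os.listdir(spool_dir)):
        if not (name.startswith("req-") and name.endswith(".json")):
            continue
        path = os.path.join(spool_dir, name)
        try:
            user, new = load_request(path, expected_uid)
            change_password(user, new)  # real impl: feed "user:new" to chpasswd via stdin
            results.append((name, "ok"))
        except RejectedRequest as exc:
            results.append((name, f"rejected: {exc}"))
        finally:
            os.unlink(path)
    return results
```

Running this against a temporary directory with one well-formed request plus a world-readable file, a file whose username carries shell metacharacters, and a symlink dropped into the spool shows the consumer acting only on the first and discarding the rest. The `O_NOFOLLOW` plus `fstat` sequence matters: checking the path with `lstat` and then opening it by name leaves a window in which the file can be swapped.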