Operating System - LinuxのトピックRe: PHP & MySQL related query

PHP & MySQL related query

kcpant — Tue, 13 Sep 2005 00:43:32 GMT

Hi friends,

Not sure I'm putting my query inside proper category.This is related to password() function of MySQL and md5() function of PHP. I'm wondering that the result (encryption) produced by both command options is same or different. I want to make login procedure secure into my webpage, and using password() option to encrypt passwords into mysql databse. also I MD5ed the password entered by user at login.php by md5() option. but when I'm making a match expression (if password of php == password of database), i found i'm not able to login, which means both are not matching. It works fine if I enter text password in database and accept plain-text password from login.php. It shows that the encryption made by both commands are different, that's why the match exp. not resulting true.

Also, I'm getting an error display "cannot jump to row 0..." on login page. I know it is because of mysql_result() function, but I don't want it to be displayed on my login page.
I'm attaching the simple login.php script for your review.

thanks in advance

Re: PHP & MySQL related query

Sergejs Svitnevs — Tue, 13 Sep 2005 07:11:12 GMT

Hi,

Why do you use password function in mysql?
The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() instead.

Regards,
Sergejs

Re: PHP & MySQL related query

Stuart Browne — Wed, 14 Sep 2005 03:20:30 GMT

The encryption used by MySQL's 'password()' function is very different from the 'md5()' based encryptions.

You either use PHP's md5 functions, and store the md5 string (as plain-text) in the MySQL database, or you just use MySQL's password() function.

One, or the other.

Re: PHP & MySQL related query

Karsten Breivik_1 — Thu, 15 Sep 2005 02:49:06 GMT

Also, remember that there is a difference in the password function btw versions 3.2 and 4.0 (Esp the length of the encrypted string is different). Make sure you use the 4.0 correct MYSQL client library on the application side of your system - I guess this would be in apache.

Re: PHP & MySQL related query

kcpant — Thu, 15 Sep 2005 03:10:45 GMT

Hi Friends,

Thanks for the help provided by you all, but I'm sorry I think I was not able to explain the problem to you properly. Let me do it again:

scenario is : I'm using Mysql database to store username, password and group into a table. password is encrypted inside the table by using passoword('actual password entered by user') function at the time of inserting data. Now, I want to use a php login page on my website to authenticate user matching mysql data. I'm using php's md5() function to encrypt password entered by user on login.php form, and then I'm matching it against mysql's password. I found they are not getting matched, I understood ( as SB explained) that it is because of different type of encryption by md5() & password().

Now, as SB suggested to use either password() or md5(), I'm not able to understand if I use encryption on only one end ( either in database or in login.php form), how could they match and return true? please guide me to understand this...

thanks in advance, and please also let me know the solution for the error display as explained in first post.

Re: PHP & MySQL related query

Karsten Breivik_1 — Thu, 15 Sep 2005 03:18:07 GMT

Not entierly sure if this is what you are looking for, but with mySql version 4.1, MySQL ODBC 3.51 Driver users must use a password coded 'old-style'.
To accomplish this, update users with the following SQL:

mysql> USE mysql;
mysql> UPDATE mysql.user SET Password = OLD_PASSWORD('newPassword') WHERE Host = 'someHost' AND User = 'someUser';
mysql> FLUSH PRIVILEGES;

Re: PHP & MySQL related query

Stuart Browne — Thu, 15 Sep 2005 03:18:15 GMT

MySQL entry:

insert into usertable (user, group, password) values ('userone', 'group1', password('actualpasswordenteredbyuser'));

Pretty standard, you'll have

Login.php:

select user, group, password from usertable where user = 'userone' and password = password('passwordfromlogin.php');

Basically, you get MySQL to do the password matching. If you get a record back, then you've successfully entered the password. If you don't get any records back, then they made a boo-boo.

Re: PHP & MySQL related query

renarios — Wed, 21 Sep 2005 05:58:56 GMT

Hi,

In the /etc/httpd/conf.d/auth_mysql.conf there are a few comment lines how to manage your issue. Look in that file and find your answers.

Hope that helps,

Renarios

Re: PHP & MySQL related query

David Logan_2 — Wed, 19 Oct 2005 01:41:12 GMT

Hi,

I presume that you are having a problem getting the password into the database in a valid format in the first place. Why not, when you insert the userid/password into the database, use the MD5 function in MYSQL?

eg. INSERT into table SET password=MD5('string');

Regards

Re: PHP & MySQL related query

kcpant — Wed, 04 Jan 2006 02:05:42 GMT

Closing threads open from a long time....