Storing passwords in Oracle

Moderator: General Moderators

Tubbietoeter
Forum Contributor
Posts: 149
Joined: Fri Mar 14, 2003 2:41 am
Location: Germany

Storing passwords in Oracle

Post by Tubbietoeter »

Hi,

I want to keep the users of a web site in a database. The passwords must be encrypted. If the user logs in, the password he entered must be compared to the password that is stored in the database.
I haven't found an Oracle function to encrypt and decrypt passwords, so I guess I would have to do that in PHP.
What would be the best approach? As far as I know there are several possibilities but I just don't know which one is best.
Can someone maybe post some code here I could use?

Thanks,

Steff
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

You NEVER need to decrypt a password. All you do is encode the password the user enters and then compare that value with what is stored in the database. md5() is usually fine for the encoding.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

It does make the traditional "Forgot Your Password" feature rather obsolete, but instead of displaying the password they forgot, you just need to take them to an area to make a new one.
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

Well, it's also far more secure if you never decrypt the password. With things like "forgot your password" where it emails you your password is very insecure as anybody could intercept it or read your mail, and with users generally using the same password for all things - it's a huge problem.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

kettle_drum wrote: With things like "forgot your password" where it emails you your password is very insecure as anybody could intercept it or read your mail, and with users generally using the same password for all things - it's a huge problem.
Forgetting a password is insecure by definition :lol:
Tubbietoeter wrote: The passwords must be encrypted. If the user logs in, the password he entered must be compared to the password that is stored in the database.
md5() or sha1() is what you need.

PS: There were rumours that someone has found an md5 collision, not sure if it was true but anyway...
Tubbietoeter
Forum Contributor
Posts: 149
Joined: Fri Mar 14, 2003 2:41 am
Location: Germany

Post by Tubbietoeter »

Thanks all. That is what I needed to know.

So a varchar2 datatype should be fine for Oracle then. Cool.
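
The hash-and-compare login discussed in this thread, as an added example that is not code from any of the posters: it uses PHP's built-in password_hash()/password_verify() (salted and deliberately slow) rather than a bare md5(), and upgrades a legacy md5() value on the next successful login. The $users array is a constructed stand-in for the Oracle table; the function names, DUMMY_HASH and the column sizes in the comment are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for an Oracle table such as
//   USERS(USERNAME VARCHAR2(64), PW_HASH VARCHAR2(255))   -- column sizes are assumptions
// 'alice' holds a legacy unsalted md5() value of the kind suggested in the thread.
$users = ['alice' => md5('correct horse')];

// Verified for unknown user names so both failure paths cost about the same time.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/** Store only a salted, slow hash; the plaintext is never written anywhere. */
function register_user(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

/** Hash-and-compare login: the stored value is never decrypted. */
function login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy row: compare md5 digests in constant time.
        $ok = hash_equals($stored, md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    // On success, replace legacy or outdated hashes while the plaintext is at hand.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

register_user($users, 'bob', 's3cret!');
var_dump(login($users, 'bob', 's3cret!'));         // correct password
var_dump(login($users, 'bob', 'wrong'));           // wrong password
var_dump(login($users, 'alice', 'correct horse')); // legacy md5 row, upgraded on success
var_dump(password_get_info($users['alice'])['algoName']); // alice's row after the upgrade
```

The PHP manual recommends a 255-character column for PASSWORD_DEFAULT output, so a VARCHAR2(255) leaves room for future algorithms.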