Decoding a retrieved password from mysql [answer found!]

Posted: Wed Oct 24, 2007 2:06 pm
by markusn00b
Another day, another question. :)

I'm now onto building a login for my current project - image host.

User submits password > password is encoded
Like so:

Code:

('$username', PASSWORD('$password'), '$dispName', '$email')";

Now say, if I were to email them their password (they've forgotten it?), it would send the encoded password and not the one they input! And I'm unsure of how to decode it.

This is just something I was using to see how I could decode it; this isn't the actual way I will go about it ;)

Obviously it doesn't work..

Code:

$query = "SELECT `ziprar_loginPass` FROM `ziprar_users` WHERE `ziprar_loginName` = 'markusn00b'";
$res = mysql_query($query);
while($row = mysql_fetch_array($res)){
	echo $row['PASSWORD(ziprar_loginPass)'];
}

Any ideas?

Thanks :)

Posted: Wed Oct 24, 2007 4:30 pm
by feyd
The PASSWORD function in MySQL is not intended for use outside of MySQL internals. This means all user created tables.

Posted: Wed Oct 24, 2007 4:44 pm
by seppo0010
As feyd said, the password function is not intended to be used for your application; instead you can use MD5 or SHA1 functions. These are one-way encryption and you can't get the unencrypted value. If you want to make a "forgot your password?" you can generate a new random one, overwrite the previous pass, and send it by email. If you want to be able to decrypt it, you should use AES_ENCRYPT / AES_DECRYPT, or DES_ENCRYPT / DES_DECRYPT. You can find more information in the MySQL manual http://dev.mysql.com/doc/refman/5.1/en/ ... tions.html

Posted: Wed Oct 24, 2007 5:11 pm
by feyd
I'll add that there are even stronger hashing methods. One I wrote, for example (search for SHA256). Also, unless there's a really really good reason to be able to decrypt the passwords, never store them in a format that can be decrypted.
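
The reset flow described in the thread (store only a one-way hash, and on "forgot your password" overwrite it with a new random password instead of decoding the old one), as an added example that is not part of any post above. It assumes PHP's password_hash()/password_verify() in place of the MD5/SHA1 functions mentioned, uses an in-memory SQLite database as a stand-in for MySQL, and the function names are hypothetical; the table and column names are the ones from the question.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL so the script runs offline; table and column names are the ones
// from the question, the function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ziprar_users (
    ziprar_loginName TEXT PRIMARY KEY,
    ziprar_loginPass TEXT NOT NULL)');

// Store only a salted one-way hash; the hashing happens in PHP, not in SQL.
function registerUser(PDO $db, string $name, string $password): void
{
    $stmt = $db->prepare('INSERT INTO ziprar_users VALUES (?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login check: verify the submitted password against the stored hash.
function checkLogin(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT ziprar_loginPass FROM ziprar_users WHERE ziprar_loginName = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// "Forgot your password": nothing is decoded. A new random password
// replaces the old hash and is returned so the caller can email it.
function resetPassword(PDO $db, string $name): ?string
{
    $new = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
    $stmt = $db->prepare(
        'UPDATE ziprar_users SET ziprar_loginPass = ? WHERE ziprar_loginName = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $name]);
    return $stmt->rowCount() === 1 ? $new : null; // null: no such user
}

// Constructed sample data.
registerUser($db, 'markusn00b', 'original-pass');
var_dump(checkLogin($db, 'markusn00b', 'original-pass')); // original, before reset
$new = resetPassword($db, 'markusn00b');
var_dump(checkLogin($db, 'markusn00b', 'original-pass')); // original, after reset
var_dump(checkLogin($db, 'markusn00b', $new));            // the emailed password
var_dump(resetPassword($db, 'nobody'));                   // unknown login name
```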