NYCPHP Meetup

NYPHP.org

[nycphp-talk] security, sessions, and encryption

Aaron Fischer agfische at email.smith.edu
Tue Mar 16 09:48:52 EST 2004


OK, so:

1.  SSL protects the data from being sniffed out as it goes from the 
form on the client machine to the server.  This seems to be the only 
way, or at least the best way to prevent the data from being 
transmitted in the clear?
2.  When you crypt their password to compare it to the one stored in 
the database, and it's a one way encryption, that means that the 
password stored in your database has been put in via crypt as well at 
some point, correct?

-Aaron

On Mar 16, 2004, at 9:28 AM, Jeff Siegel wrote:

> For login purposes, I have people log in through SSL and have their 
> passwords encrypted using "crypt." Crypt does a one-way encryption so 
> you encrypt their password that they input on the form and compare it 
> to what's stored in the database. (Basically no. 2 in your list.)
>
> If someone should somehow gain access to the database or some other 
> catastrophe might occur, they'd see something like the following in 
> your table's password field: LSoxL6eUJCUYg. (Of course, if someone 
> gained access to your database...you've got bigger issues to handle.)
>
> Jeff Siegel
>
> Aaron Fischer wrote:
>
>> Hi all,
>> I'm working up a little application that will require password 
>> authentication to gain entry into the site.  The login page will 
>> query the username/password information that is stored in a MySQL 
>> table.  I plan on using sessions to enable the authorized user to 
>> travel around the site and also to prevent an unauthorized user from 
>> gaining access to the site.
>> My main question revolves around encryption.  The sources that I 
>> have been referencing advocate for encrypting the password during the 
>> authentication process.  However, I've been frustrated by how briefly 
>> this topic is passed over in my books.  The little application that I 
>> am working on now only has fairly low level security needs and 
>> encryption may be overkill, but I have another project coming down 
>> the line where the security needs will be greater, so I might as well 
>> get started learning this stuff now!  Like, one question I have is, 
>> why encrypt?  What am I preventing from happening?
>> In general I am interested in what methods of securing an application 
>> folks recommend.  I'd like to read up about general theories on 
>> protection and types of misuse/attacks as well as learn about 
>> specific methods of protection.  I'd also be interested in hearing 
>> references for good books that deal with security (shameless plugs 
>> are welcome).
>> The two methods I have seen recommended so far are:
>> 1.  MySQL encryption via "password" function:
>> A preexisting script I inherited uses this method where the form 
>> submission is encrypted in the SQL query statement.
>>     "select * from tablename where name = '$_POST[name]' and pass = 
>> password('$_POST[password]')";
>> So, the password is encrypted using MySQL's password encryption and 
>> is compared to the encrypted version stored in the table.  However, 
>> when I read the MySQL documentation, I came across these lines:
>>     "Note: The PASSWORD() function is used by the authentication 
>> system in MySQL Server, you should NOT use it in your own 
>> applications. For that purpose, use MD5() or SHA1() instead. Also see 
>> RFC-2195 for more information about handling passwords and 
>> authentication securely in your application."
>> So, it seems that this method is a no-no.
>> 2.  Encrypt using php, which can use the available encryption methods 
>> which are available on the server operating system.  In the book that 
>> recommends using crypt() my issue is that it doesn't explain how it 
>> is working or what's going on behind the scenes and I haven't been 
>> able to find good documentation online that will help me either.  The 
>> crypt() code line in the book is:
>>     "if ( (crypt($password, $result[password])) == $result[password]) 
>> {  // start session
>> I'd appreciate any feedback on the aforementioned methods, as well 
>> as book or online resource references.
>> Cheers,
>> -Aaron
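An added example, not code from the thread, showing both halves of the crypt() approach Jeff describes in PHP: hashing once at registration with a fresh random salt (the answer to Aaron's question 2), and checking at login by handing the stored hash back to crypt() as its salt argument. It assumes PHP 7 or later for random_bytes() and hash_equals(), and uses the SHA-512 crypt format rather than the 13-character DES form in Jeff's example.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ (random_bytes, hash_equals).

// Build a random salt from crypt()'s alphabet [./0-9A-Za-z]. base64 also emits
// '+', which is not in that alphabet, so it is mapped to '.'; '/' is allowed.
function make_salt(int $length = 16): string
{
    $raw = base64_encode(random_bytes($length));
    return substr(strtr($raw, '+', '.'), 0, $length);
}

// Registration: hash the password once with a fresh salt. The returned string
// carries the algorithm id ($6$ = SHA-512 crypt) and the salt in front of the
// digest, so the single string is all that goes into the table's password column.
function make_password_hash(string $password): string
{
    $salt = '$6$' . make_salt() . '$';
    $hash = crypt($password, $salt);
    // On failure (e.g. an unsupported format) crypt() returns a short string.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed to hash the password');
    }
    return $hash;
}

// Login: run crypt() on the submitted password with the stored hash as the
// "salt" argument. crypt() reads the $6$<salt>$ prefix from it, reuses that
// salt, and reproduces the same digest only when the password matches. This is
// why the book's crypt($password, $result[password]) == $result[password] works.
// hash_equals() compares in constant time instead of a plain ==.
function check_password(string $password, string $stored_hash): bool
{
    return hash_equals($stored_hash, crypt($password, $stored_hash));
}

// Demo with a constructed password; the stored value differs on every run
// because the salt is random, yet every stored value still verifies.
$stored = make_password_hash('correct horse');
echo "stored in DB: $stored\n";
echo 'right password: ', check_password('correct horse', $stored) ? 'ok' : 'fail', "\n";
echo 'wrong password: ', check_password('wrong horse', $stored) ? 'ok' : 'fail', "\n";
```

Note that the stored column must be wide enough for the full crypt() string (over 100 characters for the SHA-512 form), not just the 13 characters of the DES form.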
