password()

Anon

I can use the password() function fine to enter a password into MySQL table, it's retrieving it that's the problem. I'm using the exact code out of a PHP book and I just can't get the darn thing to work. Am i right in presuming that if you set $pass = PASSWORD(mypassword) that MySQL encrypts it and then to unencrypt it you just do the same? ie. $pass = PASSWORD($password) (where $password is the value entered into the login form?

Here's the code:
<?
session_start();
if ($op == "ds") {
$connection = @mysql_connect("localhost", "admin", "gorillaz") or die("Couldn't connect.");
$db = mysql_select_db("neaDB", $connection) or die("Couldn't select database.");

$sql = "SELECT * FROM user WHERE username = \"$username\" AND password = PASSWORD(\"$password\")";
$result = @mysql_query($sql, $connection) or die("Couldn't execute query.");

while ($row = mysql_fetch_array($result)) {
	$username = $row[username];
	$password = $row[password];
}
$num = mysql_numrows($result);

if ($num != "0") {
	session_register('valid');
	$HTTP_SESSION_VARS[valid] = "yes";
	$show_menu = "yes";
} else {
	$msg = "Bad Login. Please try again.";
	$show_menu = "no";
}

} else {
if ($HTTP_SESSION_VARS[valid] == "yes") {
$show_menu = "yes";
} else {
$show_menu = "no";
}
}
?>

i've also tried adding: echo "$username $password";

just to see if it's working at all, and it's the encrypted password that is echoed not the unencrypted one.

please help me!!!

[deleted]

That's because the password() function cannot be decrypted.

http://www.mysql.com/doc/M/i/Miscellaneous_functions.html

Anon

The PASSWORD() function is a ONE-WAY encription method. You can't translate a PASSWORD() generated string back to the originally entered password (unless you crack it by trying all possible passwords and comparing the results).

Erik

Anon

but my book (PHP fast&easy) says that the above code doesn't try to un-encrypt what's in the database, but encrypts what the user put in the form then compares that to the encrypted password in the db, ie. comparing the 2 encrypted versions of the password rather than decrypting the password that's in the db.

Anon

Your book is right. It's what I was trying to say in my previous message.

Erik

Anon

so how come i can't get it to work then? it is exactly the same as in the book, and i've also tried changing bits of it to no avail. it's not a setting somewhere is it?

Anon

emily, you aren't quite understanding i think. The theory of this is that someone enters in a password like SPUD and you pass that value throught the mysql function password like password('SPUD') then you insert it into your table and instead of looking like SPUD it now looks like ASDFLK2JK34ASFD or whatever ... after that you can no longer take ASDFLK2JK34ASFD and have it tell you that it means SPUD, you can not un-encrypt that value, at least not with any mysql function. What you are probably looking to do is something like this ...
SELECT count(*) FROM tableName WHERE usersPassword=password('SPUD') This will then encrypt whatever the user submitted through the form and check your database to see if it matches any other encrypted passwords in there.

That is really the only way to do what you are talking about.

Hope this made more sense.

Anon

Yes I understand exactly. The problem is that the MySQL password() function just isn't working, i.e. it isn't producing a hash of SPUD when used through a PHP page, but it is if I do it directly in the mysql monitor. Can you explain that one? I have tried:
SELECT count(*) FROM tableName WHERE usersPassword=password('SPUD')

and other variations on the theme to no avail. I understand that pasword() doesn't un-encrypt and that in this situation i am asking it to compare a hashed version of the inputted password with the password (stored as a hash) in the database.

everyone over at devshed seems stumped too, so it isn't just me being a thicko!