[Resolved] Encrypted connection to MySQL?

4rxsid

Hi all,

I've recently upgraded my mysql to v 4.1.1 and set the Passwords in the user table to the mysql Password() function.

Now, this doesn't work anymore (which is a good thing, cause it's plain text):

mysql_connect ("localhost", "theID", "thePassord");

gives me this error:

Client does not support authentication protocol requested by server ...

Since my mysql.mysql user table now has the 41 bit encrypted passwords stored...how to I connect with my php scripts?
I've tried md5(), sha1()...but they don't generate the same 41 bit encrypted password.

Anyone have a suggestion?

Thanks!

poison

AFAIK
you need the mysqli extension, the mysql extension doesn't work anymore for 4.1+
http://php.net/manual/en/ref.mysqli.php
regards

4rxsid

wow...that's awesome, I guess I didn't pay too much attention to the newer php v5 and it's mysqli updates.

problem is though, it still appears that they are sending password as plain text like before, just now it with the new

$link = mysqli_connect("localhost", "my_user", "my_password", "world");

my_password is still plain text.

any other suggestions?

poison

the passwd is only sent encrypted when using SSL ->
http://php.net/manual/en/function.mysqli-ssl-set.php
regards

4rxsid

hmm...

so in short, there is no way for php (via a native function, or ?) to take a password and encrypt it to match the encrypted password in the mysql 4.1.1. db.

in other words, password mypassword is stored in the db for user localhost on host=localhost, in the user table via the password(mypassword) mysql function.

then, when trying to make a db conection via a web script using user localhost and password mypassword, there is no way to encrypt that password so that it matches that of the mysql encryption?

sounds like one of the php conributing developers should code a function to do just that. i would...but im no where near that good 🙂 just full of lots of questions!

poison

AFAIK...g the PASSWORD() function in MySQL is a one-way-hashing function, like md or sha, which means it can't be decrypted. a native PHP function would, by the way be pretty useless. if your after transmitting the password /securely/ from PHP to the MySQL server there is only one option...
use SSL connection to server...this will guarantee that the password and the data is beeing transmitted between php and the MySQL server safely. this is supported by the mysqli api natively
it doesn't make any difference if your transmitting a plaintext password or a hashed passord in plaintext...or even transmit the encrypted password in plaintext...if you know what I mean...it's all the same..
you can probably test the password with with an SQL query (didn't find anything useful on that...). a quote from the manual:
Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application.

I still don't get what you wanna do with the password function...the plain mysqli_connect() function will deal with your password...and handle the authentification procedure...
sorry...I'm for the typos and syntax errors when your parsing this...I'm a bit tired
regards

4rxsid

thanks for the reply and trying to understand my ?

i guess what i don't understand, is why would mysql come out with such a function like password() .

after i set up the users in the user table with their passwords encrypted via password(), i couldn't authenticate into the table...by web script using mysql_connection (or mysqli_connection) OR by the dos command line mysql>

i had to shut the server down, and restart using --old-passwords which then let me authenticate via command line, but still not via web connect.

it starting to appear to me that i need to abandon the password() functionality built in to mysql 4.1.1. and just go with good ole' md5().

thanks anyway!

4rxsid

solved:

i stored the password in the db by using password($newpassword)

and query it by
PASSWORD('$password_from_form')

i.e., no = sign in there.