htaccess / encryption?

N4N01D

Hi, basically what I have is a mysql db with various fields that are encrypted using AES_ENCRYPT / AES_DECRYPT, to do this you need a key, so i have assigned $key as my variable.

I dont want to store any passwords in raw text in any php file or on the sql database as I dont want a nosey admin poking about reading my licence codes etc.

So would it be possible to use a htaccess which would take the password entered then hash it and then use that for the key variable? Thus not having any password stored on file.

Also to make sure that the htaccess password isnt sniffed, could you build SSL into this before the htaccess box pop's up?

Thanks
N4N01D

drew010

instead of using basic authentication for htaccess you can use digest authentication which will send their passwords as md5 hashes. see http://httpd.apache.org/docs/1.3/howto/auth.html
scroll to the section Digest Authentication.

With php you would only be able to get the password the user typed for an htaccess prompt if you had php installed as an apache module. if you do put your site on an ssl you can safely let them enter passwords and then use them as keys to decrypt database information.

N4N01D

sorry i forgot to add i cant use Digest as my host refuses to update php to 5.10 "for just one customer" so im stuck on 4.3.* isnt there any other way around this?

drew010

digest doesnt have to do with php. its apache. see if they have mod_auth_digest installed.

N4N01D

Oh, is there any easy way to find that out ?

drew010

either ask them or perhaps you have read permission of httpd.conf and you can look for LoadModule digest_auth_module mod_auth_digest.so

or ask them to install it, its very simple they just copy the so file into the libexec folder and then add two lines to httpd.conf and restart apache.

N4N01D

haha, as i dont have access to the httpd.conf i just emailed the hosting company and they eventually got back to me and this i quote was the response on asking about the Loadmodule digest_auth_module..... line being in the httpd.conf

"Dear XXXXXXX

This does not make any sense. Please do not post HTML code, just plain text thank you

Regards
XXXXXXX XXXXXX
Business Manager - Level 1"

N4N01D

It seems that they are also unwilling to add this feature, have you any other ideas on how i could get round this problem, i have spoken to the host and they say that i can have ssl enabled, also for the key for the AES can i use an md5 hash?

Weedpacket

It also sounds like they don't like HTML emails, and would prefer plain text ones (they're easier to automate processing for, and are less likely to be spam).

Does [man]apache_get_modules[/man] mention anything?

N4N01D

nope, they didnt know what loadmodule line was and thought it was html code in the email, hence the comment... however there is no digest line 🙁