Set password in mysql

Anon

Dear all,

I have written a php webpage to update the member's login and password. Owing to the security consideration, it is not safe if it only write the code like this

$mysql="insert into member (login,password)values('$login','$password')";

Please give us rather safe method.

If the password is encrypted, how is it written when the password is inserted into the mysql database and how to take out to compare as the memeber login in.

Thanks
Simon

mamil

Instead of keeping password as an 'open' text it's safer to keep password e.g. as md5 hash:
$mysql="insert into member (login,password)values('$login',md5('$password'))";

Later, when member fills fields 'login' and 'password' you can compare entered password with correspoding one in database by:
$mysql = "SELECT count(login) FROM userlist WHERE login='$login' AND password=md5('$password') "
If you get non-zero result it means that password is valid.

Hope that helps,
Mamil

[deleted]

That takes care of the database, preventing someone to retrieve the password from it. However if you need secure transfer, you'll need to transfer the password using SSL from the form to your script.

Anon

Dear all,

Thanks for your advice, what is the procedure if using SSL from the form to your script.

Sincerely your,
Simon

fabrice wrote:

That takes care of the database, preventing someone to retrieve the password from it. However if you need secure transfer, you'll need to transfer the password using SSL from the form to your script.

matt1

That's another issue! You need a certificate to do SSL transfers (yes you have to pay to get a certificate). Check Verisign.com for more info.