Don't store the password directly; this would enable anyone
who managed to get even read-only access to the database
to discover everyone's password. Instead, use mcrypt()
and store the hash. You then use mcrypt() on the incoming
password and compare that to the stored hash. Don't
forget to add a "salt" value to make a known-plaintext attack
a little harder to achieve. I.e., to create the hash to save to
the database:
$salt = sprintf( "%04x", time() & 0xffff );  // 4 hex chars of salt
$pw_hash = $salt . md5( $pw_plaintext . $salt );  // salt prefix + hash of (password . salt)
Then, to test ($pw_retrieved is the stored value from the database):
$salt = substr( $pw_retrieved, 0, 4 );  // recover the salt from the stored value
$pwvalue = $salt . md5( $pw_entered . $salt );  // must transform exactly as when the hash was created
if ($pwvalue === $pw_retrieved)  // strict comparison, no type juggling
    ...
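The create-and-verify pair described in the post, written out as an added example (not the poster's own code): the salt is drawn from random_bytes() rather than the clock so it is not guessable, hash_equals() gives a constant-time comparison, and the same transformation is applied on both sides. The helper names make_pw_hash() and check_pw() and the sample password are assumptions for illustration; the trailing password_hash()/password_verify() lines show the built-in PHP API that replaces hand-rolled md5 salting.

```php
<?php
// Added example, not from the original post: salt-prefixed password
// hashing as described above, plus the built-in replacement.

// Constructed sample input
$pw_plaintext = 'CorrectHorse';

function make_pw_hash(string $pw_plaintext): string {
    // 2 random bytes -> 4 hex chars, same width as sprintf("%04x", ...)
    // in the post, but not predictable from time()
    $salt = bin2hex(random_bytes(2));
    return $salt . md5($pw_plaintext . $salt);
}

function check_pw(string $pw_entered, string $pw_retrieved): bool {
    // The salt is the first 4 characters of the stored value
    $salt = substr($pw_retrieved, 0, 4);
    // Apply exactly the transformation used at creation time
    $pwvalue = $salt . md5($pw_entered . $salt);
    // Constant-time comparison; avoids '==' type juggling on hex strings
    return hash_equals($pw_retrieved, $pwvalue);
}

$stored = make_pw_hash($pw_plaintext);
var_dump(check_pw('CorrectHorse', $stored));
var_dump(check_pw('correcthorse', $stored));

// PHP >= 5.5: built-in salting and a deliberately slow hash (bcrypt by
// default), which is what a current deployment should use instead of md5
$stored2 = password_hash($pw_plaintext, PASSWORD_DEFAULT);
var_dump(password_verify('CorrectHorse', $stored2));
```

A 16-bit salt only gives 65536 distinct values, so two users with the same password can still collide; password_hash() uses a full-length random salt and a cost factor that can be raised as hardware gets faster.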