Hello
I would like to query the user table of the mysql database from my VB
application to check that a user's password entered in a text field on a
form corresponds to that user's password in the mysql database. However, when
I retrieve the password using an sql statement into a recordset, it is
encrypted. How can I decrypt it so I can make the comparison?
Ian
> I would like to query the user table of the mysql database from my VB application to check that a user's password entered in a text field on a form corresponds to that user's password in the mysql database. However, when I retrieve the password using an sql statement into a recordset, it is encrypted. How can I decrypt it so I can make the comparison?
You DON'T. The encryption wouldn't be worth much if you could.
Try encrypting the password entered and see if the result matches
what's in the database.
Gordon L. Burditt
Ian Davies wrote:
> Hello
> I would like to query the user table of the mysql database from my VB application to check that a user's password entered in a text field on a form corresponds to that user's password in the mysql database. However, when I retrieve the password using an sql statement into a recordset, it is encrypted. How can I decrypt it so I can make the comparison?
We should never decrypt passwords stored in a database. Instead, we
should encrypt the string that a user enters, and then check if that
encrypted string matches the encrypted string that is in the database.
This way we never write code that can read a user's password from the
database. There is always a slim possibility that a bug in our code
might allow the wrong person to read that password. The best way to be
safe is never to write any code that can decrypt a password.
Password-encryption functions are normally one-way. That is, there is
no way to get the original string from the encrypted string. This is
preferable because one-way encryption is more secure, and for reasons
above, there's no need for code to decrypt the password.
Regards,
Bill K.
I thought maybe that was the case.
I presume that using the PASSWORD() function would encrypt my string so I
could compare.
I didn't realise that the encryption would be the same each time.
My problem now is that the string input by the user is in my VB application
and VB doesn't recognise PASSWORD().
How can I get mysql to encrypt the string from within VB?
Ian
"Gordon Burditt" <go***********@burditt.org> wrote in message
news:11*************@corp.supernews.com...
>> I would like to query the user table of the mysql database from my VB application to check that a user's password entered in a text field on a form corresponds to that user's password in the mysql database. However, when I retrieve the password using an sql statement into a recordset, it is encrypted. How can I decrypt it so I can make the comparison?
> You DON'T. The encryption wouldn't be worth much if you could. Try encrypting the password entered and see if the result matches what's in the database.
> Gordon L. Burditt
Ian Davies (ia********@virgin.net) wrote:
: I thought maybe that was the case.
: I presume that using the PASSWORD() function would encrypt my string so I
: could compare.
: I didn't realise that the encryption would be the same each time.
: My problem now is that the string input by the user is in my VB application
: and VB doesn't recognise PASSWORD().
: How can I get mysql to encrypt the string from within VB?
by using password().
For example (not tested, syntax likely wrong)
    select
        user_name,
        users_encrypted_password,
        password($claimed_password) as claimed_password
    from
        all_users
    where
        user_name = $the_user_name
VB runs the above query and gets back a result. Examine the values in the
result set to see if there is such a user, and then compare the columns
users_encrypted_password with claimed_password to see if the password was
correct.
You can also get the encrypted value for use within VB using something
like
    select password($claimed_password);
as above, you run that just like you run any other query from within VB
and get back a result set containing the calculated value.
--
This programmer available for rent.
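
The query above places $claimed_password and $the_user_name directly in the statement text; the same hash-and-compare check can be written with bound placeholders so the typed values never become part of the SQL. The MySQL script below is an added example, not code from any poster in this thread: the table contents and the statement name check_login are constructed for illustration, and SHA1() stands in for PASSWORD() because it is one of the functions the MySQL manual note quoted later in the thread names for application use.

```sql
-- Added example: constructed table and values, hypothetical names.
CREATE TABLE all_users (
    user_name                VARCHAR(64) NOT NULL PRIMARY KEY,
    users_encrypted_password CHAR(40)    NOT NULL  -- hex digest from SHA1()
);

-- Store only the digest of the password, never the typed string itself.
INSERT INTO all_users (user_name, users_encrypted_password)
VALUES ('alice', SHA1('correct horse'));

-- The ? placeholders keep user input out of the statement text.
-- password_is_correct compares the stored digest with the digest of the
-- claimed password, so nothing is ever decrypted.
PREPARE check_login FROM
    'SELECT user_name,
            users_encrypted_password = SHA1(?) AS password_is_correct
       FROM all_users
      WHERE user_name = ?';

-- Case 1: existing user, the password that was stored.
SET @claimed_password = 'correct horse', @the_user_name = 'alice';
EXECUTE check_login USING @claimed_password, @the_user_name;

-- Case 2: existing user, a different password.
SET @claimed_password = 'wrong guess';
EXECUTE check_login USING @claimed_password, @the_user_name;

-- Case 3: a user name that is not in the table.
SET @the_user_name = 'nobody';
EXECUTE check_login USING @claimed_password, @the_user_name;

DEALLOCATE PREPARE check_login;
DROP TABLE all_users;
```

A client application would bind the two placeholders through its database library's parameter interface instead of SET and EXECUTE, then treat an empty result set and a zero in password_is_correct as the same failed login.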
Ian Davies wrote:
> My problem now is that the string input by the user is in my VB application and VB doesn't recognise PASSWORD(). How can I get mysql to encrypt the string from within VB?
SELECT PASSWORD("string");
You can also do this:
SELECT IF(PASSWORD("string") = encryptedPasswordField, 1, 0) AS
password_is_correct
FROM tableStoringPasswords;
By the way, you should be aware of issues related to using the
PASSWORD() function in MySQL. Read the entry about PASSWORD() on this
web page: http://dev.mysql.com/doc/refman/5.0/...functions.html
"Note: The PASSWORD() function is used by the authentication system in
MySQL Server; you should not use it in your own applications. For that
purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more
information about handling passwords and authentication securely in your
applications."
The recommendation against using MySQL's PASSWORD function for your
applications is that they can change the algorithm between versions of
MySQL (e.g. between 4.0 and 4.1 the encryption algorithm changed). That
could cause your application to break as you upgrade the MySQL software,
and the only solution would be to reset all your users' passwords, and
tell each user to go change their password.
I use MD5() when I need application-specific password encryption.
Regards,
Bill K.
> By the way, you should be aware of issues related to using the PASSWORD() function in MySQL. Read the entry about PASSWORD() on this web page: http://dev.mysql.com/doc/refman/5.0/...functions.html
> "Note: The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your applications."
> The recommendation against using MySQL's PASSWORD function for your applications is that they can change the algorithm between versions of MySQL (e.g. between 4.0 and 4.1 the encryption algorithm changed). That could cause your application to break as you upgrade the MySQL software, and the only solution would be to reset all your users' passwords, and tell each user to go change their password.
> I use MD5() when I need application-specific password encryption.
Thanks Bill
re the above. I read this, but assumed that, as the mysql database
containing the user table encrypts the passwords in it using PASSWORD() and
I need to check my users input in VB against it I would therefore need to
use the same encryption on my string from VB in order for the comparing of
the two to work (or is that not the case?).
I thought about better encryption using the other functions and using my own
encrypted table of passwords and building my own security system into my app
but the extra work, and the fact that the data is not that sensitive (just
school kids test results) I thought I'd stick to what mysql supplies.
Ian
Again thanks all for the quick responses, will look into them tomorrow.