Hi,

I was wondering (and used Google with no clear result) if there is any way to connect to a MySQL database with PHP using a hashed password. Say I have the following:

Password (plain): 'foobar'
Password (sha1): '8843d7f92416211de9ebb963ff4ce28125932878'

Now I would like to connect to MySQL like this (using the mysql_* function as example, I'm using PDO though):

$db_link = mysql_connect ( 'localhost', 'user', '8843d7f92416211de9ebb963ff4ce28125932878' );

Is this possible? Has anyone done this before?

+5  A: 

Then the "hash" would be the password. What would be the benefit?

VolkerK
So someone, even if they get the plain text connection data, wouldn't know the user's password. Which would only matter if you use the same password on everything.
colithium
But since you as the cautious developer/admin are already concerned about this you wouldn't use this password also everywhere else ;-) And you have placed it somewhere not accessible through your webserver.
VolkerK
The benefit would be privacy. I'm developing an application which stores database connection values (in a 'master' database) for using the application.
Stefan
I don't see the advantage. Let's assume MySQL has such a ...connect_with_passwordhash() function. I somehow get access to your master database and steal all your password hashes. Now, can't I simply feed them to ...connect_with_passwordhash() like your script does?
VolkerK
That is true, though when it's THEORETICALLY impossible to access the master MySQL database, it gives a user more privacy storing a password hashed. WHEN someone gets access to the master database, what's the point of stealing the password? All other databases (with other users and passwords) also run on the same server, why not copy all stuff immediately? It's just a privacy issue. I know it's possible to get access with the plain password OR hash.
Stefan
But you don't need another built-in mysql function for that. Build an account management system (/a web interface) that takes the plain password and then stores the hash in the "master database" and the other databases (as the password). That would also be a good opportunity to add some kind of password salt.
VolkerK
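The account-management approach from the last comment above, sketched as an added example (not code from the thread): the plain password is run through a salted key-derivation function, and the derived value is both stored in the master database and set as the MySQL account password. The function names, record fields, DSN parameter and PBKDF2 settings are assumptions made for illustration. As the comments point out, the stored value still opens the database for anyone who reads it; what it keeps private is the password the user typed.

```php
<?php
// Added example; every name here is hypothetical, not from the thread.

const KDF_ITERATIONS = 600000; // assumed work factor for PBKDF2-HMAC-SHA256

/**
 * Derive the value that is used as the MySQL account password.
 * Only the salt and this derived value are stored, never the plain password.
 */
function deriveDbCredential(string $plainPassword, string $saltHex): string
{
    // 64 hex characters = 256 bits of derived output
    return hash_pbkdf2('sha256', $plainPassword, hex2bin($saltHex), KDF_ITERATIONS, 64);
}

/** Build the row that the account-management system writes to the master database. */
function createMasterRecord(string $dbUser, string $plainPassword): array
{
    $saltHex = bin2hex(random_bytes(16)); // fresh random salt per account
    return [
        'db_user'       => $dbUser,
        'salt'          => $saltHex,
        // The same value must be set as the MySQL password for $dbUser.
        'db_credential' => deriveDbCredential($plainPassword, $saltHex),
    ];
}

/** Connect using the stored value: to MySQL it is simply the password. */
function connectFromRecord(array $record, string $dsn): PDO
{
    return new PDO($dsn, $record['db_user'], $record['db_credential'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Constructed sample data: two accounts that happen to share the password 'foobar'.
$first  = createMasterRecord('app_user_1', 'foobar');
$second = createMasterRecord('app_user_2', 'foobar');

// Re-deriving with the stored salt reproduces the credential (true).
var_dump(hash_equals($first['db_credential'], deriveDbCredential('foobar', $first['salt'])));

// Different salts give different credentials for the same password (false),
// so a leaked row does not reveal that the two users chose the same password.
var_dump($first['db_credential'] === $second['db_credential']);
```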
A: 

The short answer is no.

But, just wondering... what is your real concern? Someone hacking into your server and discovering your password?

Hans
Just privacy, would you like it when you (for example) sign up on a website without your password being encrypted in the database?
Stefan
The reason you should hash (not encrypt) people's passwords is not to protect their data, but to prevent hackers, who already have breached your security and have access to everything, from being able to take your login details and try to reuse them to access your details on other sites, such as email. Just be wary of when you are walking the line between obfuscation and security.
Hans