
md5 for user password authentication?

PostPosted: Wed Dec 05, 2007 12:58 pm
by jstalin
I've enabled the user authentication feature, but I don't want my users' passwords stored in the mysql database as plaintext. Is there a way to enable md5 password storage for user authentication?

PostPosted: Wed Dec 05, 2007 1:41 pm
by shannah
In the users table's fields.ini file. If your password column is named 'password', you would have:

[password]
    encryption=md5

PostPosted: Wed Dec 05, 2007 1:53 pm
by jstalin
That did it, thanks.

PostPosted: Mon Aug 25, 2008 2:35 am
by chapin
shannah wrote:In the users table's fields.ini file. If your password column is named 'password', you would have:

[password]
    encryption=md5



First, I want to say that Xataface is great! Thanks!

md5? Is that safe enough? Is it possible to use AES encryption?
AES_ENCRYPT() and AES_DECRYPT() "can be considered the most cryptographically secure encryption functions currently available in MySQL" according to the MySQL documentation.

Thanks in advance!

PostPosted: Mon Aug 25, 2008 7:56 am
by shannah
Currently only md5, password, sha1, and encrypt are supported.

At your suggestion I have added aes_encrypt to my dev version to be in the next major release.

It is easy to add. In the Dataface/Serializer.php file, you'll find a section:
if ( isset($field['encryption']) ){
    $app =& Dataface_Application::getInstance();
    // Wrap the value in the MySQL function selected by encryption= in fields.ini
    switch(strtolower($field['encryption'])){
        case 'md5':
            return 'MD5('.$value.')';
        case 'password':
            return 'PASSWORD('.$value.')';
        case 'sha1':
            return 'SHA1('.$value.')';
        case 'encrypt':
            return 'ENCRYPT('.$value.')';
    }
}


Just add another case for aes_encrypt as follows:

if ( isset($field['encryption']) ){
    $app =& Dataface_Application::getInstance();
    // Wrap the value in the MySQL function selected by encryption= in fields.ini
    switch(strtolower($field['encryption'])){
        case 'md5':
            return 'MD5('.$value.')';
        case 'password':
            return 'PASSWORD('.$value.')';
        case 'sha1':
            return 'SHA1('.$value.')';
        case 'encrypt':
            return 'ENCRYPT('.$value.')';
        case 'aes_encrypt':
            // Key comes from [_auth] aes_password in conf.ini; addslashes() escapes it for the SQL literal
            return 'aes_encrypt('.$value.',\''.addslashes($app->_conf['_auth']['aes_password']).'\')';
    }
}


Note then you would have in your fields.ini file:
[password]
    encryption=aes_encrypt


And you would need to specify a password in your conf.ini file:

[_auth]
    aes_password="My Secret Code"


-Steve
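As an added illustration (not Xataface's code; written in Python rather than PHP so it runs stand-alone), this reproduces what the md5 and sha1 options leave in the users table, how a login check against such a value works, an audit that flags accounts whose stored digests coincide, and, for contrast, a salted iterated hash. The function names and the sample rows are constructed for the example.

```python
import hashlib
import hmac
import os

def mysql_style_digest(encryption, password):
    """Hex digest of the raw password, as MySQL MD5()/SHA1() return it: no salt."""
    enc = encryption.lower()
    if enc == "md5":
        return hashlib.md5(password.encode("utf-8")).hexdigest()
    if enc == "sha1":
        return hashlib.sha1(password.encode("utf-8")).hexdigest()
    raise ValueError("unsupported encryption option: %s" % encryption)

def verify_unsalted(encryption, password, stored):
    """Login check for the md5/sha1 options: recompute and compare in constant time."""
    return hmac.compare_digest(mysql_style_digest(encryption, password), stored)

def shared_password_groups(rows):
    """Audit helper over (username, stored) rows: group accounts with identical
    digests. Without a salt, equal passwords give equal rows, so one cracked
    digest unlocks every account in the group."""
    groups = {}
    for username, stored in rows:
        groups.setdefault(stored, []).append(username)
    return [users for users in groups.values() if len(users) > 1]

def salted_hash(password, salt=None, iterations=100_000):
    """Contrast: per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256),
    packed into one string so it still fits a single column."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_salted(password, stored):
    """Re-derive with the salt and iteration count recorded in the stored value."""
    _, iters, salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)

# Constructed sample users table for the md5 option: (username, stored value)
SAMPLE_ROWS = [
    ("alice", mysql_style_digest("md5", "password")),
    ("bob", mysql_style_digest("md5", "correct horse")),
    ("carol", mysql_style_digest("md5", "password")),
]

if __name__ == "__main__":
    print(shared_password_groups(SAMPLE_ROWS))  # [['alice', 'carol']]
```

The aes_encrypt option is different in kind: AES_DECRYPT() with the same aes_password recovers the original password, so it only protects a copied table while the key in conf.ini stays secret.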

PostPosted: Mon Aug 25, 2008 8:23 am
by chapin
shannah wrote:Currently only md5, password, sha1, and encrypt are supported.

At your suggestion I have added aes_encrypt to my dev version to be in the next major release.

It is easy to add. In the Dataface/Serializer.php file, you'll find a section:
if ( isset($field['encryption']) ){
    $app =& Dataface_Application::getInstance();
    // Wrap the value in the MySQL function selected by encryption= in fields.ini
    switch(strtolower($field['encryption'])){
        case 'md5':
            return 'MD5('.$value.')';
        case 'password':
            return 'PASSWORD('.$value.')';
        case 'sha1':
            return 'SHA1('.$value.')';
        case 'encrypt':
            return 'ENCRYPT('.$value.')';
    }
}


Just add another case for aes_encrypt as follows:

if ( isset($field['encryption']) ){
    $app =& Dataface_Application::getInstance();
    // Wrap the value in the MySQL function selected by encryption= in fields.ini
    switch(strtolower($field['encryption'])){
        case 'md5':
            return 'MD5('.$value.')';
        case 'password':
            return 'PASSWORD('.$value.')';
        case 'sha1':
            return 'SHA1('.$value.')';
        case 'encrypt':
            return 'ENCRYPT('.$value.')';
        case 'aes_encrypt':
            // Key comes from [_auth] aes_password in conf.ini; addslashes() escapes it for the SQL literal
            return 'aes_encrypt('.$value.',\''.addslashes($app->_conf['_auth']['aes_password']).'\')';
    }
}


Note then you would have in your fields.ini file:
[password]
    encryption=aes_encrypt


And you would need to specify a password in your conf.ini file:

[_auth]
    aes_password="My Secret Code"


-Steve


Thank you very much Steve!!! I will try this as soon as possible!

PostPosted: Mon Aug 25, 2008 8:27 am
by shannah
I forgot to note that I also added the line:
$app =& Dataface_Application::getInstance();


in the snippets above.

PostPosted: Mon Aug 25, 2008 1:24 pm
by chapin
shannah wrote:I forgot to note that I also added the line:
$app =& Dataface_Application::getInstance();


in the snippets above.


Where exactly shall I add that line?

Once again, Thank you!

PostPosted: Mon Aug 25, 2008 4:30 pm
by shannah
It has already been added in the snippet above that I posted. It just won't be in the source for your version of the Serializer.php file, so I thought I would make a note of it (it is just before the switch statement).

-Steve