md5 for user password authentication?

A place for users and developers of the Xataface to discuss and receive support.

md5 for user password authentication?

Postby jstalin » Wed Dec 05, 2007 12:58 pm

I've enabled the user authentication feature, but I don't want my users' passwords stored in the mysql database as plaintext. Is there a way to enable md5 password storage for user authentication?
jstalin
 
Posts: 7
Joined: Wed Dec 05, 2007 12:55 pm

Postby shannah » Wed Dec 05, 2007 1:41 pm

In the users table fields.ini file. If your password column is named 'password', you would have:

Code: Select all
[password]
    encryption=md5
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby jstalin » Wed Dec 05, 2007 1:53 pm

That did it, thanks.
jstalin
 
Posts: 7
Joined: Wed Dec 05, 2007 12:55 pm

Postby chapin » Mon Aug 25, 2008 2:35 am

shannah wrote:In the users table fields.ini file. If your password column is named 'password', you would have:

Code: Select all
[password]
    encryption=md5



First, I want to say that Xataface is great! Thanks!

md5? Is that safe enough? Is it possible to use AES encryption?
AES_ENCRYPT() and AES_DECRYPT() "can be considered the most cryptographically secure encryption functions currently available in MySQL" according to the Mysql documentation.

Thanks in advance!
chapin
 
Posts: 12
Joined: Mon Aug 25, 2008 2:18 am

Postby shannah » Mon Aug 25, 2008 7:56 am

Currently only md5, password, sha1, and encrypt are supported.

At your suggestion I have added aes_encrypt to my dev version to be in the next major release.

It is easy to add. In the Dataface/Serializer.php file, you'll find a section:
Code: Select all
if ( isset($field['encryption']) ){
         $app =& Dataface_Application::getInstance();
         switch(strtolower($field['encryption'])){
            case 'md5':
               return 'MD5('.$value.')';
            case 'password':
               return 'PASSWORD('.$value.')';
            case 'sha1':
               return 'SHA1('.$value.')';
            case 'encrypt':
               return 'ENCRYPT('.$value.')';
               
         }
      }


Just add another case for aes_entrypt as follows:

Code: Select all
if ( isset($field['encryption']) ){
         $app =& Dataface_Application::getInstance();
         switch(strtolower($field['encryption'])){
            case 'md5':
               return 'MD5('.$value.')';
            case 'password':
               return 'PASSWORD('.$value.')';
            case 'sha1':
               return 'SHA1('.$value.')';
            case 'encrypt':
               return 'ENCRYPT('.$value.')';
            case 'aes_encrypt':
               return 'aes_encrypt('.$value.',\''.addslashes($app->_conf['_auth']['aes_password']).'\')';
               
         }
      }


Note then you would have in your fields.ini file:
Code: Select all
[password]
    encryption=aes_encrypt


And you would need to specify a password in your conf.ini file:

Code: Select all
[_auth]
    aes_password="My Secret Code"


-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby chapin » Mon Aug 25, 2008 8:23 am

shannah wrote:Currently only md5, password, sha1, and encrypt are supported.

At your suggestion I have added aes_encrypt to my dev version to be in the next major release.

It is easy to add. In the Dataface/Serializer.php file, you'll find a section:
Code: Select all
if ( isset($field['encryption']) ){
         $app =& Dataface_Application::getInstance();
         switch(strtolower($field['encryption'])){
            case 'md5':
               return 'MD5('.$value.')';
            case 'password':
               return 'PASSWORD('.$value.')';
            case 'sha1':
               return 'SHA1('.$value.')';
            case 'encrypt':
               return 'ENCRYPT('.$value.')';
               
         }
      }


Just add another case for aes_entrypt as follows:

Code: Select all
if ( isset($field['encryption']) ){
         $app =& Dataface_Application::getInstance();
         switch(strtolower($field['encryption'])){
            case 'md5':
               return 'MD5('.$value.')';
            case 'password':
               return 'PASSWORD('.$value.')';
            case 'sha1':
               return 'SHA1('.$value.')';
            case 'encrypt':
               return 'ENCRYPT('.$value.')';
            case 'aes_encrypt':
               return 'aes_encrypt('.$value.',\''.addslashes($app->_conf['_auth']['aes_password']).'\')';
               
         }
      }


Note then you would have in your fields.ini file:
Code: Select all
[password]
    encryption=aes_encrypt


And you would need to specify a password in your conf.ini file:

Code: Select all
[_auth]
    aes_password="My Secret Code"


-Steve


Thank you very much Steve!!! I'll will try this as soon as possible!
chapin
 
Posts: 12
Joined: Mon Aug 25, 2008 2:18 am

Postby shannah » Mon Aug 25, 2008 8:27 am

I forgot to note that I also added the line:
Code: Select all
$app =& Dataface_Application::getInstance();


in the snippets above.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby chapin » Mon Aug 25, 2008 1:24 pm

shannah wrote:I forgot to note that I also added the line:
Code: Select all
$app =& Dataface_Application::getInstance();


in the snippets above.


Where exactly shall I add that line?

Once again, Thank you!
chapin
 
Posts: 12
Joined: Mon Aug 25, 2008 2:18 am

Postby shannah » Mon Aug 25, 2008 4:30 pm

It has already been added in the snippet above that I posted. It just won't be in the source for your version of the Serializer.php file so I thought I would make a note of it.... (it is just before the switch statement).

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 27 guests

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved