mailing a encrypted password

Hi.
I was having trouble emailing an encrypted password. The password is stored with the password option so it gets encrypted. I then lookup the password and email it using php3, but the password shows as encrypted. How do you decrypt it? I tried playing with the decrypt command but with no luck.
Any help is appreciated.
Tim

Are you using MySQL's password() function to encrypt the password? If so, I don't believe you'll be able to decrypt it for obvious security reasons. Try using PHP's encrypt() function before storing it in the database and use the complementary PHP decrypt() function when pulling it out of the database.

Originally posted by Kyuzo:
[B]Are you using MySQL's password() function to encrypt the password? If so, I don't believe you'll be able to decrypt it for obvious security reasons. Try using PHP's encrypt() function before storing it in the database and use the complementary PHP decrypt() function when pulling it out of the database.[/B

What is the purpose of the MySQL's password function if you can not ever decrypt it?

From the MySQL manual...

PASSWORD(str)
Calculates a password string from the plaintext password str. This is the function that is used for encrypting MySQL
passwords for storage in the Password column of the user grant table.

mysql> select PASSWORD('badpwd');
-> '7f84554057dd964b'

PASSWORD() encryption is non-reversible. PASSWORD() does not perform password encryption in the same way that
Unix passwords are encrypted. You should not assume that if your Unix password and your MySQL password are the
same, PASSWORD() will result in the same encrypted value as is stored in the Unix password file. See ENCRYPT().

If you could decrypt this, you might be able to decrypt user passwords from the mysql db.

Thanks, that makes a lot of sense.

I am using trying to write a php file that will email the user their password if they forgot it. It goes along with Neoboard message board. I looked and they encrypt it like this:
$userpassword = crypt($userpassword,'.v');

I tried to decript it like this:
$userpassword2 = (decrypt($userpassword,'.v'));

And got this error:

Fatal error: Call to unsupported or undefined function decrypt() in /export/home/dmiller/public_html/neoboard/forgot2.php3 on line 54

Any suggestions?
Thanks again

crypt() uses a one-way algorithm that can't be decrypted anyway, so it wouldn't have mattered. I checked a PHP book that I had and it spoke of encrypt() and decrypt() being complementary pairs but I did a small test and got the same error you did "unsupported function...blah blah.."

Another alternative - use MySQL's encode() and decode() functions for storing and retrieving, respectively. The key is that the column must be a blob type for holding binary data which is what is returned from the encode function.

Quick example.....

one column table with pass as blob type

%insert into table values(encode('captain', 'kangaroo')); // captain is actual password and kangaroo is the password string

%select decode(pass, 'kangaroo') from table

hope it helps

Kyuzo

In continuation to this interesting discussion i would like to know whether it is possible to encrypt a string on the client side using JavaScript and decrypt it on the server side using PHP.

Pls Help...

Thanks in advance..



------------------
Anish Modi
Infotech World
India

<BLOCKQUOTE><font size="1" face="Verdana,Arial,Helvetica">quote:</font><HR>Originally posted by tim miller:
<snip>

I am using trying to write a php file that will email the user their password if they forgot it. It goes along with Neoboard message board. <snip>
[/quote]

Tim,

Typically, unless you have a reason to access the user's account AS THE USER, it is not really desirable for you to store the password at all. When a user forgets his or her password, I typically generate a brand new one for them and reset their old password password using an account with appropriate grants. You will find this to be generally more secure and carry lower overhead.

Best regards,

Jim

<BLOCKQUOTE><font size="1" face="Verdana,Arial,Helvetica">quote:</font><HR>Originally posted by amodi:
In continuation to this interesting discussion i would like to know whether it is possible to encrypt a string on the client side using JavaScript and decrypt it on the server side using PHP.

Pls Help...

Thanks in advance..


[/quote]

What are you using to encrypt on the Java side? If you are using JCE 1.2, it shares encryption methods with the m_crypt library in php. Haven't tried what you're doing, but if the methods are implemented correctly and you're using the same keys, you should not have a problem.

Additionally, I believe there are PGP encryption routines available for both PHP and java. You can send your public key for encryption and unencrypt using a private key which you control. This may be a good alternative for you.