md5 for user password authentication?

Archived from the Xataface Users forum.

jstalin — Wed Dec 05, 2007 12:58 pm

I’ve enabled the user authentication feature, but I don’t want my users’ passwords stored in the mysql database as plaintext. Is there a way to enable md5 password storage for user authentication?


shannah — Wed Dec 05, 2007 1:41 pm

In the users table fields.ini file. If your password column is named ‘password’, you would have:

Code:
[password]
encryption=md5

jstalin — Wed Dec 05, 2007 1:53 pm

That did it, thanks.


chapin — Mon Aug 25, 2008 2:35 am

shannah wrote: In the users table fields.ini file. If your password column is named ‘password’, you would have:

Code:
[password]
encryption=md5

First, I want to say that Xataface is great! Thanks!

md5? Is that safe enough? Is it possible to use AES encryption?

AES_ENCRYPT() and AES_DECRYPT() “can be considered the most cryptographically secure encryption functions currently available in MySQL” according to the Mysql documentation.

Thanks in advance!


shannah — Mon Aug 25, 2008 7:56 am

Currently only md5, password, sha1, and encrypt are supported.

At your suggestion I have added aes_encrypt to my dev version to be in the next major release.

It is easy to add. In the Dataface/Serializer.php file, you’ll find a section:

Code:
if ( isset($field['encryption']) ){
    $app =& Dataface_Application::getInstance();
    // Returns the SQL expression MySQL evaluates when the row is written
    switch(strtolower($field['encryption'])){
        case 'md5':
            return 'MD5('.$value.')';
        case 'password':
            return 'PASSWORD('.$value.')';
        case 'sha1':
            return 'SHA1('.$value.')';
        case 'encrypt':
            return 'ENCRYPT('.$value.')';
    }
}

Just add another case for aes_encrypt as follows:

Code:
if ( isset($field['encryption']) ){
    $app =& Dataface_Application::getInstance();
    switch(strtolower($field['encryption'])){
        case 'md5':
            return 'MD5('.$value.')';
        case 'password':
            return 'PASSWORD('.$value.')';
        case 'sha1':
            return 'SHA1('.$value.')';
        case 'encrypt':
            return 'ENCRYPT('.$value.')';
        case 'aes_encrypt':
            // Key comes from the [_auth] aes_password setting in conf.ini
            return 'aes_encrypt('.$value.',\''.addslashes($app->_conf['_auth']['aes_password']).'\')';
    }
}

Note then you would have in your fields.ini file:

Code:
[password]
encryption=aes_encrypt

And you would need to specify a password in your conf.ini file:

Code:
[_auth]
aes_password="My Secret Code"

-Steve
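An added Python comparison of the storage modes discussed in this thread (example code, not Xataface's own): it computes locally what MySQL's MD5() and SHA1() would store for the `encryption=md5`/`sha1` settings, adds an assumed salted PBKDF2 mode for contrast, and shows that the unsalted modes give every user with the same password an identical column value. PASSWORD(), ENCRYPT() and aes_encrypt are not modelled here; the last is reversible by anyone holding the key from conf.ini, which is the reason it is not a substitute for a password hash.

```python
import hashlib
import hmac
import os

# Modes mirror the Serializer switch on the page ("md5", "sha1");
# "pbkdf2" is an assumed, added mode used only for the comparison.
def store_password(mode, plaintext, salt=None):
    """Return the value that would end up in the password column."""
    data = plaintext.encode("utf-8")
    mode = mode.lower()
    if mode == "md5":     # what MySQL MD5() stores: unsalted, 32 hex chars
        return hashlib.md5(data).hexdigest()
    if mode == "sha1":    # what MySQL SHA1() stores: unsalted, 40 hex chars
        return hashlib.sha1(data).hexdigest()
    if mode == "pbkdf2":  # assumed mode: per-user random salt, iterated
        salt = os.urandom(16) if salt is None else salt
        digest = hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)
        return "pbkdf2$" + salt.hex() + "$" + digest.hex()
    raise ValueError("unsupported encryption mode: " + mode)


def verify_password(mode, stored, candidate):
    """Check a login attempt against the stored column value."""
    mode = mode.lower()
    if mode in ("md5", "sha1"):
        return hmac.compare_digest(stored, store_password(mode, candidate))
    if mode == "pbkdf2":
        _, salt_hex, _ = stored.split("$")
        recomputed = store_password(mode, candidate, bytes.fromhex(salt_hex))
        return hmac.compare_digest(stored, recomputed)
    raise ValueError("unsupported encryption mode: " + mode)


def same_stored_value(mode, plaintext):
    """Two users choosing the same password: identical column values?"""
    return store_password(mode, plaintext) == store_password(mode, plaintext)


if __name__ == "__main__":
    # Constructed sample: two accounts that picked the same password
    for mode in ("md5", "sha1", "pbkdf2"):
        print(mode, "identical for equal passwords:",
              same_stored_value(mode, "password"))
```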


chapin — Mon Aug 25, 2008 8:23 am

shannah wrote: Currently only md5, password, sha1, and encrypt are supported.

At your suggestion I have added aes_encrypt to my dev version to be in the next major release.

It is easy to add. In the Dataface/Serializer.php file, you’ll find a section:

Code:
if ( isset($field['encryption']) ){
    $app =& Dataface_Application::getInstance();
    // Returns the SQL expression MySQL evaluates when the row is written
    switch(strtolower($field['encryption'])){
        case 'md5':
            return 'MD5('.$value.')';
        case 'password':
            return 'PASSWORD('.$value.')';
        case 'sha1':
            return 'SHA1('.$value.')';
        case 'encrypt':
            return 'ENCRYPT('.$value.')';
    }
}

Just add another case for aes_encrypt as follows:

Code:
if ( isset($field['encryption']) ){
    $app =& Dataface_Application::getInstance();
    switch(strtolower($field['encryption'])){
        case 'md5':
            return 'MD5('.$value.')';
        case 'password':
            return 'PASSWORD('.$value.')';
        case 'sha1':
            return 'SHA1('.$value.')';
        case 'encrypt':
            return 'ENCRYPT('.$value.')';
        case 'aes_encrypt':
            // Key comes from the [_auth] aes_password setting in conf.ini
            return 'aes_encrypt('.$value.',\''.addslashes($app->_conf['_auth']['aes_password']).'\')';
    }
}

Note then you would have in your fields.ini file:

Code:
[password]
encryption=aes_encrypt

And you would need to specify a password in your conf.ini file:

Code:
[_auth]
aes_password="My Secret Code"

-Steve

Thank you very much Steve!!! I’ll try this as soon as possible!


shannah — Mon Aug 25, 2008 8:27 am

I forgot to note that I also added the line:

Code:
$app =& Dataface_Application::getInstance();

in the snippets above.


chapin — Mon Aug 25, 2008 1:24 pm

shannah wrote: I forgot to note that I also added the line:

Code:
$app =& Dataface_Application::getInstance();

in the snippets above.

Where exactly shall I add that line?

Once again, Thank you!


shannah — Mon Aug 25, 2008 4:30 pm

It has already been added in the snippet above that I posted. It just won’t be in the source for your version of the Serializer.php file, so I thought I would make a note of it. (It is just before the switch statement.)

-Steve