[nycphp-talk] security, sessions, and encryption
Aaron Fischer
agfische at email.smith.edu
Tue Mar 16 08:49:59 EST 2004
Hi all,
I'm working up a little application that will require password
authentication to gain entry into the site. The login page will query
the username/password information that is stored in a MySQL table. I
plan on using sessions to enable the authorized user to travel around
the site and also to prevent an unauthorized user from gaining access
to the site.
My main question revolves around encryption. The sources that I have
been referencing advocate for encrypting the password during the
authentication process. However, I've been frustrated by how briefly
this topic is passed over in my books. The little application that I
am working on now only has fairly low level security needs and
encryption may be overkill, but I have another project coming down the
line where the security needs will be greater, so I might as well get
started learning this stuff now! Like, one question I have is, why
encrypt? What am I preventing from happening?
In general I am interested in what methods of securing an application
folks recommend. I'd like to read up about general theories on
protection and types of misuse/attacks as well as learn about specific
methods of protection. I'd also be interested in hearing references
for good books that deal with security (shameless plugs are welcome).
The two methods I have seen recommended so far are:
1. MySQL encryption via "password" function:
A preexisting script I inherited uses this method where the form
submission is encrypted in the SQL query statement.
  "select * from tablename where name = '$_POST[name]' and pass =
  password('$_POST[password]')";
So, the password is encrypted using MySQL's password encryption and is
compared to the encrypted version stored in the table. However, when I
read the MySQL documentation, I came across these lines:
"Note: The PASSWORD() function is used by the authentication system in
MySQL Server, you should NOT use it in your own applications. For that
purpose, use MD5() or SHA1() instead. Also see RFC-2195 for more
information about handling passwords and authentication securely in
your application."
So, it seems that this method is a no-no.
2. Encrypt using PHP, which can use the encryption methods that are
available on the server operating system. In the book that
recommends using crypt(), my issue is that it doesn't explain how it is
working or what's going on behind the scenes, and I haven't been able to
find good documentation online that will help me either. The crypt()
code in the book is:
  if (crypt($password, $result['password']) == $result['password']) {
      // start session
  }
I'd appreciate any feedback on the aforementioned methods, as well as
book or online resource references.
Cheers,
-Aaron
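Added example, not from Aaron's post or from the book he quotes: it spells out what the book's `crypt($password, $result['password']) == $result['password']` check is doing, and why the table stores a salted one-way hash rather than the password itself. The user names, passwords and the in-memory array standing in for the MySQL table are constructed for illustration; the function names are my own.

```php
<?php
// Added illustration of the crypt() check quoted in the post.
// A PHP array stands in for the MySQL "pass" column so this runs offline.

declare(strict_types=1);

// Build a fresh random salt in crypt()'s SHA-512 format ("$6$" prefix).
// crypt() reads the scheme, the rounds and the salt from this string and
// copies them into the front of its output. That prefix is what makes the
// output reusable as the "salt" argument at verification time.
function make_salt(): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return '$6$rounds=100000$' . $salt . '$';
}

// Value to store in the password column when the account is created.
// The password itself is never stored; only this one-way hash is.
function hash_password(string $password): string
{
    return crypt($password, make_salt());
}

// The book's check, spelled out. Passing the stored hash as the salt makes
// crypt() reuse the same scheme, rounds and salt, so the result equals the
// stored value only if the candidate password matches. hash_equals() does
// the comparison in constant time instead of with ==.
function verify_password(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed stand-in for the users table: name => stored hash.
$users = [
    'alice' => hash_password('correct horse'),
    'bob'   => hash_password('correct horse'),  // same password as alice
];

// Each account got its own salt, so identical passwords produce different
// stored values. An unsalted md5() or sha1() of the same password would be
// identical for both rows and for every precomputed table an attacker has.
var_dump($users['alice'] !== $users['bob']);
var_dump(md5('correct horse') === md5('correct horse'));

// Login attempts: the stored hash is fetched by user name, then checked here
// in PHP rather than inside the SQL WHERE clause.
var_dump(verify_password('correct horse', $users['alice']));
var_dump(verify_password('wrong password', $users['alice']));

// What someone who reads the table gets: scheme, rounds, salt and digest,
// not the password. Recovering it means running guesses through crypt().
echo $users['alice'], "\n";
```

This answers the "why encrypt?" question in the post fairly directly: the protection is against the table (or a backup of it) being read, not against the login form being used, and what is stored is a hash, not something that can be decrypted back. Two practical notes beyond the book's one-liner: fetch the row by name with a parameterised query and do the comparison in PHP, rather than building the SQL string from `$_POST` the way the inherited query does; and on PHP 5.5 or later, `password_hash()` and `password_verify()` wrap exactly this salt-and-crypt pattern, pick the algorithm for you, and are the functions to reach for first.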