Mysql Passwords

It depends on what exactly you're doing.

If you are using a table to store your own user names and passwords rather than MySQL's own user access system, then a common approach is to store the hash of the user's password rather than the literal password. There are several hashing functions available in MySQL (depending on the version you are using). You can get full details from the online MySQL manual here. The MD5() function should be available to you whatever the version of MySQL you are using is.

So, for example, if you have a table with two columns "user" and "password" then you can add a new user thus:

INSERT INTO LOGIN (user, password) VALUES ('penelope',MD5('blahblah'));

Then you can check a password passed in is correct in this way:

SELECT user FROM LOGIN WHERE user = 'penelope' AND password = MD5('somepassword');

If the password doesn't match you get no results, if it matches you get the record back with the user name.

To change the password you do this:

UPDATE LOGIN set password = MD5('newpassword') WHERE user = 'penelope' AND password = MD5('oldpassword');

The check for the old password is optional, especially if you don't know what it was

You don't have to use the MD5() function, but whatever one you use the key thing is to be consistent. If this is an existing system, check what hashing/encryption is used for validating the passwords and stick with that.

Also, you should be using an SSL link if you're passing the user and password values from a web form. You may want to look at hashing the password using JavaScript before submitting them over the internet if you can't use SSL. This should make no difference as long as the same hashing function is used when setting the password and then checking it later.

HTH.

Ciarán.