* Re: MySQL obnoxious question
  2008-02-20  0:35 MySQL obnoxious question Mário Gamito
@ 2008-02-19 17:44 ` Jose Celestino
  2008-02-19 22:22   ` Adam T. Bowen
  2008-02-19 20:55 ` Jose Celestino
  2008-02-19 21:01 ` Adam T. Bowen
  2 siblings, 1 reply; 6+ messages in thread
From: Jose Celestino @ 2008-02-19 17:44 UTC (permalink / raw)
  To: Mário Gamito; +Cc: linux-admin

Words by Mário Gamito [Wed, Feb 20, 2008 at 12:35:26AM +0000]:
> Hi,
>
> Sorry for the little off-topic, but the vpoopmail list is kind of dead.
>

So is the diablo mailing list and I don't see any diablo nntp related
questions here.

> I'm running a qmail server with vpopmail with MySQL authentication.
>
> For obnoxious reasons, I'm running a web site in Windows/ASP.NET/C# that 
> once a user registers, it inserts in the MySQL qmail server the username, 
> password, etc.
>
> It's in the password that the problem lies.
> I need to hash it just before or after the MySQL INSERT statement.
> For that, I have to run a PHP shell script that follows my signature.
>
> Problem is MySQL doesn't run external commands.
>

All that does is generate a random md5 salt and do an md5 crypt of the
password. Why would you want to run that on an external command? I
guess you can easily do it on c#.

>
> <?php
>
> // Return one random character for the salt (a-z, A-Z, 0-9, ';' or '.').
> function randltr() {
>  $retval = 'a';
>  $rand = rand() % 64;
>  // PHP cannot add an integer to a letter, so go through ord()/chr().
>  if ($rand < 26) $retval = chr(ord('a') + $rand);
>  if ($rand > 25) $retval = chr(ord('A') + $rand - 26);
>  if ($rand > 51) $retval = chr(ord('0') + $rand - 52);
>  if ($rand == 62) $retval = ';';
>  if ($rand == 63) $retval = '.';
>  return($retval);
> }
>
> // Build a '$1$' (MD5-crypt) salt and hash $clearpass into $crypted.
> function mkpasswd3(&$clearpass, &$crypted) {
>  // srand() expects an integer seed.
>  srand((int)((double)microtime()*1000000));
>
>  $salt = '$1$';
>  for ($i = 0; $i < 5; $i++) $salt .= randltr();
>  $salt .= '0';
>  $crypted = crypt($clearpass, $salt);
>  if (strlen($crypted) > 0) return(true);
>  return(false);
> }
>
> $clearpass = 'yeshua';
> $crypted = '';
>
> if (mkpasswd3($clearpass, $crypted))
>  printf("%s -> %s\n", $clearpass, $crypted);
> else
>  echo("Ohoh");
> -

-- 
Jose Celestino
----------------------------------------------------------------
http://www.msversus.org/     ; http://techp.org/petition/show/1
http://www.vinc17.org/noswpat.en.html
----------------------------------------------------------------
"If you would have your slaves remain docile, teach them hymns."
    -- Ed Weathers ("The Empty Box")
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: MySQL obnoxious question
  2008-02-20  0:35 MySQL obnoxious question Mário Gamito
  2008-02-19 17:44 ` Jose Celestino
@ 2008-02-19 20:55 ` Jose Celestino
  2008-02-19 21:01 ` Adam T. Bowen
  2 siblings, 0 replies; 6+ messages in thread
From: Jose Celestino @ 2008-02-19 20:55 UTC (permalink / raw)
  To: Mário Gamito; +Cc: linux-admin

I'll reply again when I have received this e-mail. Tomorrow around
00:35.

Words by Mário Gamito [Wed, Feb 20, 2008 at 12:35:26AM +0000]:
> Hi,
>
> Sorry for the little off-topic, but the vpoopmail list is kind of dead.
>

-- 
Jose Celestino
----------------------------------------------------------------
http://www.msversus.org/     ; http://techp.org/petition/show/1
http://www.vinc17.org/noswpat.en.html
----------------------------------------------------------------
"If you would have your slaves remain docile, teach them hymns."
    -- Ed Weathers ("The Empty Box")

* Re: MySQL obnoxious question
  2008-02-20  0:35 MySQL obnoxious question Mário Gamito
  2008-02-19 17:44 ` Jose Celestino
  2008-02-19 20:55 ` Jose Celestino
@ 2008-02-19 21:01 ` Adam T. Bowen
  2 siblings, 0 replies; 6+ messages in thread
From: Adam T. Bowen @ 2008-02-19 21:01 UTC (permalink / raw)
  To: linux-admin

Hi,

Mário Gamito wrote:
> For obnoxious reasons, I'm running a web site in Windows/ASP.NET/C# that 
> once a user registers, it inserts in the MySQL qmail server the 
> username, password, etc.
> 
> It's in the password that the problem lies.
> I need to hash it just before or after the MySQL INSERT statement.
> For that, I have to run a PHP shell script that follows my signature.

There is an encrypt function in MySQL:

http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html#function_encrypt

but it is only available on systems which have a system crypt call (not 
Windows according to the docs).  However if your MySQL database is 
running on Linux you should be able to just change the insert statement 
in the C# code to something like:

insert into user_details values("username", encrypt("password"), ...);

and not bother with the php script.  If the database is on Windows, then 
there are other encryption functions available.  There is a User Comment 
at the bottom of the above web page (search for "Philip Mather") which 
discusses using a trigger to achieve something that sounds similar to 
what you want.

There are lots of other options, of course, but my first route would 
always be to modify existing code.  You might want to be careful, 
however, that you aren't breaking any license agreement before going 
ahead and modifying anything.  If the code is unavailable or protected 
then you can just put a trigger on the user_details table in the 
database and encrypt the password there.

Hope some of that helps.

Cheers

Adam

* Re: MySQL obnoxious question
  2008-02-19 17:44 ` Jose Celestino
@ 2008-02-19 22:22   ` Adam T. Bowen
  2008-02-20  2:57     ` Atishay
  0 siblings, 1 reply; 6+ messages in thread
From: Adam T. Bowen @ 2008-02-19 22:22 UTC (permalink / raw)
  To: linux-admin

Jose Celestino wrote:
>> Problem is MySQL doesn't run external commands.
>>
> 
> All that does is generate a random md5 salt and do an md5 crypt of the
> password. Why would you want to run that on an external command? I
> guess you can easily do it on c#.

If you are going to go this route, you might want to take a look at this 
port of the crypt function:

   http://www.codeproject.com/KB/cs/unixcrypt.aspx

Cheers

Adam
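
An added example, not part of any message in this thread and not vpopmail's or the CodeProject port's code: a reference implementation of the '$1$' MD5-crypt string that crypt() returns for the posted script, written in Python so it can be checked against crypt() output before being ported to C#. The function names are hypothetical, and the salt is drawn from the OS CSPRNG rather than a clock-seeded rand().

```python
import hashlib
import hmac
import secrets

# crypt(3) base-64 alphabet; MD5-crypt salts and digests are drawn from it.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def make_salt(length: int = 8) -> str:
    """Random salt from the OS CSPRNG (hypothetical helper)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))

def md5_crypt(password: str, salt: str) -> str:
    """Compute the '$1$salt$digest' string for a password and a salt (max 8 chars)."""
    pw, sl = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    ctx.update(alt * (len(pw) // 16) + alt[:len(pw) % 16])
    n = len(pw)
    while n:  # one extra byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for r in range(1000):  # fixed 1000-round stretching loop
        h = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            h.update(sl)
        if r % 7:
            h.update(pw)
        h.update(final if r & 1 else pw)
        final = h.digest()
    out = ""
    # Digest bytes are permuted, then emitted 6 bits at a time, low bits first.
    for idx, width in (((0, 6, 12), 4), ((1, 7, 13), 4), ((2, 8, 14), 4),
                       ((3, 9, 15), 4), ((4, 10, 5), 4), ((11,), 2)):
        v = int.from_bytes(bytes(final[i] for i in idx), "big")
        for _ in range(width):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return "$1$" + sl.decode() + "$" + out

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    candidate = md5_crypt(password, parts[2])
    return hmac.compare_digest(candidate.encode(), stored.encode())
```
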


* MySQL obnoxious question
@ 2008-02-20  0:35 Mário Gamito
  2008-02-19 17:44 ` Jose Celestino
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Mário Gamito @ 2008-02-20  0:35 UTC (permalink / raw)
  To: linux-admin

Hi,

Sorry for the little off-topic, but the vpoopmail list is kind of dead.

I'm running a qmail server with vpopmail with MySQL authentication.

For obnoxious reasons, I'm running a web site in Windows/ASP.NET/C# that 
once a user registers, it inserts in the MySQL qmail server the 
username, password, etc.

It's in the password that the problem lies.
I need to hash it just before or after the MySQL INSERT statement.
For that, I have to run a PHP shell script that follows my signature.

Problem is MySQL doesn't run external commands.

Any ideas ?

Any help would be appreciated.

Warm Regards,
Mário Gamito

-- 

<?php

// Return one random character for the salt (a-z, A-Z, 0-9, ';' or '.').
function randltr() {
  $retval = 'a';
  $rand = rand() % 64;
  // PHP cannot add an integer to a letter, so go through ord()/chr().
  if ($rand < 26) $retval = chr(ord('a') + $rand);
  if ($rand > 25) $retval = chr(ord('A') + $rand - 26);
  if ($rand > 51) $retval = chr(ord('0') + $rand - 52);
  if ($rand == 62) $retval = ';';
  if ($rand == 63) $retval = '.';
  return($retval);
}

// Build a '$1$' (MD5-crypt) salt and hash $clearpass into $crypted.
function mkpasswd3(&$clearpass, &$crypted) {
  // srand() expects an integer seed.
  srand((int)((double)microtime()*1000000));

  $salt = '$1$';
  for ($i = 0; $i < 5; $i++) $salt .= randltr();
  $salt .= '0';
  $crypted = crypt($clearpass, $salt);
  if (strlen($crypted) > 0) return(true);
  return(false);
}

$clearpass = 'yeshua';
$crypted = '';

if (mkpasswd3($clearpass, $crypted))
  printf("%s -> %s\n", $clearpass, $crypted);
else
  echo("Ohoh");

* Re: MySQL obnoxious question
  2008-02-19 22:22   ` Adam T. Bowen
@ 2008-02-20  2:57     ` Atishay
  0 siblings, 0 replies; 6+ messages in thread
From: Atishay @ 2008-02-20  2:57 UTC (permalink / raw)
  Cc: linux-admin

On Feb 20, 2008 3:52 AM, Adam T. Bowen <adamb@agitate.org.uk> wrote:
>
> Jose Celestino wrote:
> >> Problem is MySQL doesn't run external commands.
> >>
> >
> > All that does is generate a random md5 salt and do an md5 crypt of the
> > password. Why would you want to run that on an external command? I
> > guess you can easily do it on c#.

This one should help; MySQL allows password hashing:
 http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html

>
> If you are going to go this route, you might want to take a look at this
> port of the crypt function:
>
>   http://www.codeproject.com/KB/cs/unixcrypt.aspx
>
> Cheers
>
> Adam
>
