On 04/08/2011 08:14 AM, Ansgar Burchardt wrote:
> Hi Thomas,
>
> I noticed you prepared a patch[1] using MySQL's PASSWORD() function.
> Please note that this function should *not* be used by applications
> besides MySQL itself[2] in addition to not salting the hash. The crypt
> function included in PHP itself[3] with salting and a modern hash like
> SHA-512 seems to be a better choice.
>
> Regards,
> Ansgar
>
> [1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614304#56>
> [2] <http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_password>
> [3] <http://php.net/manual/en/function.crypt.php>

Hi,

Thanks for letting me know before it's too late. Indeed, I didn't know.

Now, the issue is that in a few places, I will need to use the encryption from the command line. In such a case, using the crypt() function of PHP is not really convenient (even though I can use a php cli, I'd rather avoid it if possible). So, do you think it's acceptable to use the SHA2() function of MySQL instead, which would be a lot more straightforward to use for me?

Somebody else suggested the haval160 algo of PHP. Do you as well think it's a good idea? That would also force me to use PHP all the time...

Please let me know,

Thomas Goirand (zigo)
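
The following is an added example, not part of the original thread or of the patch it discusses. It contrasts an unsalted hash of the kind MySQL's PASSWORD() produces with salted SHA-512 `crypt()` in PHP. The function names and the sample password are hypothetical, and the PASSWORD() equivalent assumes the MySQL 4.1+ format (double SHA-1).

```php
<?php
// Added illustration; function names are hypothetical, not taken from the patch.

// Equivalent of MySQL's PASSWORD() since 4.1: unsalted double SHA-1.
function mysql_password_equiv(string $password): string
{
    return '*' . strtoupper(sha1(sha1($password, true)));
}

// Salted SHA-512 crypt(): "$6$" selects SHA-512, followed by up to 16 salt chars.
function hash_password_sha512(string $password): string
{
    if (!defined('CRYPT_SHA512') || CRYPT_SHA512 !== 1) {
        throw new RuntimeException('crypt() has no SHA-512 support on this build');
    }
    // 12 random bytes encode to 16 base64 chars; map '+' into crypt's salt alphabet.
    $salt = strtr(base64_encode(random_bytes(12)), '+', '.');
    $hash = crypt($password, '$6$rounds=5000$' . $salt . '$');
    // On failure crypt() returns a short marker string instead of a hash.
    if (strlen($hash) < 13 || strncmp($hash, '$6$', 3) !== 0) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// The stored hash embeds its salt and round count, so it serves as the setting string.
function verify_password_sha512(string $password, string $stored): bool
{
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

$pw = 'correct horse battery staple'; // constructed sample password

// Unsalted: every account with this password stores the same value,
// so one precomputed table covers all of them.
var_dump(mysql_password_equiv($pw) === mysql_password_equiv($pw));

// Salted: the same password yields different stored values, and each still verifies.
$a = hash_password_sha512($pw);
$b = hash_password_sha512($pw);
var_dump($a !== $b);
var_dump(verify_password_sha512($pw, $a));
var_dump(verify_password_sha512('wrong guess', $a));
```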