I am using the DES_ENCRYPT method to store a password in MySQL. This is working, but when I retrieve it with DES_DECRYPT I get the HTML character references for certain symbols. For example, I stored `&` by encrypting, but while decrypting I get `&amp;`. How do I handle this so that I only get `&` after decryption and not `&amp;`? If there is any other better direct method I can use that, but in either case I need the real password stored.

user850234
  • 1.) WHY DO YOU STORE ENCRYPTED PASSWORDS? DON'T DO THAT! 2.) I'm *pretty* sure that those functions *don't* do anything with HTML entities, that problem must be at some other point. – Joachim Sauer Jan 22 '13 at 14:25
  • See also: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords or http://stackoverflow.com/questions/287517/encrypting-hashing-plain-text-passwords-in-database – feeela Jan 22 '13 at 14:30
  • You probably are HTML encoding the password when printing it, but like @Joachim says it is not a problem with those functions. And like Joachim says, never store encrypted passwords, the passwords must be stored in a way that nobody (not even you) can decrypt them. – artberri Jan 22 '13 at 14:32
  • I did the following query `insert into users (emailid,password) values ('abc@gmail.com', DES_ENCRYPT('ad2*(&8ev'))` which stores the password as `€o'ù…G9xo9IuÑf` and when I make the following query `SELECT DES_DECRYPT(password) FROM users` I get `ad2*(&amp;8ev` which is not the same as the original one which is encrypted. – user850234 Jan 22 '13 at 14:38
  • I need this for running a cron job which requires a password for authentication – user850234 Jan 22 '13 at 14:39
  • `SELECT DES_DECRYPT(DES_ENCRYPT('ad2*(&8ev'))` this returns `ad2*(&8ev`, so it kinda gets demonstrated that the problem must be in another place, as @JoachimSauer and @artberri pointed out. – Carlos Campderrós Jan 22 '13 at 15:04
  • @CarlosCampderrós I am using `lampp` on a Linux system. I again ran the same query you wrote in `phpmyadmin` but it gives me `ad2*(&amp;8ev`. Any idea where the problem might be? – user850234 Jan 22 '13 at 15:10
  • `phpmyadmin` is probably html-encoding the html entities before showing them. If you look at the source code, the `&` appears as `&amp;`, but this is done to prevent XSS attacks. If you are somehow parsing the html phpmyadmin is outputting (why the hell would you do that??), you need to call an html decoding function like the one proposed in http://stackoverflow.com/questions/994331/java-how-to-decode-html-character-entities-in-java-like-httputility-htmldecode – Carlos Campderrós Jan 22 '13 at 15:14

1 Answer

As @Carlos said, phpmyadmin is probably html-encoding the html entities before showing them. This is true. There is no problem with the function. When I decrypt from outside phpmyadmin the password is decrypted properly. I made the mistake earlier: I tried to do it directly from the admin panel, and now I am running it from the script outside the admin panel.

user850234
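
The difference between the value a script reads from the database and the text an HTML admin panel puts in its page source, as an added example that is not part of the original thread. An in-memory SQLite table stands in for the MySQL `users` table, and `render_cell`, `cell_text` and `looks_html_encoded` are hypothetical helpers written for this illustration.

```python
import html
import sqlite3

# Constructed sample value, taken from the query quoted in the comments.
PASSWORD = "ad2*(&8ev"

def make_db():
    # Assumption: in-memory SQLite stands in for the MySQL `users` table;
    # the column holds the value DES_DECRYPT would hand back.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (emailid TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("abc@gmail.com", PASSWORD))
    return db

def read_via_driver(db, emailid):
    # What a cron script sees: the raw column value, no presentation layer.
    row = db.execute(
        "SELECT password FROM users WHERE emailid = ?", (emailid,)
    ).fetchone()
    return row[0]

def render_cell(value):
    # What an HTML admin panel writes into the page source: output-encoded
    # text, so the browser displays the value instead of parsing it as markup.
    return "<td>" + html.escape(value, quote=True) + "</td>"

def cell_text(cell_html):
    # Recover the value from page source: strip the tag, decode entities once.
    inner = cell_html[len("<td>"):-len("</td>")]
    return html.unescape(inner)

def looks_html_encoded(value):
    # Heuristic guard: a value that changes when entities are decoded was
    # probably copied from HTML source rather than read from the database.
    return html.unescape(value) != value

if __name__ == "__main__":
    raw = read_via_driver(make_db(), "abc@gmail.com")
    cell = render_cell(raw)
    print("driver     :", raw)
    print("page source:", cell)
    print("decoded    :", cell_text(cell))
    print("guard flags source text:", looks_html_encoded("ad2*(&amp;8ev"))
```

The guard is only a heuristic: a password that legitimately contains the literal text `&amp;` would also be flagged.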