The first is that I split the password in half. The first half of the password is in the PHP file and second half in the MySQL program. I also added an addNew directive. That way I could search for email addresses without creating a new address:
CREATE FUNCTION getEmailId(str VARCHAR(255), ipwd CHAR(4), addNew CHAR(1))
The line that does the encryption is now:
SET encrypted = AES_Encrypt(Lower(str),Concat(ipwd,'word'));
So I call the function with "SELECT getEmailId('firstname.lastname@example.org','pass')". The villain would have to hack both my PHP program and my SQL Database to figure out that the pass word is "password"!
If I wanted even better security. I could double encrypt the password. Splitting the security token between the PHP code and a MYSQL procedure adds a layer of obfuscation.
BTW, I could have chosen to double encrypt the password, but Concat is faster.
Post a Comment