Thread: PHP Encryption

  1. #1
    Junior Member
    Join Date
    May 2002
    Posts
    1

    PHP Encryption

    I am using PHP to produce an online game at http://www.ageofcaves.com/ and I need a way of encrypting the user's password within the URL. Can somebody outline how I would go about this?

    Cheers,

    Bingham

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    734
    Try using the crypt() function. I'm new to PHP as well, but I think it goes crypt(string,salt). The cool thing about it is that it is altered-DES encryption (aka Unix encryption).

  3. #3
    Junior Member
    Join Date
    Nov 2001
    Posts
    1
    How can he or me ;-) check if the passwd is valid...
    Is there any way of doing it?!
    I heard about a function named salt() but I did not find any reference to it on php.net or phpbuilder.com
    Went to hell and back , all in black and
    white . welcome to bash....

  4. #4
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Depends very much on what level of security you want to accomplish.

    A simple way is to put it through md5() - this produces 32 random-looking
    characters. When you read this off the URL, you can take the password in your
    DB, md5() it once more, and compare the two.

    One problem is that this md5() value never changes, so if anyone intercepts it,
    they may be able to use it for some bad purpose.

    Actually I'm wondering why you need the password on the URL. Can't you just
    use ordinary session handling, just like any other "login script"?

    If you really need it, we must add some randomness to the md5() value. Try telling
    us more details of what you want done.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    734
    Ugh, old old old old post.

    erikjacobsen > That was his first and last post so I doubt he's going to see your reply

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    "One problem is that this md5() value never changes, so if anyone intercepts it,
    they may be able to use it for some bad purpose."

    How is this different from if it changes?

    If someone can intercept the value, they can impersonate the user. If they're quick enough, they can get it even if it changes. It makes no difference in principle.

    Use SSL and it is harder to intercept either way.

  7. #7
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    In the short run you can add a check for a cookie, or check for the same IP-number.

    But who knows what smyn31337 actually wants to use it for?
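
Added example, not part of any post in this thread: a sketch of the "ordinary session handling" suggested in post #4, which keeps the password out of the URL and also covers post #3's question of how to check a password. It assumes PHP 7.1 or later, HTTPS (as post #6 recommends), and a constructed in-memory user store and form field names (`name`, `password`); password_hash()/password_verify() are swapped in here for the crypt() and md5() calls mentioned in the thread.

```php
<?php
declare(strict_types=1);

// Constructed user store standing in for the game's database (hypothetical).
// Only the password_hash() output is kept, never the password itself.
$users = ['bingham' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

// password_verify() reads the algorithm and salt back out of the stored hash,
// so checking a password needs no separate salt handling.
function check_login(array $users, string $name, string $password): bool
{
    // Unknown names are checked against a dummy hash so that response time
    // does not reveal which account names exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $valid = password_verify($password, $users[$name] ?? $dummy);
    return $valid && isset($users[$name]);
}

function login(array $users, string $name, string $password): bool
{
    if (!check_login($users, $name, $password)) {
        return false;
    }
    session_regenerate_id(true);  // fresh session id once the user is authenticated
    $_SESSION['user'] = $name;    // login state is held server-side, not in the URL
    return true;
}

// The browser only ever carries a random session id, in a cookie.
session_start([
    'use_only_cookies' => 1,      // never accept a session id from the URL
    'use_strict_mode'  => 1,      // reject session ids the server did not issue
    'cookie_httponly'  => 1,
    'cookie_secure'    => 1,      // assumes the site is served over HTTPS
]);

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Credentials arrive once, in the POST body of the login form.
    $name = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (!login($users, $name, $pass)) {
        http_response_code(401);
    }
}

$user = $_SESSION['user'] ?? null;
echo $user === null ? "not logged in\n" : 'logged in as ' . htmlspecialchars($user) . "\n";
```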
