From: "Ryan Russell" <Ryan dot Russell at sybase dot com>
Subject: Re: I need a simple encryption subroutine, to encrypt/decrypt a
Date: Feb 18 1999 6:21PM

If I'm following you correctly...

First off.. if you're using the POST method, the variables
don't show up in the URL, that's the GET method.

Second, if you're proposing to send an encrypted (actually,
looks more like a hash for what you're talking about) that
will allow the function to happen, then stealing the crypted
string is as good as having the cleartext password.

You're also passing passwords (or hashes which are just as good)
in an unencrypted HTTP session, which is subject to monitoring.

Use an SSL web server, use the POST method, and don't worry
about the fact that the password is in the form. I believe that most
web browsers (when working correctly) will not cache SSL posted

Where do the passwords come from to begin with? Are they unix
password from an NIS map, or DB passwords in a table? One thing
you can do is hash them on the client via some Java thing and send a hash.
If it's matched against a unix passwd file, you can replicate the crypt(3)
function. If it's DB passwords, you just have to have the same hash
both the client and server.

Pass the password in the clear the first time, and use a cookie (a
well designed cookie... a whole other discussion) to allow access
later. This does nothing to help sniffing, if you're
concerned about that (you should be.)

If this is for an internal application rather than for a client, you
always have the option of consulting with one of your
internal security people, I'm sure they'd appreciate
you checking with them. (I'm your internal security

I have a form created in html which a password is input, this form will be
many people to access the application, I then need to use the POST method
which executes the main perl script diary application.

the problem is the password is passed as a variable in the query string and
this user would see the password on how leaving his desk leaves his
wide open as it will show in the browser. this password is the main
access the SQLSERVER database. the simplest method is to encrypt the
passed to the second perl script using "POST" method then when the diary is
regularly refreshed the password which will then be bookmarked will show
variable and the encrypted password, when the variable is checked it can
decrypted and used to access the database

so all I need is a bit of perl to read the string, and convert to
then be able to unconvert when database connection is required.

I am not too sure how to manipulate a string in perl like you would do in C
ie newstr[i] = oldstr[i] + 'A' for instance
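
The "check the password once, then use a cookie" option from the reply, sketched in Perl as an added example that is not part of the original thread. The key, lifetime, user names and function names are assumptions made for illustration; the cookie holds no password or password hash, but it still has to travel over SSL, because a sniffed cookie can be replayed until it expires.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed for the example: a real server loads a random key from
# server-side configuration; it never appears in a form or a URL.
my $SERVER_KEY  = 'constructed-example-key-change-me';
my $SESSION_TTL = 15 * 60;    # seconds a cookie stays valid

# Issue "user|expiry|mac" after the password has been checked once.
# The database password itself stays in the server's configuration.
sub issue_cookie {
    my ($user, $now) = @_;
    die "bad user name\n" unless $user =~ /\A[A-Za-z0-9_.-]+\z/;
    my $payload = join '|', $user, ($now // time) + $SESSION_TTL;
    return join '|', $payload, hmac_sha256_hex($payload, $SERVER_KEY);
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the user name for an authentic, unexpired cookie, else undef.
sub verify_cookie {
    my ($cookie, $now) = @_;
    my ($user, $expiry, $mac) =
        ($cookie // '') =~ /\A([A-Za-z0-9_.-]+)\|(\d+)\|([0-9a-f]{64})\z/
        or return;
    return unless ct_eq($mac, hmac_sha256_hex("$user|$expiry", $SERVER_KEY));
    return if ($now // time) >= $expiry;
    return $user;
}

# Demo with a constructed user and a fixed clock: a valid cookie, one whose
# user field was edited after signing, and one presented after its expiry.
my $c = issue_cookie('alice', 1000);
(my $forged = $c) =~ s/\Aalice/admin/;
printf "%-8s %s\n", $_->[0], verify_cookie($_->[1], $_->[2]) // 'rejected'
    for ['valid', $c, 1001], ['forged', $forged, 1001], ['expired', $c, 1000 + $SESSION_TTL];
```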