PERL CRYPT() Help

I use the following subroutine to encrypt a password, then another to store it in a database. I have not been able to figure out how to handle the login process for the user. i.e. the user places username and password in a form and submits. How can my perl script check the password for validity?

sub  encrypt_pass
   {
      my $str=$FORM{new_password};
      my $str= shift @_;
      my @salt_chars         = ('a'..'z','A'..'Z','0'..'9');
      my $salt               = $salt_chars[rand(63)] . $salt_chars[rand(63)];
      return crypt($str, $salt);
   }
LVL 1
Bob-VillaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

arantiusCommented:
Hi Bob-Villa,
The basic secure process for handling password logins is this:
Retrieve plain text password from user, encrypt it, store in the database.
On future logins, retrieve encrypted password from database.  Encrypt supplied password, then check these two values.  If they are the same, the user provided the correct password.  And, the plaintext password is never saved, so if the database is compromised, your users passwords are safe.

I hope this is helpful!
0
gruntarCommented:
If youre using MySQL then you should encrypt password on a database level...

INSERT INTO tablename VALUES('var 1','var 2', PASSWORD('var3') , 'var 4');

then when auth. user you query like this

SELECT * FROM tablename WHERE user='user' AND pass=PASSWORD('pas');

If database retun row, then user is valid.

Cheers
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Bob-VillaAuthor Commented:
Which method is better as far as encryption goes?
perl crypt() the password then insert the crypted password into mysql field or strictly using mysql password function?
0
gruntarCommented:
I would say database, less code and confusion. :)
Database encryption is "one way", so quite impossible to decrypt. And you don't need additional encryption.

Cheers
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Scripting Languages

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.