Way to use password in query at login

[jeanyves]

In bwauthlib there is the following query (a similar one was in old BW)

$query = "SELECT id,Status,Username FROM members WHERE Username='" . $this->dao->escape($handle) . "' AND PassWord? = PASSWORD('".$this->dao->escape($password)."')";

the nasty effect if that if the Query is log because it is delay (it has happen yesterday), the password is recorded in plain text in the log

[jeanyves]

I have done a partila improvment

I now realize that these password should be md5() or similar, I don't find way to do a proper test "is the entered password corresponding to the one mysql PASSWORD() function will compute" without risking a query log.

I propose an improvment wich will reduce the risk of slow log recording the password in plain text

Please comment

[feuerdaemon]

The Passwords arn't stored crypted in the DB?

I thought the DB has only the crypted pwd. The SM- and PHPBB3-Forum use it like this:

Someone has transmitted the password 'test'. After you checked, that the transmitted string isn't any risk to use (spoof-free, code-free, etc. = it just means it's save to handle)- you encrypt it (in that case with md5() ) and hold it in the var (in the var is the md5 value for the string 'test' -> 81dc9bdb52d04dc20036dbd8313ed055). And with that, you can work -> Put it in the DB, compare it, etc.

Cause in the DB is only the md5 value for your password you can just compare the (crypted) var with the (also crypted) DB value. Then there is also no problem to log the (crypted) pwd somewhere. Sure, you should try to NOT log any (also crypted) pwd somewhere.

But while this is a problem with a querry to the DB - it seems to me that, we don't use a crypt. If we would do, a log would't be very risky.

[globetrotter_tt]

Is this ticket still valid?

[fake51]

Yes, it's still valid: BW still uses incredibly poor password encryption and still sends off the passwords to the database in the clear

I'll see what I can do about changing the password system.