I’ve always hashed passwords in php (or whatever) before inserting it into the database. Today I discovered that mysql 5.5 has hashing built in, so I could do something like this:
+-----------------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------------+--------------+------+-----+---------+----------------+
| user_id | int(11) | NO | PRI | NULL | auto_increment |
| user_uname | varchar(63) | YES | UNI | NULL | |
| user_password | binary(32) | YES | | NULL | |
+-----------------+--------------+------+-----+---------+----------------+
--set password
UPDATE users SET user_password=UNHEX(SHA2(CONCAT('username','salt'), 256))\
WHERE user_id = 1;
-- validate password
SELECT (SELECT user_password FROM users WHERE user_id=1) = \
SHA2(CONCAT('username','salt'), 256);
Is there a reason this might be a bad idea? (I am not a mysql expert by any means)
That isn’t hashing a password; but if it were (if you were passing a plaintext password there)…
The database connection protocol generally is not encrypted. One reason to not be using this functionality is that you are sending the password in plaintext over the wire. If someone has control of a router along the path between your webserver and the database, they could intercept this data.
Because of this you would be introducing a weakness in the security of your system.