views:

2931

answers:

3

I know that php has md5(), sha1(), and the hash() functions, but I want to create a hash using the MySQL PASSWORD() function. So far, the only way I can think of is to just query the server, but I want a function (preferably in php or Perl) that will do the same thing without querying MySQL at all.

For example:

MySQL hash -> 464bb2cb3cf18b66

MySQL5 hash -> *01D01F5CA7CA8BA771E03F4AC55EC73C11EFA229

Thanks!

+4  A: 

Why do you want to use mysql password() function? Even the Mysql documentation advises against this:

http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html#function_password

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications

You can use md5() for example, wich is present in almost every programming language, php and perl included.

Davide Gualano
MD5 has been broken. So has SHA1. NIST recommends using a SHA-2 family function such as SHA224, SHA256, SHA384 or SHA512. http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
jakber
The thread starter just wanted to create a hash, and did not say he would use it for storing passwords, so I didn't mind about the strength of the md5 algorithm.
Davide Gualano
Why do you care what he wants the function for? He didn't say he was using it in an application, and specifically stated he didn't want to use MD5.
Keith Palmer
+8  A: 

If you are interested in the algorithm of this function, download the source code and see the file sql/password.c, or check this implementation.

CMS
I don't know why you haven't been up-voted more, you're the only one in the thread who actually answered the guys question... go you!
Keith Palmer
Indeed. I too came here looking for the actual algorithm. It's not in the MySQL documentation. Thanks CMS.
Omniwombat
+4  A: 

I originally stumbled across this question in my own search for a PHP implementation of the two MySQL password hashing functions. I was unable to find any implementations, so I adapted my own from the MySQL source code (sql/password.c). The following are tested and working in PHP 5.2:

// The following is free for any use provided credit is given where due.
// This code comes with NO WARRANTY of any kind, including any implied warranty.

/**
 * MySQL "OLD_PASSWORD()" AKA MySQL323 HASH FUNCTION
 * This is the password hashing function used in MySQL prior to version 4.1.1
 * By Rev. Dustin Fineout 10/9/2009 9:12:16 AM
**/
function mysql_old_password_hash($input, $hex = true)
{
  $nr = 1345345333; $add = 7; $nr2 = 0x12345671; $tmp = null;
  $inlen = strlen($input);
  for ($i = 0; $i < $inlen; $i++) {
    $byte = substr($input, $i, 1);
    if ($byte == ' ' || $byte == "\t") continue;
    $tmp = ord($byte);
    $nr ^= ((($nr & 63) + $add) * $tmp) + (($nr << 8) & 0xFFFFFFFF);
    $nr2 += (($nr2 << 8) & 0xFFFFFFFF) ^ $nr;
    $add += $tmp;
  }
  $out_a = $nr & ((1 << 31) - 1);
  $out_b = $nr2 & ((1 << 31) - 1);
  $output = sprintf("%08x%08x", $out_a, $out_b);
  if ($hex) return $output;
  return hex_hash_to_bin($output);
} //END function mysql_old_password_hash

/**
 * MySQL "PASSWORD()" AKA MySQLSHA1 HASH FUNCTION
 * This is the password hashing function used in MySQL since version 4.1.1
 * By Rev. Dustin Fineout 10/9/2009 9:36:20 AM
**/
function mysql_password_hash($input, $hex = true)
{
  $sha1_stage1 = sha1($input, true);
  $output = sha1($sha1_stage1, !$hex);
  return $output;
} //END function mysql_password_hash

/**
 * Computes each hexidecimal pair into the corresponding binary octet.
 * Similar to mysql hex2octet function.
**/
function hex_hash_to_bin($hex)
{
  $bin = "";
  $len = strlen($hex);
  for ($i = 0; $i < $len; $i += 2) {
    $byte_hex = substr($hex, $i, 2);
    $byte_dec = hexdec($byte_hex);
    $byte_char = chr($byte_dec);
    $bin .= $byte_char;
  }
  return $bin;
} //END function hex_hash_to_bin

Hopefully someone else will find this useful as well :)

Dustin Fineout
Works perfect! Nice php implementation.
x2