ansaurus

Question

Answer 1

+3 A:

Check the query string by echoing to make sure that all vars are populated :

echo "SELECT emails_password, emails_id  FROM lala.in_emails  WHERE  emails_password ='".md5($password)."' AND emails_id='".$_COOKIE['LALA_ID']."'";

You shall get something like :

SELECT emails_password, emails_id FROM lala.in_emails WHERE emails_password ='098f6bcd4621d373cade4e832627b4f6' AND emails_id='some-emails-id'

Babiker 2010-06-28 06:07:27

Answer 2

+5 A:

Those single quotes (') around md5($password) should be removed. And no, MD5 hash does not change.

Apprentice Queue 2010-06-28 06:09:21

@Apprentice Queue, yep right, made a mistake here..thanks

tada 2010-06-28 06:15:30

...but added around '$password'

Col. Shrapnel 2010-06-28 06:17:21

`'md5($password)'` => `md5('$password')`, but you should hash the password in php not in sql: if something goes wrong then plaintext password will not be in mysql dumps. See @Babiker answer.

Imre L 2010-06-28 06:18:54

@knittl, the value of cookieID is the value of a table in DB with id PK, cookieID==row ID pk

tada 2010-06-28 06:51:17

@Imre L, I agree.

Apprentice Queue 2010-06-28 17:59:04

Answer 3

+2 A:

Your issue is Mysql syntax related, not hashes related.
Good practice would looks like this:

$password = md5($password.$global_salt.$_COOKIE['LALA_ID']);
$password = mysql_real_escape_string($password);
$lala_id  = mysql_real_escape_string($_COOKIE['LALA_ID']);
$query    = "SELECT emails_password,emails_id  FROM lala.in_emails  
             WHERE  emails_password ='$password' 
                AND emails_id='$lala_id'";
$result   = mysql_query($query) or trigger_error(mysql_error().$query);
if(mysql_num_rows($result)>0){echo "same pass";}

Thanks to Stephane and Imre L for their great comments, made this code better

Addendum: People in comments accused me for using escaping on MD5() function result.
I feel it's good point to be explained for the future readers:

If you think of data source of every particular variable - you're mixing layers.
MD5() do not do any "sanitization". It's just a coincidence that it's result contain no special characters. But one shouldn't think of this at all!
Database layer should be independent from context. It must be totally abstract. No matter how you validate your data - MD5, only latin letters, digits' etc - all this has nothing to do with database layer. DB layer should know noting of data source and form. It should just perform it's duty of making SQL of correct syntax. One day validation rule may change - for the plain password, or for some binary format may contain null byte, etc. Validation rules may change but database rules must remain the same.

Take prepared statements as an example:
Do you decide for the each variable, does it need binding or not? Nope - you're doing it unconditionally, for the every variable, no matter of it's form. So, escaping for the data in quotes should be.

Col. Shrapnel 2010-06-28 06:21:34

Now that's what I call paranoid, `mysql_real_escaping` an MD5 hash. ;)

deceze 2010-06-28 06:33:27

@deceze I share your humor :) but seriously: password storing form may change. Escaping strings must be just strict rule with no exceptions. Don't you call binding the same hash to the placeholder paranoid?

Col. Shrapnel 2010-06-28 06:38:45

there is nothing to escape in a hash. Using salt is good. If you want to do even better then you use hmac and something better than md5: `hash_hmac('ripemd160', $password, 'secretgolobalsalt');`

Imre L 2010-06-28 22:08:59

@Col. I agree that every value needs to be sanitized, but that sanitation does not need to be `mysql_real_escape_string`. `(int)$id` is a perfectly good sanitation as well, so is `md5()`.

deceze 2010-06-28 23:00:55

Good point, @deceze ! Really good point. I'll show you your fault. You're *mixing layers.* Database layer should be independent from context. It must be totally abstract. No matter how you validate your data - MD5, only latin letters, digits' etc - all this has nothing to do with database layer. DB layer should know noting of data source and form. It should just perform it's duty of making SQL of correct syntax. Validation rules may change but database rules must remain the same. And, honestly - there is very little of sanitization.

Col. Shrapnel 2010-06-29 05:53:28

@Col. Okay, point taken. Assuming that the `md5` line and the `mysql_real_escape` line would usually be in separate functions in separate modules and the database layer being much more generic than this example, of course you should always apply `mysql_real_escape`. Whenever they're this close together though (which in reality they *shouldn't* be), it's overkill.

deceze 2010-06-29 06:07:56

Answer 4

A:

1)escape $_COOKIE['LALA_ID'] with mysql_real_escape_string() to protect against SQL injections.

2)Use stronger version of hash, like sha512

3)If you so considered about protecting clients plain passwords then you could hash password in client side and send hash to server. On server hash it once again.

codez 2010-06-28 07:45:14

hashing on client is bad, you could then simply send the hash (after compromising the db)

knittl 2010-06-28 08:19:00

hashing on client side prevents from sending plain password over the net if you do not use https

codez 2010-06-29 10:07:44

ansaurus

tags:

views:

answers:

Is it possible to check a md5 password

related questions