I am using PHP and MySQL. I want to know how to send the password hashed using MD5 and how to check against it when the user tries to log in. I tried it, but it's not working properly. If anyone knows how to do it, please provide me with the code.

+3  A: 
//Register:
$the_magical_salt = "everybody_is_obsessed_with_these_days$3^^2)(%=-"; // Even_though_md5_shouldnt_be_used
// $filtered_username is assumed to be escaped already (mysql_real_escape_string);
// string values still have to be quoted inside the SQL, otherwise the query is a syntax error.
mysql_query("insert into users values (NULL, '" . $filtered_username . "', '" . md5($password . $the_magical_salt) . "')");
//Login:
$res = mysql_query("select password from users where username = '" . $filtered_username . "'");
$row = mysql_fetch_array($res); // false when the username does not exist
// === rather than ==: two hex digests that both look numeric ("0e...") would otherwise compare equal
if ($row && md5($_POST['password'] . $the_magical_salt) === $row[0]) echo "Yeah, you're welcome.";
else echo "Wrong password sugar";

There's not much to it other than using the md5() function twice.

Robus
You should use and store a salt - a random number - so as to prevent offline hashing attacks on the password. Also, MD5 is barely adequate as a hashing mechanism; it would not be recommended by people like Bruce Schneier (and has not been recommended for a number of years now).
Jonathan Leffler
+1 because I've used something similar for wrong passwords. Oh, the angry emails.
Chris T
@Robus - if you're going to bother with a salt, it should be cryptographically-unique per user and stored with the password in the database, not hardcoded in the PHP code.
John Rasch
@John Rasch Wouldn't this make salts... pointless? (I admit I'm not familiar with the topic, as frameworks do this for me.) I mean, wouldn't brute-forcing "password" and "password+salt", where the salt is known, take the same amount of time?
Robus
@Robus - the purpose of a salt is to prevent against brute-forcing against a *database* of users, not one specific user's password. If the salt is the same for every user, it's much, much easier (i.e. possible) to perform a rainbow attack against the database. The threat of a rainbow attack is dramatically decreased (i.e. essentially no chance) if there had to be one generated for every user (defeating the purpose of generating it in the first place.)
John Rasch
+1  A: 

md5 isn't very well suited to this purpose. Read this article to learn the hows and whys, but the short version is that you should use bcrypt instead. A quick Google shows that PHPass claims to support bcrypt.

Hank Gay
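Pulling together John Rasch's point from the comments above (the salt must be random per user and stored next to the hash, not hard-coded in the PHP source) and this answer's recommendation of bcrypt, here is an added example in PHP. It is not code from any of the answers; it assumes PHP 5.5 or later for password_hash()/password_verify(), the pdo_sqlite extension for the self-contained demo, and a users table with username and password_hash columns, which are names chosen for this example rather than taken from the question.

```php
<?php
// Added example, not from the answers above. Assumes PHP >= 5.5 and a PDO
// connection $pdo to a table
//   users(id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)
// (table and column names are assumptions made for this example).

declare(strict_types=1);

/**
 * Register a user. password_hash() draws a random per-user salt and embeds
 * it, the algorithm id and the cost factor in the returned string, so there
 * is no separate salt column and no constant salt in the source code.
 */
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Prepared statement: the username travels as a bound parameter, never
    // concatenated into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/**
 * Verify a login attempt. Returns true only if the user exists and the
 * submitted password matches the stored hash. password_verify() reads the
 * salt back out of the stored string and compares in constant time.
 */
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one bcrypt verification against a
        // syntactically valid dummy hash so the response time does not
        // reveal whether the username exists.
        password_verify($password, '$2y$12$' . str_repeat('.', 53));
        return false;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Transparent upgrade when the stored hash uses an older algorithm or a
    // lower cost than the current policy.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([
            ':h' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
            ':u' => $username,
        ]);
    }
    return true;
}

// Demo against an in-memory SQLite database with constructed test users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE, password_hash TEXT)');

registerUser($pdo, 'alice', 'correct horse battery staple');
registerUser($pdo, 'bob',   'correct horse battery staple');

// Same password for both users, yet the stored hashes differ: that is the
// per-user salt at work, which a single hard-coded salt cannot give you.
$hashes = $pdo->query('SELECT username, password_hash FROM users')->fetchAll(PDO::FETCH_KEY_PAIR);
var_dump($hashes['alice'] !== $hashes['bob']);

var_dump(loginUser($pdo, 'alice', 'correct horse battery staple'));
var_dump(loginUser($pdo, 'alice', 'wrong password'));
var_dump(loginUser($pdo, 'nobody', 'anything'));
```

Two differences from the first answer's snippet are the point: the password column holds a self-describing bcrypt string (algorithm, cost, random salt, digest) instead of md5(password + constant), so a rainbow table built for one user is useless against the next, and the SQL uses bound parameters instead of string concatenation, so the username no longer needs hand filtering before it reaches the query.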
A: 

Without any more information it's going to be difficult to help you, but what I believe you want is Digest Authentication.

Here is an example (specifically Example #7) from the PHP documentation: http://php.net/manual/en/features.http-auth.php

Note that this type of authentication does not prevent against man-in-the-middle attacks. If, for example, someone is sniffing traffic on a victim's network, the attacker could simply replay the request with the digested username/password combination, and your PHP script would happily authenticate the attacker as the victim.

John Rasch
I want to save a password from a PHP text field to a MySQL table. It's a normal user registration and login system. I saved it using encryption in the DB, but when I use a select query to check whether the login password and the password the user already provided are the same, it gives me nothing even though they're the same. I am confused now.
Mujahid
OK, thanks everybody, I could do that. I saved it as MD5() and when I check the password I use the same MD5(), so it works fine :)
Mujahid
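John Rasch's Digest Authentication answer above points out that a digest sniffed off the wire can simply be replayed. As an added example, not taken from the PHP manual page he links nor from any answer here, this is the server-side verification with a nonce store, so that the same Authorization header presented a second time is rejected. It assumes PHP 7 or later (random_bytes, hash_equals); the realm name, the user table and the in-memory nonce store are constructed for the demo and are not from the page.

```php
<?php
// Added example, not from the PHP manual or the answer above. Server-side
// HTTP Digest verification (qop=auth) with a nonce store that tracks the
// nonce-count, so a captured header cannot be replayed as-is.
// Assumes PHP >= 7. All data below is constructed for the demo.

declare(strict_types=1);

const REALM = 'Restricted area';   // assumed realm name

// Per user the server keeps HA1 = md5(username:realm:password), which is what
// Digest requires; treat it as sensitively as a plaintext password.
$users = ['alice' => md5('alice:' . REALM . ':s3cret')];

// Nonce store: nonce => highest nonce-count (nc) accepted so far. A real
// deployment keeps this in a shared store and expires old nonces.
$issuedNonces = [];

function issueNonce(array &$store): string
{
    $nonce = bin2hex(random_bytes(16));
    $store[$nonce] = 0;
    return $nonce;
}

/** Parse the key="value" and key=value pairs of a Digest Authorization header. */
function parseDigest(string $header): ?array
{
    if (stripos($header, 'Digest ') !== 0) {
        return null;
    }
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $out = [];
    foreach ($m as $part) {
        $out[$part[1]] = ($part[2] === '' && isset($part[3])) ? $part[3] : $part[2];
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'] as $k) {
        if (!isset($out[$k])) {
            return null;
        }
    }
    return $out;
}

/**
 * Verify one request. Unknown nonces and a nonce-count that does not advance
 * are rejected, so a replayed header fails even though its response digest
 * is mathematically valid.
 */
function verifyDigest(array $d, string $method, array $users, array &$store): bool
{
    if (!isset($users[$d['username']]) || $d['realm'] !== REALM || $d['qop'] !== 'auth') {
        return false;
    }
    if (!isset($store[$d['nonce']])) {
        return false;                  // nonce never issued by us (or already expired)
    }
    $nc = hexdec($d['nc']);
    if ($nc <= $store[$d['nonce']]) {
        return false;                  // replay: nonce-count did not increase
    }
    $ha1 = $users[$d['username']];
    $ha2 = md5($method . ':' . $d['uri']);
    $expected = md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:{$d['qop']}:$ha2");
    if (!hash_equals($expected, $d['response'])) {
        return false;
    }
    $store[$d['nonce']] = $nc;         // remember the highest nc accepted
    return true;
}

// Demo: build the client side of one constructed request, then present the
// identical header a second time.
$nonce  = issueNonce($issuedNonces);
$cnonce = bin2hex(random_bytes(8));
$ha2    = md5('GET:/private');
$resp   = md5($users['alice'] . ":$nonce:00000001:$cnonce:auth:$ha2");
$header = 'Digest username="alice", realm="' . REALM . '", nonce="' . $nonce . '", uri="/private", '
        . 'qop=auth, nc=00000001, cnonce="' . $cnonce . '", response="' . $resp . '"';

$parsed = parseDigest($header);
var_dump(verifyDigest($parsed, 'GET', $users, $issuedNonces));   // first presentation
var_dump(verifyDigest($parsed, 'GET', $users, $issuedNonces));   // same header again
```

The nonce-count check is what the manual's bare example lacks: without it the server cannot tell a legitimate request from a copy of one, which is exactly the replay the answer describes. It does not help against an attacker who can modify traffic in flight; for that the connection itself has to be protected with TLS.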