ansaurus

Question

Answer 1

+4 A:

Why do you want to use mysql password() function? Even the Mysql documentation advises against this:

http://dev.mysql.com/doc/refman/5.0/en/encryption-functions.html#function_password

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications

You can use md5() for example, wich is present in almost every programming language, php and perl included.

Davide Gualano 2008-11-03 23:04:53

MD5 has been broken. So has SHA1. NIST recommends using a SHA-2 family function such as SHA224, SHA256, SHA384 or SHA512. http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

jakber 2008-11-03 23:18:31

The thread starter just wanted to create a hash, and did not say he would use it for storing passwords, so I didn't mind about the strength of the md5 algorithm.

Davide Gualano 2008-11-03 23:22:18

Why do you care what he wants the function for? He didn't say he was using it in an application, and specifically stated he didn't want to use MD5.

Keith Palmer 2009-10-07 12:18:36

Answer 2

+8 A:

If you are interested in the algorithm of this function, download the source code and see the file sql/password.c, or check this implementation.

CMS 2008-11-03 23:06:26

I don't know why you haven't been up-voted more, you're the only one in the thread who actually answered the guys question... go you!

Keith Palmer 2009-10-07 12:17:04

Indeed. I too came here looking for the actual algorithm. It's not in the MySQL documentation. Thanks CMS.

Omniwombat 2010-05-01 18:35:54

Answer 3

+4 A:

I originally stumbled across this question in my own search for a PHP implementation of the two MySQL password hashing functions. I was unable to find any implementations, so I adapted my own from the MySQL source code (sql/password.c). The following are tested and working in PHP 5.2:

// The following is free for any use provided credit is given where due.
// This code comes with NO WARRANTY of any kind, including any implied warranty.

/**
 * MySQL "OLD_PASSWORD()" AKA MySQL323 HASH FUNCTION
 * This is the password hashing function used in MySQL prior to version 4.1.1
 * By Rev. Dustin Fineout 10/9/2009 9:12:16 AM
**/
function mysql_old_password_hash($input, $hex = true)
{
  $nr = 1345345333; $add = 7; $nr2 = 0x12345671; $tmp = null;
  $inlen = strlen($input);
  for ($i = 0; $i < $inlen; $i++) {
    $byte = substr($input, $i, 1);
    if ($byte == ' ' || $byte == "\t") continue;
    $tmp = ord($byte);
    $nr ^= ((($nr & 63) + $add) * $tmp) + (($nr << 8) & 0xFFFFFFFF);
    $nr2 += (($nr2 << 8) & 0xFFFFFFFF) ^ $nr;
    $add += $tmp;
  }
  $out_a = $nr & ((1 << 31) - 1);
  $out_b = $nr2 & ((1 << 31) - 1);
  $output = sprintf("%08x%08x", $out_a, $out_b);
  if ($hex) return $output;
  return hex_hash_to_bin($output);
} //END function mysql_old_password_hash

/**
 * MySQL "PASSWORD()" AKA MySQLSHA1 HASH FUNCTION
 * This is the password hashing function used in MySQL since version 4.1.1
 * By Rev. Dustin Fineout 10/9/2009 9:36:20 AM
**/
function mysql_password_hash($input, $hex = true)
{
  $sha1_stage1 = sha1($input, true);
  $output = sha1($sha1_stage1, !$hex);
  return $output;
} //END function mysql_password_hash

/**
 * Computes each hexidecimal pair into the corresponding binary octet.
 * Similar to mysql hex2octet function.
**/
function hex_hash_to_bin($hex)
{
  $bin = "";
  $len = strlen($hex);
  for ($i = 0; $i < $len; $i += 2) {
    $byte_hex = substr($hex, $i, 2);
    $byte_dec = hexdec($byte_hex);
    $byte_char = chr($byte_dec);
    $bin .= $byte_char;
  }
  return $bin;
} //END function hex_hash_to_bin

Hopefully someone else will find this useful as well :)

Dustin Fineout 2009-10-09 13:45:13

Works perfect! Nice php implementation.

x2 2009-10-21 04:12:09

ansaurus

tags:

views:

answers:

MySQL Hashing Function Implementation

related questions