
md5() in mysql != md5() in php4 ???



#1 Jointy


Posted 22 October 2003 - 09:42 PM

Hello,

I have the following situation...

a MySQL table (the password is stored as a sha1() hash!!!)

username password created ......

The query for it is

[php:1:42abf792f6]

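$query = "SELECT MD5(password+created) AS hash, username, created
FROM user WHERE LOWER(username) = '" . mysql_escape_string(strtolower($username)) . "'";

// MySQL stuff: run the query and fetch the row into $buf
$result = mysql_query($query);
$buf = mysql_fetch_assoc($result);

// check
if( $buf["hash"] != md5(sha1($password).$buf["created"]) )
{
// Failed login
}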


[/php:1:42abf792f6]

The sha1 hash in the password field is "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d" and created is "2003-10-22 18:03:40"

The hash from MySQL is then "1bda96f9c3d659c31df37f7f58d2d8d9" but the one from

[php:1:42abf792f6]
$password = "hello";
echo md5(sha1($password).$buf["created"]); // = "eef482911243878d5668b7d9ea0323be"
[/php:1:42abf792f6]

Does anyone perhaps know why that is??

I am using
w2ksp4 apache 2.0.46 /w php 4.3.3 and mysql 3.23.57-nt

thx & cya
Jointy

#2 pauper_i


Posted 25 October 2003 - 05:05 AM

Hi Jointy,

I'm assuming you can probably read English so I'll keep it in this language so that others can check my answer:

From what I can understand with my very rusty German, you are not getting the same results from MySQL as you do from PHP with the MD5 checksum.

Looking at your code, however, you are using a double checksum and I think that that is where you may be hitting the problem. Try removing the SHA1 functions, leaving only the MD5 functions and it may cure your problem!

The SHA1 version is based on a different RFC from the MD5 version, although the two are fairly similar in their operation, the difference being the algorithm used where the MD5 version operates on 448 bits while the SHA1 version operates on 512 bits. You can read the RFCs for MD5 - RFC1321 and SHA-1 - RFC3174 for full details. (Is the SHA1 capability included in versions of both MySQL and PHP exported outside the US?)

Basically, you are calculating a checksum of the password, then creating a checksum of the checksum. I don't know whether you took this step in your original checksum of the database stored version, but one or the other is fine, you don't normally need both.

Could we see the code used to create the field 'MD5 AS hash'?

Genius is one percent inspiration, and ninety-nine percent perspiration.
Thomas Alva Edison
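
An added example, not part of either post: in MySQL the `+` operator is arithmetic, not string concatenation, so `MD5(password+created)` hashes the decimal text of a numeric sum, while PHP's `.` operator joins the two strings. The helper names are hypothetical, and the column types are an assumption because the question does not state them.

```php
<?php
// Added example, not code from the thread. It assumes `password` is a
// string column; whether `created` is DATETIME or a string is not stated
// in the post, so both cases are shown.

// Emulate MySQL's implicit string-to-number cast for the + operator:
// only a leading integer prefix survives, everything else becomes 0.
// (Integer prefix only, which is enough for the values below.)
function mysql_plus_operand($value)
{
    return preg_match('/^\s*(-?\d+)/', $value, $m) ? (int) $m[1] : 0;
}

// What MD5(a + b) hashes in MySQL: the decimal text of the numeric sum.
function mysql_md5_of_sum($a, $b)
{
    return md5((string) (mysql_plus_operand($a) + mysql_plus_operand($b)));
}

// What MD5(CONCAT(a, b)) hashes: the joined strings, like PHP's "." operator.
function mysql_md5_of_concat($a, $b)
{
    return md5($a . $b);
}

$stored  = sha1('hello');            // value of the password column
$created = '2003-10-22 18:03:40';    // created as quoted in the question

// PHP side of the comparison from the question.
$php = md5($stored . $created);

// MySQL side as posted: "aaf4..." casts to 0, the date text to 2003.
$sum_text = mysql_md5_of_sum($stored, $created);
// A DATETIME column in numeric context reads as 20031022180340.
$sum_datetime = mysql_md5_of_sum($stored, '20031022180340');

printf("PHP   md5(sha1 . created)      : %s\n", $php);
printf("MySQL MD5(password+created) str: %s\n", $sum_text);
printf("MySQL MD5(password+created) dt : %s\n", $sum_datetime);
printf("MySQL MD5(CONCAT(...)) matches : %s\n",
    mysql_md5_of_concat($stored, $created) === $php ? 'yes' : 'no');

// Query that hashes the same bytes as the PHP expression:
//   SELECT MD5(CONCAT(password, created)) AS hash, username, created FROM user ...
```

Because a stored hash that begins with a letter casts to 0, the summed value depends only on `created` and not on the password, so the `+` form cannot serve as a credential check even if the PHP side were changed to match it.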



