CroNiX Posted November 13, 2008

I was doing some research and came across an interesting idea for preventing SQL injection, and just thought I'd run it by everyone for thoughts. Yes, I know about mysql_real_escape_string and other methods, but this was just interesting to me. I'll give a small example using a simple login checker.

```php
// assign the md5 hash of the username and password
$name = md5($_POST['username']);
$pass = md5($_POST['password']);

// in the SQL statement, check the MD5 values of the fields
$sql = "SELECT * FROM users WHERE users.username = MD5('$name') AND users.password = MD5('$pass')";
...
```

Theoretically you wouldn't need to run any sort of validation on the username and password as it takes the hashed value so any bad sql/javascript/etc statements would not be present. Obviously you would need to do the checking on inserts, but if you are using it in a select would this be acceptable? What say you?
premiso Posted November 13, 2008

The main issue with that is, how are you going to display the username? What if you have another field a user can update, such as their birthdate? What if you have a biography field that you cannot MD5 because you would not be able to retrieve it/the bio would get cut off... Just not realistic. Better just to use the mysql function.
CroNiX Posted November 13, 2008 Author

You wouldn't be storing the MD5 values in the database, only using them to check. As I mentioned, you would of course need to properly escape things when doing an insert.

```php
$user = md5("Fred");
$SQL = "SELECT * FROM users WHERE users.name = MD5('Fred')";
```

Since you are retrieving the values, including the user name, you would be able to display the proper user name as it's not STORED hashed. It's only checking the hashed value in the WHERE clause.
premiso Posted November 13, 2008

Honestly, if that's the way you want to do it I am sure that will prevent against SQL injection. Not sure which way would be better, but if it was me that would not be my choice.
trq Posted November 13, 2008

You'll never get a match that way. All your code is doing is applying another md5 to the already md5'd string. e.g.

The database:

```
mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT * FROM test;
+--------+
| uname  |
+--------+
| thorpe |
+--------+
1 row in set (0.00 sec)

mysql>
```

foo.php:

```php
#!/usr/bin/php
<?php
mysql_connect('localhost', 'thorpe', '*************') or die(mysql_error() . "\n");
mysql_select_db('foo') or die(mysql_error() . "\n");

// hash the username in PHP, then hash it again in the query, as proposed
$uname = md5('thorpe');
$sql = "SELECT uname FROM test WHERE uname = MD5('$uname');";

if ($result = mysql_query($sql)) {
    if (mysql_num_rows($result)) {
        $obj = mysql_fetch_object($result);
        echo $obj->uname . "\n";
    } else {
        echo "No match found\n";
    }
} else {
    echo mysql_error() . "\n";
}
?>
```

```
thorpe@panacea ~ # ./foo.php
No match found
```
Mchl Posted November 13, 2008

This is just overcomplicating things IMHO. We're given attested escaping functions and should use them.
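To make trq's result and the alternatives raised in the thread concrete, here is an added example of my own (not code from any post above), written in Python against an in-memory SQLite database instead of PHP and MySQL. The table, its two rows and the MD5() function registered on the connection are all constructed here; the stored values are plaintext only to mirror the `users` and `test` tables in the thread. The first lookup reproduces the scheme as posted and returns nothing for the same reason trq's script printed "No match found"; the second hashes once and compares against MD5 of the stored column, which does match; the third is the ordinary parameterized query premiso and Mchl point towards, shown with a username that contains a quote.

```python
import hashlib
import sqlite3


def md5_hex(value):
    """MD5 hex digest of a string, matching what PHP's md5() and MySQL's MD5() return."""
    return hashlib.md5(str(value).encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory stand-in for the thread's MySQL tables (sample rows, not real users)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5(); register one so the thread's SQL can be run as written.
    conn.create_function("MD5", 1, md5_hex)
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("thorpe", "secret"), ("o'brien", "hunter2")],
    )
    return conn


def lookup_double_hash(conn, username):
    """The scheme as posted: md5() in application code, then MD5() again in the WHERE clause.
    The column holds the plain username, so it is compared with md5(md5(username)) and never matches."""
    name = md5_hex(username)
    sql = f"SELECT username FROM users WHERE username = MD5('{name}')"
    return [row[0] for row in conn.execute(sql)]


def lookup_single_hash(conn, username):
    """What the scheme presumably intended: hash once, compare with MD5 of the stored column.
    Only characters from [0-9a-f] ever reach the SQL string, which is the sound part of the idea."""
    name = md5_hex(username)
    sql = f"SELECT username FROM users WHERE MD5(username) = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The conventional answer: the driver sends the value separately from the SQL text,
    so a quote inside the username is data rather than syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("double hash  :", lookup_double_hash(db, "thorpe"))      # []
    print("single hash  :", lookup_single_hash(db, "thorpe"))      # ['thorpe']
    print("parameterized:", lookup_parameterized(db, "o'brien"))  # ["o'brien"]
```

Interpolating a hex digest is safe only because its character set is limited to 0-9a-f; the trick cannot be used for inserts or for anything other than an exact match, and wrapping the column in MD5() in the WHERE clause makes the database hash every row instead of using an index on `username`. That is why the parameterized form is the usual recommendation.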