Jump to content

Recommended Posts

I was doing some research and came across an interesting idea for preventing SQL injection, and just thought I'd run it by everyone for thoughts.  Yes, I know about mysql_real_escape_string and other methods, but this was just interesting to me.  Ill give a small example using a simple login checker.

 

//assign the md5 hash of the username and password
$name = md5($_POST['username']);
$pass = md5($_POST['password']);

//in the SQL statement, check the MD5 values of the fields
$sql="SELECT * FROM users WHERE users.username = MD5('$name') AND users.password = MD5('$pass')";
...

Theoretically you wouldn't need to run any sort of validation on the username and password as it takes the hashed value so any bad sql/javascript/etc statements would not be present.  Obviously you would need to do the checking on inserts, but if you are using it in a select would this be acceptable?  What say you?

 

Link to comment
https://forums.phpfreaks.com/topic/132603-using-md5-to-prevent-sql-injection/
Share on other sites

The main issue with that is, how are you going to display the username? What if you have another field a user can update, such as their birthdate? What if you have a biography field that you cannot MD5 cause you would not be able to retrieve it/the bio would get cut off...

 

Just not realistic. Better just to use the mysql function.

You wouldn't be storing the MD5 values in the database, only using them to check.  As I mentioned, you would of course need to properly escape things when doing an insert.

 

$user=md5("Fred");

$SQL = "SELECT * FROM users WHERE users.name = MD5('Fred')";

 

Since you are retrieving the values, including the user name, you would be able to display the proper user name as its not STORED hashed.  Its only checking the hashed value in the WHERE clause.

 

 

You'll never get a match that way. All your code is doing is applying another md5 to the already md5'd string. eg;

 

The database:

mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT * FROM test;
+--------+
| uname  |
+--------+
| thorpe | 
+--------+
1 row in set (0.00 sec)

mysql> 

 

foo.php:

#!/usr/bin/php
<?php

    mysql_connect('localhost','thorpe','*************') or die(mysql_error()."\n");
    mysql_select_db('foo') or die(mysql_error()."\n");

    $uname = md5('thorpe');

    $sql = "SELECT uname FROM test WHERE uname = MD5('$uname');";

    if ($result = mysql_query($sql)) {
        if (mysql_num_rows($result)) {
            $obj = mysql_fetch_object($result);
            echo $obj->uname."\n";
        } else {
            echo "No match found\n";
        }
    } else {
        echo mysql_error()."\n";
    }

?>

 

thorpe@panacea ~ # ./foo.php 
No match found

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.