
Using MD5 to prevent SQL injection?


CroNiX


I was doing some research and came across an interesting idea for preventing SQL injection, and just thought I'd run it by everyone for thoughts.  Yes, I know about mysql_real_escape_string and other methods, but this was just interesting to me.  I'll give a small example using a simple login checker.

 

//assign the md5 hash of the username and password
$name = md5($_POST['username']);
$pass = md5($_POST['password']);

//in the SQL statement, check the MD5 values of the fields
$sql="SELECT * FROM users WHERE users.username = MD5('$name') AND users.password = MD5('$pass')";
...

Theoretically you wouldn't need to run any sort of validation on the username and password as it takes the hashed value, so any bad SQL/JavaScript/etc. statements would not be present.  Obviously you would need to do the checking on inserts, but if you are using it in a select would this be acceptable?  What say you?

https://forums.phpfreaks.com/topic/132603-using-md5-to-prevent-sql-injection/

The main issue with that is, how are you going to display the username? What if you have another field a user can update, such as their birthdate? What if you have a biography field that you cannot MD5 because you would not be able to retrieve it/the bio would get cut off...

 

Just not realistic. Better just to use the mysql function.

You wouldn't be storing the MD5 values in the database, only using them to check.  As I mentioned, you would of course need to properly escape things when doing an insert.

 

$user=md5("Fred");

$SQL = "SELECT * FROM users WHERE users.name = MD5('Fred')";

 

Since you are retrieving the values, including the user name, you would be able to display the proper user name as it's not STORED hashed.  It's only checking the hashed value in the WHERE clause.

You'll never get a match that way. All your code is doing is applying another md5 to the already md5'd string. e.g.:

 

The database:

mysql> use foo;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT * FROM test;
+--------+
| uname  |
+--------+
| thorpe | 
+--------+
1 row in set (0.00 sec)

mysql> 

 

foo.php:

#!/usr/bin/php
<?php

    mysql_connect('localhost','thorpe','*************') or die(mysql_error()."\n");
    mysql_select_db('foo') or die(mysql_error()."\n");

    $uname = md5('thorpe');

    $sql = "SELECT uname FROM test WHERE uname = MD5('$uname');";

    if ($result = mysql_query($sql)) {
        if (mysql_num_rows($result)) {
            $obj = mysql_fetch_object($result);
            echo $obj->uname."\n";
        } else {
            echo "No match found\n";
        }
    } else {
        echo mysql_error()."\n";
    }

?>

 

thorpe@panacea ~ # ./foo.php 
No match found
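Added example (not from the thread): the same three lookups reproduced in Python against an in-memory SQLite table that mirrors thorpe's constructed `test` table, with a Python `md5_hex` registered as `MD5()` since SQLite has no built-in one. It shows why the double-hash query above returns no rows, what a hash-the-column variant would do, and how a parameterized query handles a name containing a quote without any hashing at all.

```python
import hashlib
import sqlite3


def md5_hex(s: str) -> str:
    """Lowercase hex MD5, the same output MySQL's MD5() produces."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def setup_db() -> sqlite3.Connection:
    """Constructed sample table mirroring thorpe's 'test', plus a name with a quote."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5(); register one so the thread's SQL runs unchanged.
    conn.create_function("MD5", 1, md5_hex)
    conn.execute("CREATE TABLE test (uname TEXT)")
    conn.executemany("INSERT INTO test VALUES (?)", [("thorpe",), ("O'Brien",)])
    return conn


def lookup_double_hash(conn: sqlite3.Connection, username: str) -> list:
    """The thread's code: md5() in PHP, then MD5() again in SQL.

    The column holds the plain name, so uname = MD5(MD5(name)) is never true.
    The spliced value is a hex digest ([0-9a-f] only), which is all that makes it
    'safe' to concatenate; nothing about the comparison is right.
    """
    uname = md5_hex(username)
    sql = f"SELECT uname FROM test WHERE uname = MD5('{uname}')"
    return [row[0] for row in conn.execute(sql)]


def lookup_hash_compare(conn: sqlite3.Connection, username: str) -> list:
    """One reading of what the poster meant: hash the column once, compare to the digest.

    This matches, but it only supports exact equality and defeats any index on uname.
    """
    uname = md5_hex(username)
    sql = f"SELECT uname FROM test WHERE MD5(uname) = '{uname}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """The standard fix: bind the value; quotes in the input are data, not SQL."""
    sql = "SELECT uname FROM test WHERE uname = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = setup_db()
    print("double hash  :", lookup_double_hash(db, "thorpe"))   # []
    print("hash column  :", lookup_hash_compare(db, "thorpe"))  # ['thorpe']
    print("parameterised:", lookup_param(db, "O'Brien"))        # ["O'Brien"]
```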
