Digitry Designs, posted April 29, 2010

Hello and thank you for reading. I am using the md5 statement to send passwords to the database and verify them and what not. I have used this same code in the past and I am simply migrating it to another database and site. So my question is, does collation matter if I am using the md5 statement? Thank you in advance.
ignace, posted April 29, 2010

> So my question is, does collation matter if I am using the md5 statement?

No, as it's one of the requirements for a hash function. How do you MD5 these passwords? Like:

```sql
WHERE password = md5('$password');
```

Then your website is in danger, as hackers can use rainbow tables to retrieve a value that will match the MD5 stored in your database, and it's best to use salts like:

```sql
WHERE password = md5( concat( password_salt, md5( '$password' ) ) )
```

The hacker now isn't able to use a rainbow table as the retrieved value wouldn't be correct.
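As an added illustration of the salted scheme in the reply above (this is not code from ignace's post): the same md5(concat(password_salt, md5(password))) computation done in PHP over two constructed user records, showing that identical passwords get different stored digests once each user has their own salt, plus a verification helper that compares in constant time. The user names, salts and passwords are made up for the example.

```php
<?php
// Added example, not code from the thread: the salted scheme
// md5(concat(password_salt, md5(password))) computed in PHP over constructed
// user records, to show what the per-user salt changes.

// Constructed sample rows: two users who chose the same weak password.
$users = [
    'alice' => ['password_salt' => 'k3Z9pQ1x', 'password' => '123456'],
    'bob'   => ['password_salt' => 'Tt8wLm4c', 'password' => '123456'],
];

// Same computation ignace proposed for the WHERE clause, done in application code.
function saltedMd5(string $salt, string $password): string
{
    return md5($salt . md5($password));
}

// Constant-time comparison so response timing does not leak how much of the
// digest matched.
function verifySaltedMd5(string $salt, string $password, string $stored): bool
{
    return hash_equals($stored, saltedMd5($salt, $password));
}

// Unsalted: identical passwords give identical digests, so one precomputed
// table entry for md5('123456') matches every user who chose that password.
foreach ($users as $name => $u) {
    printf("%-6s unsalted md5: %s\n", $name, md5($u['password']));
}

// Salted: the digests differ per user, and a table keyed on the password alone
// no longer matches the stored value.
$stored = [];
foreach ($users as $name => $u) {
    $stored[$name] = saltedMd5($u['password_salt'], $u['password']);
    printf("%-6s salted md5:   %s\n", $name, $stored[$name]);
}

var_dump($stored['alice'] !== $stored['bob']);
var_dump(verifySaltedMd5($users['alice']['password_salt'], '123456', $stored['alice']));
var_dump(verifySaltedMd5($users['alice']['password_salt'], 'wrong-guess', $stored['alice']));
```

Computing the digest in PHP rather than inside the WHERE clause keeps the plaintext password out of the SQL text, and so out of any query log. MD5 is fast by design, so a salt stops table precomputation but does nothing against guessing one user's password directly; for new code PHP's password_hash() (bcrypt by default, with its own random salt) replaces this scheme.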
ignace, posted April 29, 2010

Take a look at http://www.php.net/manual/en/function.md5.php#81708
Digitry Designs (author), posted April 29, 2010

> So my question is, does collation matter if I am using the md5 statement?
>
> No, as it's one of the requirements for a hash function. How do you MD5 these passwords? Like: `WHERE password = md5('$password');` Then your website is in danger, as hackers can use rainbow tables to retrieve a value that will match the MD5 stored in your database, and it's best to use salts like: `WHERE password = md5( concat( password_salt, md5( '$password' ) ) )` The hacker now isn't able to use a rainbow table as the retrieved value wouldn't be correct.

Thank you for your concern. I am not sure that it being required as a hash function answered my question, or maybe I did not understand it. Also, I am a bit new with login scripting and so forth, but here is what I have. These are two files: the first is the session handler file, and the second is the login processing file, which includes the first one.

```php
<?php
// (my sql connect info goes here)
session_start();

function cleanString($string) {
    // the result has to be assigned back; as originally posted the input was returned unchanged
    $string = htmlentities(mysql_real_escape_string($string));
    return $string;
}

// empty() avoids an undefined-index notice when the session keys are not set yet
if (empty($_SESSION['username']) || empty($_SESSION['password'])) {
    $loggedIn = false;
} else {
    $loggedIn = true;
}
```

```php
<?php
// (an include of the session handler file above goes here)

$username = cleanString($_POST['username']);
$password = md5($_POST['password']);

// If the fields are empty you must go back and fill them out
// (check the raw POST value: md5('') is a non-empty string, so the hash is never "empty")
if (empty($username) || empty($_POST['password'])) {
    echo 'You must enter a username and password!';
}
// let's compare the username to others in the database for a match
else {
    $sql = mysql_query("SELECT * FROM users WHERE username='$username'");
    if (mysql_num_rows($sql) < 1) {
        echo 'That username does not exist.';
    }
    // if we do have a username match, now we can compare the password to see if it is a match as well
    else {
        $sql2 = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
        if (mysql_num_rows($sql2) < 1) {
            echo 'Your password is incorrect.';
        }
        // since everything worked out, let's log the user in
        else {
            $_SESSION['username'] = $username;
            $_SESSION['password'] = $password;
            echo '<meta HTTP-EQUIV="REFRESH" content="0; url=mail.php">';
        }
    }
}
?>
```

How do I make it more secure, and how do I make it so I can log in? Every time I try it says I put in the wrong password. Any ideas? Thank you for your help.
ignace, posted April 29, 2010

The cleaning function I would write as:

```php
<?php
if (!function_exists('get_magic_quotes_gpc')) {
    function get_magic_quotes_gpc() { return false; }
}

function clean($value, $charset = 'ISO-8859-1', $allowed_tags = '') {
    $value = trim($value);
    $value = strip_tags($value, $allowed_tags);
    // ENT_QUOTES (the post had ENT_QUOTE, which is not a PHP constant)
    $value = htmlentities($value, ENT_QUOTES, $charset);
    // mysql_real_escape_string() returns false when no connection is open;
    // fall back to addslashes() unless magic quotes already escaped the input
    $escaped = @mysql_real_escape_string($value);
    $value = (false !== $escaped) ? $escaped : (get_magic_quotes_gpc() ? $value : addslashes($value));
    return $value;
}
```

The login implementation could be:

```php
<?php
function validUsername($username) { /* implementation */ return true; } // placeholder so the stub runs
function validPassword($password) { /* implementation */ return true; } // placeholder so the stub runs

function findUserByCredentials($username, $password, $result_type = MYSQL_ASSOC) {
    $username = clean($username);
    $password = clean($password);
    $query = "SELECT id, username FROM users WHERE username = '$username'"
           . " AND password = sha1( concat( password_salt, sha1( '$password' ) ) )";
    $result = mysql_query($query);
    return (false !== $result && mysql_num_rows($result) === 1)
        ? mysql_fetch_array($result, $result_type)
        : array();
}

function verifyUser($user) {
    if (!session_id()) session_start();
    $_SESSION = array_merge($_SESSION, $user);
    return true;
}

define('LOGIN_OK', 1);
define('LOGIN_EMPTY', 2);
define('LOGIN_INVALID', 4);
define('LOGIN_NOT_FOUND', 8); // the forum rendered "8)" as a smiley; 1, 2, 4, 8 are bit flags

function login($username, $password) {
    $username = clean($username);
    $password = clean($password);
    if (empty($username) || empty($password)) return LOGIN_EMPTY;
    if (!validUsername($username) || !validPassword($password)) return LOGIN_INVALID;
    $user = findUserByCredentials($username, $password);
    if (empty($user)) return LOGIN_NOT_FOUND;
    verifyUser($user);
    return LOGIN_OK;
}
```
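As an added example, not ignace's or Digitry's code: the register/login flow from this thread rebuilt with a PDO prepared statement and PHP's password_hash()/password_verify(), which answers the "how do I make it more secure" part of the question. It runs stand-alone against an in-memory SQLite database (pdo_sqlite, PHP 7.0 or later); the users table with columns id, username and password_hash, the status constants and the sample credentials are this example's own assumptions.

```php
<?php
// Added example, not ignace's or Digitry's code: the register/login flow from
// this thread rebuilt with a PDO prepared statement and PHP's
// password_hash()/password_verify(). Runs stand-alone against an in-memory
// SQLite database; the users table (id, username, password_hash) and the
// status codes are this example's own assumptions.

const LOGIN_OK        = 1;
const LOGIN_EMPTY     = 2;
const LOGIN_NOT_FOUND = 4;

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL)');
    return $db;
}

// password_hash() picks a random per-user salt and stores it inside the hash
// string, so there is no separate password_salt column to manage.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// The username travels as a bound parameter, so no cleanString()/escaping step
// is needed and a name containing a quote is matched literally. The password
// never reaches the database: the stored hash is fetched and checked in PHP.
function login(PDO $db, string $username, string $password): array
{
    if ($username === '' || $password === '') {
        return ['status' => LOGIN_EMPTY];
    }
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // One status for both "unknown user" and "wrong password", so the login
    // form does not confirm which usernames exist (the thread's original code
    // echoed a different message for each case).
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return ['status' => LOGIN_NOT_FOUND];
    }

    // Keep only the identity in the session, never the password or its hash,
    // and issue a fresh session id at the login boundary.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user['id'];
    $_SESSION['username'] = $user['username'];
    return ['status' => LOGIN_OK, 'user_id' => $user['id']];
}

// Constructed walk-through with made-up credentials.
$db = openDb();
registerUser($db, "o'brien", 'correct horse battery staple');
var_dump(login($db, "o'brien", 'correct horse battery staple')['status'] === LOGIN_OK);
var_dump(login($db, "o'brien", 'wrong-guess')['status'] === LOGIN_NOT_FOUND);
var_dump(login($db, 'nobody', 'anything')['status'] === LOGIN_NOT_FOUND);
var_dump(login($db, '', '')['status'] === LOGIN_EMPTY);
```

Swapping the SQLite DSN for a MySQL one (and keeping PDO::ATTR_EMULATE_PREPARES off) leaves the rest unchanged. Because the hash comparison happens in password_verify() rather than in the WHERE clause, the column's collation has no bearing on whether a login succeeds.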