Digitry Designs (posted April 29, 2010)

Hello and thank you for reading. I am using the md5 statement to send passwords to the database and verifying and what not. I have used this same code in the past and I am simply migrating it to another database and site. So my question is: does collation matter if I am using the md5 statement? Thank you in advance.
ignace (posted April 29, 2010)

> So my question is: does collation matter if I am using the md5 statement?

No, as it's one of the requirements for a hash function. How do you MD5 these passwords? Like:

    WHERE password = md5('$password');

Then your website is in danger, as hackers can use rainbow tables to retrieve a value that will match the MD5 stored in your database, and it's best to use salts like:

    WHERE password = md5( concat( password_salt, md5( '$password' ) ) )

The hacker now isn't able to use a rainbow table, as the retrieved value wouldn't be correct.
ignace (posted April 29, 2010)

Take a look at http://www.php.net/manual/en/function.md5.php#81708
Digitry Designs (posted April 29, 2010, author)

> > So my question is: does collation matter if I am using the md5 statement?
>
> No, as it's one of the requirements for a hash function. How do you MD5 these passwords? Like:
>
>     WHERE password = md5('$password');
>
> Then your website is in danger, as hackers can use rainbow tables to retrieve a value that will match the MD5 stored in your database, and it's best to use salts like:
>
>     WHERE password = md5( concat( password_salt, md5( '$password' ) ) )
>
> The hacker now isn't able to use a rainbow table, as the retrieved value wouldn't be correct.

Thank you for your concern. I am not sure that it being required as a hash function answered my question, or maybe I did not understand it. Also I am a bit new with login scripting and so forth, but here is what I have.

    <?php
    // (((((my sql connect info))))))
    session_start(); // required before $_SESSION can be read (missing in the original)

    function cleanString($string) {
        // The original called htmlentities() but discarded its result and
        // returned $string unchanged; the cleaned value must be assigned back.
        $string = htmlentities(mysql_real_escape_string($string));
        return $string;
    }

    if (empty($_SESSION['username']) || empty($_SESSION['password'])) {
        $loggedIn = False;
    } else {
        $loggedIn = True;
    }

This splits what are two files. The above is the session handler file, and the below is the login processing file.

    <?php
    // <there is an include_function here to include the above file>
    $username = cleanString($_POST['username']);
    $password = $_POST['password'];

    // If the fields are empty you must go back and fill them out
    // (checked before hashing: md5('') is itself a non-empty string)
    if (empty($username) || empty($password)) {
        echo 'You must enter a username and password!';
    }
    // lets compare the username to others in the database for a match
    else {
        $password = md5($password);
        $sql = mysql_query("SELECT * FROM users WHERE username='$username'");
        if (mysql_num_rows($sql) < 1) {
            echo 'That username does not exist.';
        }
        // if we do have a username match, now we can compare the username password to see if it is a match as well
        else {
            $sql2 = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
            if (mysql_num_rows($sql2) < 1) {
                echo 'Your password is incorrect.';
            }
            // since everything worked out, lets log the user in
            else {
                $_SESSION['username'] = $username;
                $_SESSION['password'] = $password;
                echo '<meta HTTP-EQUIV="REFRESH" content="0; url=mail.php">';
            }
        }
    }
    ?>

How do I make it more secure, and how do I make it so I can log in? Every time I try, it says I put in the wrong password. Any ideas? Thank you for your help.
ignace (posted April 29, 2010)

The cleaning function I would write as:

    if (!function_exists('get_magic_quotes_gpc')) {
        function get_magic_quotes_gpc() { return false; }
    }

    function clean($value, $charset = 'ISO-8859-1', $allowed_tags = '') {
        $value = trim($value);
        $value = strip_tags($value, $allowed_tags);
        // ENT_QUOTES: the original had ENT_QUOTE, which is not a defined constant
        $value = htmlentities($value, ENT_QUOTES, $charset);
        // Use the driver's escaping when a connection is open; otherwise fall back
        // to addslashes() unless magic_quotes_gpc has already added the slashes.
        $temp = @mysql_real_escape_string($value);
        if ($temp !== false) {
            $value = $temp;
        } elseif (!get_magic_quotes_gpc()) {
            $value = addslashes($value);
        }
        return $value;
    }

The login implementation could be:

    function validUsername($username) { /* implementation */ }
    function validPassword($password) { /* implementation */ }

    function findUserByCredentials($username, $password, $result_type = MYSQL_ASSOC) {
        $username = clean($username);
        $password = clean($password);
        $query = "SELECT id, username FROM users WHERE username = '$username' AND password = sha1( concat( password_salt, sha1( '$password' ) ) )";
        $result = mysql_query($query);
        return false !== $result && mysql_num_rows($result) === 1 ? mysql_fetch_array($result, $result_type) : array();
    }

    function verifyUser($user) {
        if (!session_id()) session_start();
        $_SESSION = array_merge($_SESSION, $user);
        return true;
    }

    define('LOGIN_OK', 1);
    define('LOGIN_EMPTY', 2);
    define('LOGIN_INVALID', 4);
    define('LOGIN_NOT_FOUND', 8);

    function login($username, $password) {
        $username = clean($username);
        $password = clean($password);
        if (empty($username) || empty($password)) return LOGIN_EMPTY;
        if (!validUsername($username) || !validPassword($password)) return LOGIN_INVALID;
        $user = findUserByCredentials($username, $password);
        if (empty($user)) return LOGIN_NOT_FOUND;
        verifyUser($user);
        return LOGIN_OK;
    }
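To make the salted scheme ignace describes concrete, and as the hardened form of the login code in this thread, here is an added example that is not from the thread or any of its posters: it computes sha1(salt . sha1(password)) in PHP with a per-user random salt, stores it, and verifies with a prepared statement and a constant-time compare, so the password never enters SQL text. The table layout users(id, username, password_salt, password_hash), the in-memory SQLite database (pdo_sqlite) and the sample user are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1 with pdo_sqlite
// and an assumed table users(id, username, password_salt, password_hash).

function makeSalt(): string {
    // 16 random bytes from the CSPRNG, hex-encoded: a fresh salt per user.
    return bin2hex(random_bytes(16));
}

function hashPassword(string $password, string $salt): string {
    // Same construction as the thread's SQL: sha1( concat( salt, sha1( pw ) ) )
    return sha1($salt . sha1($password));
}

function registerUser(PDO $db, string $username, string $password): void {
    $salt = makeSalt();
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_salt, password_hash) VALUES (?, ?, ?)'
    );
    $stmt->execute([$username, $salt, hashPassword($password, $salt)]);
}

function findUserByCredentials(PDO $db, string $username, string $password): ?array {
    // Look the row up by username only; the hash comparison happens in PHP.
    $stmt = $db->prepare(
        'SELECT id, username, password_salt, password_hash FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $expected = hashPassword($password, $row['password_salt']);
    // hash_equals() runs in constant time, unlike == or ===.
    if (!hash_equals($row['password_hash'], $expected)) {
        return null;
    }
    return ['id' => $row['id'], 'username' => $row['username']];
}

// Demo against an in-memory database with a constructed sample user.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, '
        . 'password_salt TEXT, password_hash TEXT)');
registerUser($db, 'alice', 'correct horse');
var_dump(findUserByCredentials($db, 'alice', 'correct horse') !== null);
var_dump(findUserByCredentials($db, 'alice', 'wrong') === null);
```

The same structure works unchanged with password_hash()/password_verify() in place of hashPassword(), which is what a current PHP application should use. After a successful login, store only the user's id in $_SESSION after session_start(), never the password or its hash.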