phpmady
Posted September 19, 2010

Hi,

I am running my website, where a hacker hacked my site and sent me a message.

http://localhost/tr/trainers.php?do=show&Trainer_ID=-152+UNION%20SELECT%201,User_Password,3,4,5,6,7,8,9,10+from+users

By running this URL I can get an encrypted password in my webpage. Even though I got an encrypted password, I feared my site can be hacked.

Thanks

Link to comment: https://forums.phpfreaks.com/topic/213799-can-md5-breakable/

wildteen88
Posted September 19, 2010

You're not sanitizing your user input correctly. The hacker is using an attack known as SQL Injection to grab the passwords from your databases. If Trainer_ID is only supposed to contain a number you should check this before you use it. I'd do something like this to make sure Trainer_ID is actually a number:

    if(isset($_GET['Trainer_ID']) && is_numeric($_GET['Trainer_ID']))
        $Trainer_ID = $_GET['Trainer_ID'];

Here we're checking to make sure the variable exists. Then we validate it to make sure it contains the data we're expecting, in this case a number.

If you do not sanitize your user input then you will be prone to these kinds of attacks. Have a read of this four part article for tips on writing secure PHP code.
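
An added example, not part of the original posts: validating Trainer_ID as an integer and then binding it in a prepared statement, so the value is always treated as data and never as SQL. It assumes the PDO SQLite driver is available; the in-memory table, its row and the find_trainer() helper are constructed for the demonstration.

```php
<?php
// Constructed demo data: an in-memory SQLite table stands in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE trainers (Trainer_ID INTEGER PRIMARY KEY, Name TEXT)');
$db->exec("INSERT INTO trainers VALUES (152, 'Constructed Trainer')");

/**
 * Hypothetical helper: return the trainer row for a request parameter, or
 * null when the parameter is not a positive integer or no such row exists.
 */
function find_trainer(PDO $db, $raw)
{
    // FILTER_VALIDATE_INT is stricter than is_numeric(): it rejects values
    // such as '1e3' and '1.5' as well as anything followed by SQL text.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value is bound as an integer parameter, so it cannot change
    // the structure of the query.
    $stmt = $db->prepare('SELECT Trainer_ID, Name FROM trainers WHERE Trainer_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The Trainer_ID value from the URL in the first post, URL-decoded.
$fromFirstPost = '-152 UNION SELECT 1,User_Password,3,4,5,6,7,8,9,10 from users';

echo "valid id: ";
var_dump(find_trainer($db, '152'));
echo "value from the first post: ";
var_dump(find_trainer($db, $fromFirstPost));
echo "exponent notation: ";
var_dump(find_trainer($db, '1e3'));
```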

phpmady (Author)
Posted September 19, 2010

Hi,

OK, now I have done some sanitizing, but I still have a doubt whether MD5 is breakable?

PaulRyan
Posted September 19, 2010

You cannot recover the original plaintext password from an MD5 value. The best you can do is to come up with some random string which happens to have the same MD5 hash. This may or may not be the original password; but if it has the same MD5 value, that's probably good enough to log in with.

But generating a hash collision on purpose (collision -> two strings hash to the same value) is almost impossible. It requires a huge amount of coordinated effort. It would take months or maybe years for hundreds of people working together to "break" a single MD5 hash and generate a string which matches that MD5 output.

So basically, MD5 is "secure enough" for most password uses. BUT if you are worried about hundreds of people launching a coordinated effort to break into your site, then maybe you should use the newer (and more complicated) SHA-1 hash instead of MD5. PHP now supports the sha1() function; eventually, everyone will need to move over to that ... and then to some stronger hashing function yet.

Ten years ago, cracking MD5 would have been totally impossible. But because of gains in computer speeds, today it's just a matter of dedication and effort. Ten years from now, MD5 might be breakable by a pocket calculator, and SHA1 will be pretty simple too. Cryptography and security are always evolving to stay one step ahead of brute force computer speed.

Regards,
Paul.

Pikachu2000
Posted September 19, 2010

Salt your hashes. Salting makes it much stronger.
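
An added example, not part of the original posts: what salting changes for two accounts that share a password, and one way to move stored unsalted MD5 values to salted hashes at the next successful login. It assumes PHP 5.6 or later (password_hash(), password_verify(), hash_equals()); verify_and_upgrade() is a hypothetical helper and the password is constructed sample data.

```php
<?php
/**
 * Hypothetical helper: check a login against a stored hash and report what
 * should be stored afterwards. Returns [bool $ok, string|null $replacementHash].
 */
function verify_and_upgrade($submitted, $stored)
{
    // Legacy row: 32 hex characters of unsalted MD5.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        $ok = hash_equals(strtolower($stored), md5($submitted));
        // On success, hand back a salted, deliberately slow hash to store instead.
        return [$ok, $ok ? password_hash($submitted, PASSWORD_DEFAULT) : null];
    }
    // Modern row: the salt, algorithm and cost are embedded in the stored string.
    $ok = password_verify($submitted, $stored);
    $new = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? password_hash($submitted, PASSWORD_DEFAULT)
        : null;
    return [$ok, $new];
}

// Constructed sample data: two accounts that happen to share one password.
$password    = 'constructed-sample-password';
$legacyAlice = md5($password);
$legacyBob   = md5($password);

echo "unsalted MD5 values identical: ";
var_dump($legacyAlice === $legacyBob);

list($okAlice, $newAlice) = verify_and_upgrade($password, $legacyAlice);
list($okBob, $newBob)     = verify_and_upgrade($password, $legacyBob);

echo "salted hashes identical: ";
var_dump($newAlice === $newBob);

echo "upgraded hash accepts the right password: ";
var_dump(verify_and_upgrade($password, $newAlice)[0]);
echo "upgraded hash accepts a wrong password: ";
var_dump(verify_and_upgrade('wrong-guess', $newAlice)[0]);
```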

phpmady (Author)
Posted September 20, 2010

Hi,

Can I use this function

    function sanitize_int($integer, $min='', $max='') {
        $int = intval($integer);
        if((($min != '') && ($int < $min)) || (($max != '') && ($int > $max)))
            return FALSE;
        return $int;
    }

instead of

    (isset($_GET['Trainer_ID']) && is_numeric($_GET['Trainer_ID']))

> You're not sanitizing your user input correctly. The hacker is using an attack known as SQL Injection to grab the passwords from your databases. If Trainer_ID is only supposed to contain a number you should check this before you use it. I'd do something like this to make sure Trainer_ID is actually a number:
>
>     if(isset($_GET['Trainer_ID']) && is_numeric($_GET['Trainer_ID']))
>         $Trainer_ID = $_GET['Trainer_ID'];
>
> Here we're checking to make sure the variable exists. Then we validate it to make sure it contains the data we're expecting, in this case a number.
>
> If you do not sanitize your user input then you will be prone to these kinds of attacks. Have a read of this four part article for tips on writing secure PHP code.

Username:
Posted September 20, 2010

Grammar is a fun thing.