
md5 encryption


Jay2391


I am trying to input a simple user and password, but when I go to my SQL I can see the name of the password...

Someone told me about md5 but I do not know how to use it... Check my code; it is not all there, but at least the part that needs noticing is.

[code]
$self = $_SERVER['PHP_SELF'];
$loginName = $_POST['loginName'];
$password = $_POST['password'];

if((!$loginName) and (!$password)){
    $form  ="Submit user";
    $form.="<form action=\"$self\"";
    $form.=" method=\"post\">Login Name:";
    $form.="<input type=\"text\" name=\"loginName\"";
    $form.=" value=\"$loginName\"><br>Password:";
    $form.="<input type=\"text\" name=\"password\"";
    $form.=" value=\"$password\"><br>";
    $form.="<input type=\"submit\" value=\"Submit\">";
    $form.="</form>";
    echo ( $form );
}
[/code]
Link to comment
Share on other sites

Just as a subnote... this is about 2-3x faster

Edited:
[code]
$password = bin2hex(md5($_POST['password']));
[/code]

Basically the md5 encryption "scrambles" the string, so you'd also need to md5() the passwords in the database... Other than that... I'd need a little more code to see why you're getting a white page...
Link to comment
Share on other sites

So all the md5() part is doing is taking your original 'word' used as a password, and changing it into a whole load of random letters and numbers. For example if you type

[code]echo md5('password'); [/code]

your browser will print 5f4dcc3b5aa765d61d8327deb882cf99. This is the 'md5 version' of the word password. The idea basically being that you're not going to remember or recognise a random string of numbers and letters that long. Therefore no one is going to know that 5f4dcc3b5aa765d61d8327deb882cf99 means password. The other important thing is that there is no way to reverse the process. There is no way of typing in that random string and getting the word password back.

So the important thing is how you can use it. For example, when a user registers on your site they type the password they want into a text field. Then your script will take this word and convert it into an md5 string: [code]md5($_POST['password'])[/code]
It is then this string, not the password, that is stored in the database, meaning no one can just read the password off.

Next, when the user tries to log in, you again take the plain word they type, convert it into an md5 string, and check this string against the one in the database, in exactly the same way you were with the straight text.

Don't forget, however, that you will have to convert all your old passwords to an md5 string.

Hope this makes sense. Let us know how it goes.
Link to comment
Share on other sites
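
The register-then-compare flow from the post above, as an added example that is not part of the original thread. It swaps bare md5() for PHP's password_hash() and password_verify(), which salt every hash automatically, and it upgrades rows still holding an old MD5 value at the next successful login. The in-memory $users array and the function names are assumptions standing in for the real users table; PHP 7.1 or later is assumed.

```php
<?php
// Added example: an in-memory array stands in for the users table (hypothetical).
$users = [
    // Constructed legacy row: unsalted md5('Hello'), as the old scheme stored it.
    'jay' => md5('Hello'),
];

// Registration: store a salted, deliberately slow hash. password_hash() creates
// the salt itself and embeds it, with algorithm and cost, in the returned string.
function register_user(array &$users, string $login, string $password): void
{
    $users[$login] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: verify, and upgrade rows that still hold a bare MD5 hex digest.
function check_login(array &$users, string $login, string $password): bool
{
    if (!isset($users[$login])) {
        return false;
    }
    $stored = $users[$login];

    // Legacy row: exactly 32 lowercase hex characters means an old md5() value.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // The correct password is in hand, so the row can be re-hashed now.
        $users[$login] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when the default algorithm or cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$login] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

register_user($users, 'alice', 'correct horse battery staple');
var_dump(check_login($users, 'alice', 'correct horse battery staple')); // new-style row
var_dump(check_login($users, 'jay', 'Hello'));  // legacy row, upgraded on success
var_dump(check_login($users, 'jay', 'hello'));  // wrong password
echo strlen($users['jay']), "\n";               // stored value no longer fits CHAR(32)
```

The PHP manual recommends a 255-character column for password_hash() output, because the length can grow when the default algorithm changes.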

[quote author=mgallforever link=topic=117461.msg479382#msg479382 date=1165362586]
You also want to make sure your password field in your database is at least 32 characters (varchar(255))
[/quote]

You mean make it CHAR(32). Making it a VARCHAR(255) is pointless. Even VARCHAR(32) would be better, from a theoretical standpoint, even though it would use up as much space as VARCHAR(255).
Link to comment
Share on other sites

I get all that but what I get is different ....

I have my field set up as a varchar (100) and my password is just the word Hello...

When I put this in

$password = md5($_POST['password']);

my page stops working. When I take the md5 out it works, but it is not a password field.
Link to comment
Share on other sites

[quote author=redarrow link=topic=117461.msg479470#msg479470 date=1165372948]
A bit of advice: md5 can be brute forced, and I say it's always good to use salt as well. Good luck.
[/quote]

MD5 cannot be decrypted through brute force. It is a one way "hashing" and cannot be decrypted. Since an MD5 hash is a 32 character code, there are only a finite number of possible hashes, but you can hash an infinite number of values. In fact, for every MD5 hash there is an infinite number of values that could have generated that hash. Those matches are called collisions.

However, there are dictionary lookup tables for MD5. This is a table that has hundreds or thousands of common words and phrases with their associated MD5 value. That is why using a "strong" password is important. And MD5 could be cracked through brute force by trying password after password in the login, but that is true of ANY sort of encryption or hashing.
Link to comment
Share on other sites
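
The dictionary lookup table and the salt mentioned in the two posts above, as an added example that is not part of the original thread: an audit helper flags stored unsalted MD5 values that appear in a precomputed table, then the same passwords are hashed with a random per-user salt and checked again. The word list, user rows and function names are constructed for illustration; PHP 7 or later is assumed for random_bytes(). A salt defeats the precomputed table but does not slow down guessing against a single hash.

```php
<?php
// Constructed word list standing in for a published table of common passwords.
$commonWords = ['123456', 'password', 'letmein', 'Hello', 'qwerty'];

// Precompute md5 => word once; the same table applies to every unsalted database.
function build_lookup(array $words): array
{
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Audit helper: which stored hashes can be read straight out of the table?
function find_weak(array $storedHashes, array $table): array
{
    $hits = [];
    foreach ($storedHashes as $login => $hash) {
        if (isset($table[$hash])) {
            $hits[$login] = $table[$hash];
        }
    }
    return $hits;
}

$table = build_lookup($commonWords);

// Constructed rows, unsalted: equal passwords produce equal hashes.
$unsalted = [
    'user1' => '5f4dcc3b5aa765d61d8327deb882cf99', // value quoted in the thread
    'user2' => md5('password'),
    'user3' => md5('Hello'),
];
print_r(find_weak($unsalted, $table));

// The same passwords with a random per-user salt prepended before hashing.
$salted = [];
$plain = ['user1' => 'password', 'user2' => 'password', 'user3' => 'Hello'];
foreach ($plain as $login => $pw) {
    $salt = bin2hex(random_bytes(16));  // would be stored beside the hash
    $salted[$login] = md5($salt . $pw);
}
print_r(find_weak($salted, $table));
var_dump($salted['user1'] === $salted['user2']); // equal passwords, different rows
```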

This is the code... When I add the md5 to the password variable, I get a blank page with no errors. When I take it off, I get a user name and password box and it adds the records, but I can see the password.

So the issue is not that I put it in and it doesn't come as a password; it is that I get a blank page with no options.



[attachment deleted by admin]
Link to comment
Share on other sites

Your query is most likely failing, since your code would only output content to the page if $result is valid. Try adding some debugging. Change your query call to this:

[code]
$result = mysql_query($sql, $tc) OR die ("The query:<br>".$sql."Caused the following error:<br>".mysql_error());
[/code]
Link to comment
Share on other sites

you need to set up an auto-incrementing primary (unique) key for the users table.

taith, just out of interest, why is this faster:

[quote author=taith link=topic=117461.msg479204#msg479204 date=1165343751]
just  as a subnote... this is about 2-3x faster

Edited:
[code]
$password = bin2hex(md5($_POST['password']));
[/code]
[/quote]
than the previously suggested $password = md5($_POST['password'])?
Link to comment
Share on other sites

[quote author=redbullmarky link=topic=117461.msg480639#msg480639 date=1165514816]
you need to set up an auto-incrementing primary (unique) key for the users table.

taith, just out of interest, why is this faster:

[quote author=taith link=topic=117461.msg479204#msg479204 date=1165343751]
just  as a subnote... this is about 2-3x faster

Edited:
[code]
$password = bin2hex(md5($_POST['password']));
[/code]
[/quote]
than the previously suggested $password = md5($_POST['password']) ?
[/quote]
I was interested by that comment as well and did a test. My results found that using [b]$password = bin2hex(md5($_POST['password']));[/b] was approximately 50% [i]slower[/i] than using [b]$password = md5($_POST['password']);[/b]

Test setup:
[code]<?php
$_POST['password'] = "this is a password";

// microtime(true) returns a float; the default "msec sec" string
// cannot be subtracted reliably
$time1 = microtime(true);
for ($i=0; $i<100000; $i++) {
    $password = md5($_POST['password']);
}
$time2 = microtime(true);

$time3 = microtime(true);
for ($i=0; $i<100000; $i++) {
    $password = bin2hex(md5($_POST['password']));
}
$time4 = microtime(true);

echo "MD5 encryption = " . ($time2-$time1);
echo "<br>BinHex w/MD5 encryption = " . ($time4-$time3);
?>[/code]

Results:
MD5 encryption = -0.429113
BinHex w/MD5 encryption = 0.692464
Link to comment
Share on other sites

I was questioning the bin2hex thing as well - so I set up a quick test to run 1000 loops -

bin2hex wins, but the exact syntax is bin2hex(md5('word',true))

Here is the link

http://corelevelrea.com/test/isset.php?word=something

you can put in anything in query string for word and it will encode that.

3 times faster seems to be the case to me.

[code]
<?php
// Word to hash: taken from the query string when given, otherwise a default
$usethis = 'apple';
if (!empty($_GET['word'])) {
    $usethis = $_GET['word'];
}
// Escape request data before echoing it back into the page
$shown = htmlspecialchars($usethis);

echo "1000 loops used<br>";

// Variant 1: raw binary digest converted to hex
$starttime = microtime(true);
for ($i = 0; $i < 1000; $i++) {
    $hash = bin2hex(md5($usethis, true));
}
echo $hash . "<br>";
$totaltime = microtime(true) - $starttime;
echo 'bin2hex( md5(\'' . $shown . '\', true) ) - ' . $totaltime . ' seconds.<br>';

echo "<br>";

// Variant 2: md5() returning the hex digest directly
$starttime = microtime(true);
for ($i = 0; $i < 1000; $i++) {
    $hash = md5($usethis);
}
echo $hash . "<br>";
$totaltime = microtime(true) - $starttime;
echo 'md5(\'' . $shown . '\') - ' . $totaltime . ' seconds.<br>';
?>
[/code]
Link to comment
Share on other sites

I appreciate all the help. My error is on the field where the post takes place; it gives a value ....
Like you see below, I couldn't figure out what I did wrong, but I created a table and made that my input field...
Thanks!!!
::)

If you know a better way to make these two post fields, I will appreciate your input!!!



[code]
if((!$loginName) and (!$password)){
    $form  ="Submit user";
    $form.="<form action=\"$self\"";
    $form.=" method=\"post\">Login Name:";
    $form.="<input type=\"text\" name=\"loginName\"";
    $form.=" value=\"$loginName\">
Password:";
    $form.="<input type=\"text\" name=\"password\"";
    $form.=" value=\"$password\">
";
    $form.="<input type=\"submit\" value=\"Submit\">";
    $form.="</form>";
    echo ( $form );
}
[/code]
Link to comment
Share on other sites

[quote author=drifter link=topic=117461.msg480673#msg480673 date=1165519551]
I was questioning the bin2hex thing as well - so I set up a quick test to run 1000 loops -

bin2hex wins, but the exact syntax is bin2hex(md5('word',true))

Here is the link

http://corelevelrea.com/test/isset.php?word=something

you can put in anything in query string for word and it will encode that.

3 times faster seems to be the case to me.

[/quote]

Because you have two different variables in that code, the results don't tell you much. If you used the TRUE operator on the MD5 only encryption, it will run faster than the bin2hex & MD5. When conducting such tests you should only vary one variable.
Link to comment
Share on other sites

OK, I changed my code to see the extra test you mention. And you are right: without the bin2hex it is just as fast when including true. The only thing is that the output is different.

md5($something)==bin2hex(md5($something,true))
md5($something)!=md5($something,true)

bin2hex(md5($something,true)) is 3-5 times faster than md5($something)

Link to comment
Share on other sites
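
The four expressions compared across this thread, as an added example that is not part of the original posts: each one is run over the same input with the same loop count, and the script prints the output length and whether the result equals md5($x). md5($x, true) returns 16 raw bytes, bin2hex() of that is the usual 32-character digest, and bin2hex(md5($x)) hex-encodes the hex text itself into a 64-character value that would not fit a CHAR(32) column. PHP 7.3 or later is assumed for hrtime(); the loop count is arbitrary and timings vary by machine.

```php
<?php
$input = 'this is a password'; // same sample string as the test earlier in the thread

// One closure per expression, so only the hashing expression varies between runs.
$variants = [
    'md5($x)'                => function ($x) { return md5($x); },
    'md5($x, true)'          => function ($x) { return md5($x, true); },
    'bin2hex(md5($x, true))' => function ($x) { return bin2hex(md5($x, true)); },
    'bin2hex(md5($x))'       => function ($x) { return bin2hex(md5($x)); },
];

foreach ($variants as $label => $fn) {
    $out = $fn($input);

    // Time every variant with the same loop count and a monotonic clock.
    $start = hrtime(true);
    for ($i = 0; $i < 100000; $i++) {
        $fn($input);
    }
    $ms = (hrtime(true) - $start) / 1e6;

    printf(
        "%-24s length=%2d  same as md5(\$x)=%s  %.1f ms\n",
        $label,
        strlen($out),
        var_export($out === md5($input), true),
        $ms
    );
}
```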

Wow, you are absolutely right. That makes no sense to me that you could get the same results from running the two operations AND having a faster response time. I could probably research it, but considering each operation takes around a millisecond I think I'll just accept it.
Link to comment
Share on other sites
