Jay2391 Posted December 5, 2006

I am trying to input a simple user and password, but when I go to my SQL I can see the name of the password... Someone told me about md5 but I do not know how to use it... Check my code; it is not all there, but at least the part that needs noticing:

[code]
$self = $_SERVER['PHP_SELF'];
$loginName = $_POST['loginName'];
$password = $_POST['password'];
if((!$loginName) and (!$password)){
    $form ="Submit user";
    $form.="<form action=\"$self\"";
    $form.=" method=\"post\">Login Name:";
    $form.="<input type=\"text\" name=\"loginName\"";
    $form.=" value=\"$loginName\"><br>Password:";
    $form.="<input type=\"text\" name=\"password\"";
    $form.=" value=\"$password\"><br>";
    $form.="<input type=\"submit\" value=\"Submit\">";
    $form.="</form>";
    echo ( $form );
}
[/code]

taith Posted December 5, 2006

[code]$password = md5($_POST['password']);[/code]

taith Posted December 5, 2006

just as a subnote... this is about 2-3x faster

Edited:
[code]$password = bin2hex(md5($_POST['password']));[/code]

basically the md5 encryption "scrambles" the string, so you'd also need to md5() the passwords in the database... other than that... I'd need a little more code to see why you're getting a white page...

Jay2391 Posted December 5, 2006

When I do that it stops working altogether... I get a blank page, no errors...

Jay2391 Posted December 5, 2006

I do not understand this...

[code]echo bin2hex(md5($str, TRUE));[/code]

???

Jay2391 Posted December 5, 2006

Any ideas??? Of why that happened???

the_oliver Posted December 5, 2006

So all the md5() part is doing is taking your original 'word' used as a password, and changing it into a whole load of random letters and numbers. For example if you type

[code]echo md5('password');[/code]

your browser will print 5f4dcc3b5aa765d61d8327deb882cf99. This is the 'md5 version' of the word password. The idea basically being that you're not going to remember or recognise a random string of numbers and letters that long. Therefore no one is going to know that 5f4dcc3b5aa765d61d8327deb882cf99 means password. The other important thing is that there is no way to reverse the process. There is no way of typing in that random string and getting the word password back.

So the important thing is how you can use it. For example, when a user registers on your site they type the password they want into a text field. Then your script will take this word and convert it into an md5 string:

[code]md5($_POST['password'])[/code]

It is then this string, not the password, that is stored in the database, meaning no one can just read the password off.

Next, when the user tries to log in, you again take the plain word they type, convert it into an md5 string, and check this string against the one in the database, in exactly the same way you were with the straight text.

Don't forget however that you will have to convert all your old passwords to an md5 string. Hope this makes sense. Let us know how it goes.

marcus Posted December 5, 2006

You also want to make sure your password field in your database is at least 32 characters (varchar(255))

Who Posted December 6, 2006

[quote author=mgallforever link=topic=117461.msg479382#msg479382 date=1165362586]
You also want to make sure your password field in your database is at least 32 characters (varchar(255))
[/quote]

You mean make it CHAR(32). Making it a VARCHAR(255) is pointless. Even VARCHAR(32) would be better, from a theoretical standpoint, even though it would use up as much space as VARCHAR(255).

marcus Posted December 6, 2006

Yeah, I'm just pointing out the max for varchar is 255 characters

redarrow Posted December 6, 2006

A bit of advice: md5 can be brute forced, and I say it's always good to use a salt as well. Good luck.

Jay2391 Posted December 6, 2006

I get all that, but what I get is different... I have my field set up as a varchar (100) and my password is just the word Hello... When I put this in

[code]$password = md5($_POST['password']);[/code]

my page stops working. When I take the md5 out it works, but it is not a password field.

trq Posted December 6, 2006

Post your code. This...

[code=php:0]$password = md5($_POST['password']);[/code]

should cause no such problems.

Psycho Posted December 6, 2006

[quote author=redarrow link=topic=117461.msg479470#msg479470 date=1165372948]
a bit of advice md5 can be brute forced and i say it always good to use salt as well good luck.
[/quote]

MD5 cannot be decrypted through brute force. It is a one way "hashing" and cannot be decrypted. Since an MD5 hash is a 32 character code, there are only a finite number of possible hashes, but you can hash an infinite number of values. In fact, for every MD5 hash there is an infinite number of values that could have generated that hash. Those matches are called collisions.

However, there are dictionary lookup tables for MD5. This is a table that has hundreds or thousands of common words and phrases with their associated MD5 value. That is why using a "strong" password is important. And, MD5 could be cracked through brute force by trying password after password in the login, but that is true of ANY sort of encryption or hashing.

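What the dictionary lookup tables and the salt mentioned in the posts above mean for stored passwords, as an added example that is not part of the original thread: unsalted md5() gives every user with the same password the same stored value, so one table entry matches all of them, while PHP's password_hash() puts a random salt into each stored hash. The accounts and the word list are constructed sample data.

```php
<?php
// Added example; accounts and word list are constructed sample data.
$accounts = ['alice' => 'password', 'bob' => 'password', 'carol' => 'Hello'];

// Stand-in for a precomputed dictionary table: md5 value => word.
function build_table(array $words): array
{
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Return the users whose stored value appears in the table.
function lookup(array $stored, array $table): array
{
    $found = [];
    foreach ($stored as $user => $hash) {
        if (isset($table[$hash])) {
            $found[$user] = $table[$hash];
        }
    }
    return $found;
}

$table = build_table(['hello', 'Hello', 'password', 'letmein']);

// Unsalted md5: the stored value depends only on the password.
$plainMd5 = array_map('md5', $accounts);

// password_hash() (PHP 5.5+) generates a random salt per call and keeps it
// inside the returned string, so no separate salt column is needed.
$salted = [];
foreach ($accounts as $user => $plain) {
    $salted[$user] = password_hash($plain, PASSWORD_DEFAULT);
}

echo "md5, alice and bob share a stored value: ";
var_dump($plainMd5['alice'] === $plainMd5['bob']);
echo "md5, users found in the table: ", implode(', ', array_keys(lookup($plainMd5, $table))), "\n";

echo "salted, alice and bob share a stored value: ";
var_dump($salted['alice'] === $salted['bob']);
echo "salted, users found in the table: ", count(lookup($salted, $table)), "\n";

// Login check: password_verify() reads the salt back out of the stored hash.
echo "correct password accepted: ";
var_dump(password_verify('password', $salted['alice']));
echo "wrong password accepted: ";
var_dump(password_verify('Password', $salted['alice']));
```

The string returned by password_hash() is longer than 32 characters (60 with the bcrypt default), so it does not fit the CHAR(32) column discussed earlier in the thread; the PHP manual suggests a 255-character column.
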
Jay2391 Posted December 6, 2006

This is the code... When I add the md5 to the password variable I get a blank page, no errors... When I take it off I get a user name and password box and it adds the records, but I can see the password.

So the issue is not that I put it in and it doesn't come as a password; it is that I get a blank page with no options.

[attachment deleted by admin]

Psycho Posted December 6, 2006

Your query is most likely failing, since your code would only output content to the page if $result is valid. Try adding some debugging. Change your query call to this:

[code]$result = mysql_query($sql, $tc) OR die ("The query:<br>".$sql."Caused the following error:<br>".mysql_error());[/code]

Jay2391 Posted December 7, 2006

This is the error I got, but line 36 is the end of the PHP code??? Now I am confused.

Parse error: parse error, unexpected $end in C:\XAMPP\xampp\htdocs\MDO\MD_User.php on line 36

Jay2391 Posted December 7, 2006

I figured out the last error, I was missing a "}", but now I get this:

The query:
INSERT INTO mdo_users ( loginName, password ) VALUES ( "", "d41d8cd98f00b204e9800998ecf8427e" )Caused the following error:
Duplicate entry '' for key 1

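Why the failing query above contains `d41d8cd98f00b204e9800998ecf8427e` and an empty login name: that value is the md5 of the empty string, so hashing `$_POST['password']` before the `if((!$loginName) and (!$password))` test from the first post makes `$password` non-empty even when nothing was submitted, and the form branch is skipped. This is an added sketch, not the poster's code (the attachment is not on the page); the function names and request arrays are hypothetical, and md5() is kept only to match the thread.

```php
<?php
// Added example. handle_hash_first / handle_validate_first are hypothetical
// names; the request arrays at the bottom are constructed samples.

// Order used in the thread: hash first, then test for empty input.
function handle_hash_first(array $post): array
{
    $loginName = $post['loginName'] ?? '';
    $password  = md5($post['password'] ?? '');   // never empty: md5('') is 32 hex characters
    if (!$loginName && !$password) {
        return ['action' => 'show form'];
    }
    // Reached on the very first page load, with an empty login name.
    return ['action' => 'insert', 'loginName' => $loginName, 'password' => $password];
}

// Corrected order: test the raw input, then hash only what will be stored.
function handle_validate_first(array $post): array
{
    $loginName = trim($post['loginName'] ?? '');
    $password  = $post['password'] ?? '';
    if ($loginName === '' || $password === '') {
        return ['action' => 'show form'];       // either field missing: ask again
    }
    return ['action' => 'insert', 'loginName' => $loginName, 'password' => md5($password)];
}

// The hash from the error message is the hash of the empty string.
var_dump(md5('') === 'd41d8cd98f00b204e9800998ecf8427e');

$requests = [
    'first page load' => [],
    'form filled in'  => ['loginName' => 'jay', 'password' => 'Hello'],
];
foreach ($requests as $label => $post) {
    echo $label, "\n";
    echo '  hash first:     ', json_encode(handle_hash_first($post)), "\n";
    echo '  validate first: ', json_encode(handle_validate_first($post)), "\n";
}
```
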
redbullmarky Posted December 7, 2006

you need to set up an auto-incrementing primary (unique) key for the users table.

taith, just out of interest, why is this faster:

[quote author=taith link=topic=117461.msg479204#msg479204 date=1165343751]
just as a subnote... this is about 2-3x faster
Edited:
[code]$password = bin2hex(md5($_POST['password']));[/code]
[/quote]

than the previously suggested $password = md5($_POST['password']) ?

Psycho Posted December 7, 2006

[quote author=redbullmarky link=topic=117461.msg480639#msg480639 date=1165514816]
you need to set up an auto-incrementing primary (unique) key for the users table.

taith, just out of interest, why is this faster:

[quote author=taith link=topic=117461.msg479204#msg479204 date=1165343751]
just as a subnote... this is about 2-3x faster
Edited:
[code]$password = bin2hex(md5($_POST['password']));[/code]
[/quote]

than the previously suggested $password = md5($_POST['password']) ?
[/quote]

I was interested by that comment as well and did a test. My results found that using [b]$password = bin2hex(md5($_POST['password']));[/b] was approximately 50% [i]slower[/i] than using [b]$password = md5($_POST['password']);[/b]

Test setup:

[code]
<?php
$_POST['password'] = "this is a password";

// microtime(true) returns a float; the default "msec sec" string
// cannot be subtracted to get an elapsed time
$time1 = microtime(true);
for ($i=0; $i<100000; $i++) {
    $password = md5($_POST['password']);
}
$time2 = microtime(true);

$time3 = microtime(true);
for ($i=0; $i<100000; $i++) {
    $password = bin2hex(md5($_POST['password']));
}
$time4 = microtime(true);

echo "MD5 encryption = " . ($time2-$time1);
echo "<br>BinHex w/MD5 encryption = " . ($time4-$time3);
?>
[/code]

Results:

MD5 encryption = -0.429113
BinHex w/MD5 encryption = 0.692464

drifter Posted December 7, 2006

I was questioning the bin2hex thing as well - so I set up a quick test to run 1000 loops - bin2hex wins, but the exact syntax is bin2hex(md5('word',true))

Here is the link
http://corelevelrea.com/test/isset.php?word=something
you can put in anything in query string for word and it will encode that.

3 times faster seems to be the case to me.

[code]
<?php
$usethis = 'apple';
// Use the query-string word only when one was supplied
if (!empty($_GET['word'])) {
    $usethis = $_GET['word'];
}
// Escape the word before echoing it back into the page
$shown = htmlspecialchars($usethis, ENT_QUOTES);

echo "1000 loops used<br>";

$mtime = microtime();
$mtime = explode(' ', $mtime);
$mtime = $mtime[1] + $mtime[0];
$starttime = $mtime;

for ($i=0; $i<1000; $i++) {
    $hash = bin2hex( md5($usethis, true) );
}
echo $hash ."<br>";

$mtime = microtime();
$mtime = explode(" ", $mtime);
$mtime = $mtime[1] + $mtime[0];
$endtime = $mtime;
$totaltime = ($endtime - $starttime);
$starttime = $endtime;
echo 'bin2hex( md5(\'' . $shown . '\', true) ) - ' .$totaltime. ' seconds.<br>';

echo "<br>";

$mtime = microtime();
$mtime = explode(' ', $mtime);
$mtime = $mtime[1] + $mtime[0];
$starttime = $mtime;

for ($i=0; $i<1000; $i++) {
    $hash = md5($usethis);
}
echo $hash ."<br>";

$mtime = microtime();
$mtime = explode(" ", $mtime);
$mtime = $mtime[1] + $mtime[0];
$endtime = $mtime;
$totaltime = ($endtime - $starttime);
$starttime = $endtime;
echo 'md5(\'' . $shown . '\') - ' .$totaltime. ' seconds.<br>';
?>
[/code]

Jay2391 Posted December 7, 2006

I appreciate all the help. My error is on the field where the post takes place, it gives a value... like you see below. I couldn't figure out what I did wrong, but I created a table and made that my input field... Thanks!!! ::)

If you know a better way to make these two post fields I will appreciate your input!!!

[code]
if((!$loginName) and (!$password)){
    $form ="Submit user";
    $form.="<form action=\"$self\"";
    $form.=" method=\"post\">Login Name:";
    $form.="<input type=\"text\" name=\"loginName\"";
    $form.=" value=\"$loginName\">Password:";
    $form.="<input type=\"text\" name=\"password\"";
    $form.=" value=\"$password\">";
    $form.="<input type=\"submit\" value=\"Submit\">";
    $form.="</form>";
    echo ( $form );
}
[/code]

Psycho Posted December 7, 2006

[quote author=drifter link=topic=117461.msg480673#msg480673 date=1165519551]
I was questioning the bin2hex thing as well - so I set up a quick test to run 1000 loops - bin2hex wins, but the exact syntax is bin2hex(md5('word',true))

Here is the link
http://corelevelrea.com/test/isset.php?word=something
you can put in anything in query string for word and it will encode that.

3 times faster seems to be the case to me.

[code]
<?php
$usethis = 'apple';
// Use the query-string word only when one was supplied
if (!empty($_GET['word'])) {
    $usethis = $_GET['word'];
}
// Escape the word before echoing it back into the page
$shown = htmlspecialchars($usethis, ENT_QUOTES);

echo "1000 loops used<br>";

$mtime = microtime();
$mtime = explode(' ', $mtime);
$mtime = $mtime[1] + $mtime[0];
$starttime = $mtime;

for ($i=0; $i<1000; $i++) {
    $hash = bin2hex( md5($usethis, true) );
}
echo $hash ."<br>";

$mtime = microtime();
$mtime = explode(" ", $mtime);
$mtime = $mtime[1] + $mtime[0];
$endtime = $mtime;
$totaltime = ($endtime - $starttime);
$starttime = $endtime;
echo 'bin2hex( md5(\'' . $shown . '\', true) ) - ' .$totaltime. ' seconds.<br>';

echo "<br>";

$mtime = microtime();
$mtime = explode(' ', $mtime);
$mtime = $mtime[1] + $mtime[0];
$starttime = $mtime;

for ($i=0; $i<1000; $i++) {
    $hash = md5($usethis);
}
echo $hash ."<br>";

$mtime = microtime();
$mtime = explode(" ", $mtime);
$mtime = $mtime[1] + $mtime[0];
$endtime = $mtime;
$totaltime = ($endtime - $starttime);
$starttime = $endtime;
echo 'md5(\'' . $shown . '\') - ' .$totaltime. ' seconds.<br>';
?>
[/code]
[/quote]

Because you have two different variables in that code, the results don't tell you much. If you used the TRUE operator on the MD5 only encryption, it will run faster than the bin2hex & MD5. When conducting such tests you should only vary one variable.

drifter Posted December 7, 2006

OK, I changed my code to see the extra test you mention. And you are right, without the bin2hex it is just as fast when including true. Only thing is that the output is different.

md5($something)==bin2hex(md5($something,true))
md5($something)!=md5($something,true)

bin2hex(md5($something,true)) is 3-5 times faster than md5($something)

Psycho Posted December 7, 2006

Wow, you are absolutely right. That makes no sense to me that you could get the same results from running the two operations AND having a faster response time. I could probably research it, but considering each operation takes around a millisecond I think I'll just accept it.