Jump to content

Recommended Posts

 I have change my forum from and old version to a new version , old version used MD5 and new version uses MD5 and Salt as there secure password
 my members run a app that looks at there username and password from forum database and lets them record online lap times from a game.
 I cant get the app to see the password anymore the app looks at this peace of php code. Please can you help me.
 
 
 
 
 
 
 
                                THIS WORKED ON OLD FORUM WITH JUST MD5
 
 $mysqlcon = mysql_connect('localhost', 'user', 'password') or die('Could not connect: ' . mysql_error());
      
    mysql_select_db('database') or die('Could not select database');
    
    $passhash = md5($passwd );
     
    $authresult = mysql_query("SELECT username,password from forum_users WHERE username='$username' AND password='$passhash' ")
                                    or die('mysql error: ' . mysql_error() );
                          
                                
                                  
                                    
   -------------------------------------------------------------------------------------------------------------------
                          And this works on a temperary db with no MD5 or salt
                                    
                                     
     $authresult = mysql_query("SELECT username,password FROM forum_users  WHERE username='$username' AND password='$passwd' ")
         or die('mysql error: ' . mysql_error() );                                
                                     
                                     
                                     
    -------------------------------------------------------------------------------------------------------------                                 
                        THIS DOES NOT WORK ON NEW FORUM WITH MD5 and SALT             
                                     
  $mysqlcon = mysql_connect('localhost', 'user', 'password') or die('Could not connect: ' . mysql_error());
    
    mysql_select_db('database') or die('Could not select database');
    
       //I tryed this  $passhash == md5($salt['passwd'])
    // I tryed this  $passhash = md5($salt['passwd'])
    // I tryed this  $passhash == md5($passwd . salt );
    // I tryed this  $passhash = md5($passwd . salt );
     
    $authresult = mysql_query("SELECT username,password from forum_users WHERE username='$username' AND password='$passhash' ")
                                     or die('mysql error: ' . mysql_error() );  
      

 

Its been years sence my last codeings so i am a real newb again

Link to comment
https://forums.phpfreaks.com/topic/300638-md5-salt-problem/
Share on other sites

Your old saved md5 passwords in the database never had a salt, so adding a salt to new login will never be able to match.

 

You need to email all users a temp link or password to log in with and have them set a new password that now includes the salt

 

mysql_* functions are deprecated and should look into using mysqli_* or pdo

md5 is not safe to use because attackers can use rainbow tables and possible to discover it, use password_hash and password_verify instead

Link to comment
https://forums.phpfreaks.com/topic/300638-md5-salt-problem/#findComment-1530294
Share on other sites

I'm afraid you haven't just missed a few years. Your code is ~15 years out of date.

 

MD5 may have been acceptable in the 90s when PCs were relatively slow. Now it's 2016. A single stock PC can easily calculate billions(!) of MD5 hashes per second, which means you might as well store the passwords as plaintext. An attacker doesn't even care about your salts. The only way to keep your passwords relatively secure today is a specialized password hash algorithm like bcrypt.

 

The rest of your code doesn't really look any better:

  • The mysql_* functions are obsolete since more than a decade and have been removed from PHP. Nowadays, we use PDO.
  • You don't seem to escape your query input anywhere, which is a gigantic security risk. Nowadays, we use prepared statements.
  • The whole error handling is broken beyond repair. For some reason you think it's a good idea to display all internal error message to the user, making it easy for an attacker to gain information about your system.

Frankly, I doubt that your code can be fixed. Removing all the atrocities in this small snippet alone takes longer than starting from scratch. Mabe you should just write it off as a sin of your youth, learn how to program in the 21st century and start over.

Link to comment
https://forums.phpfreaks.com/topic/300638-md5-salt-problem/#findComment-1530295
Share on other sites

Your old saved md5 passwords in the database never had a salt, so adding a salt to new login will never be able to match.

 

You need to email all users a temp link or password to log in with and have them set a new password that now includes the salt

 

mysql_* functions are deprecated and should look into using mysqli_* or pdo

md5 is not safe to use because attackers can use rainbow tables and possible to discover it, use password_hash and password_verify instead

Old forum was e107 using MD5 new forum is mybb and I think it is MD5 With Salt and all members have re register there , I do have a temp login for them at this time but the password is in plaintext

that is why im trying to get the new forum login username password to work with the app they use to record online game times.

I will look Into pdo but first I would like to get old code to work , then il change it to be more secure.

Link to comment
https://forums.phpfreaks.com/topic/300638-md5-salt-problem/#findComment-1530304
Share on other sites

Yay. Here's your next batch of MD5 hashes, haveibeenpwned.com. What would the criminals do without PHP developers?

Im sorry if you think im trying to get my members pass words . I already can see them in my temp login

all Im trying to do is make my code work for my members securty

you can delete this this post if you are uncomfortable with it.

Link to comment
https://forums.phpfreaks.com/topic/300638-md5-salt-problem/#findComment-1530324
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.