
md5 ruining my form?!


Edward


 

Hi,

 

I'm trying to increase the security of my form by adding a random token as recommended on many sites, however when I create a variable using md5 it ruins my page and nothing after this is displayed. Here's my code so far:

 

function form() {

$token = md5(uniqid());
?>
<p><img src="images/folder_blue_level0_open.gif" width="40" height="40" alt="" border="0" align="absmiddle" />Add a Folder</p>
<p>Note: You cannot create folders deeper than 3 levels.</p>
<form action="<?php echo $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']; ?>" method="post">
<p>Folder Name: <input type="text" name="name" value="<?php echo $_POST['name']; ?>" size="20" maxlength="100"><br />
Description: <input type="text" name="description" value="<?php echo $_POST['description']; ?>" size="20" maxlength="100"><br />
// Rest of form...

 

The page loads because the title is shown, but the page is blank. Without the md5 line everything works ok. Can anyone tell me why?

Link to comment
Share on other sites

There is probably something wrong with the code and it is outputting some kind of error and it is messing the HTML.

 

You should try to actually see the generated source code to have a better idea, but I guess the problem lies in using uniqid() without prefix, as this works only with PHP >= 5.

 

http://www.php.net/uniqid

Link to comment
Share on other sites

MD5 can be hacked easily. Hackerz made huge databases of all possible variations. You should use several encryptions together. Although this is off-topic, I would like to remind you of that.

 

Full-Demon

He's using it for tokens.

Link to comment
Share on other sites

Use this function to Hash it

<?php
function hash_it($str)
{
	return base64_encode(bin2hex(mhash(MHASH_SHA1, $str)));
}
echo hash_it("String");
?>

You can also use MHASH_SHA512 here

Actually I am just copy pasting the function from UMS Class

Link to comment
Share on other sites

neel_basu - The problem there is they would have to insert a string. Maybe you could use microtime to create an ID?

Are you talking about mCrypt ?? When you are using SHA algo. Why do you need that microtime ?? I didn't understand.
Link to comment
Share on other sites

I have played with this. The way I sorted it out was to use a session variable and the unix date stamp as this is unique to the second, merging this with ID's etc. works for me.

 

this is what I used, but this is only part of it.

function codec()
{
    $stamp1 = time();
    $stamp2 = strtotime("1 January 2006");
    $stamp3 = $stamp1 - $stamp2 + 100000000;
    $stamp3 = substr($stamp3 , -6);
    return $stamp3;
}

 

 

$key = codec();
$_SESSION['Core'] = $key;
$_SESSION['Base'] = $key . $ID;

 

Admittedly Sessions do time out but that's not a problem.

 

Desmond.

 

Link to comment
Share on other sites

I'm using PHP 5.1.6 on my local server. I need to create a secure token for a log in, and as soon as I set a session variable, the code breaks. I've stripped it down to try and find the problem but I can't see anything wrong?

 

<doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<meta http-equiv=content-type content="text/html;  charset=iso-8859-1" />
<meta name="keywords" content="KEYWORDS" />
<meta name="description" content="CONTENT" />
<title>FTP</title>
<link href="css/global.css" rel="stylesheet" type="text/css" />
<link rel="Shortcut Icon" href="favicon.ico" />
</head>
<body bgcolor="#FFFFFF" marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">
<?php
session_start();
$token = md5(uniqid(rand(), TRUE)); // creates a random string of lowercase letters and numbers, 32 characters long - PHP5 or above!
$_SESSION['token'] = $token;
//$_SESSION['token_time'] = time();
?>
</body>
</html>

 

I'm seeing:

Parse error: syntax error, unexpected T_STRING in /home/beat0001/public_html/test.php on line 14

 

Link to comment
Share on other sites

This modification of your code works fine:

<?php
session_start();
$token = md5(uniqid(rand(), TRUE)); // creates a random string of lowercase letters and numbers, 32 characters long - PHP5 or above!
$_SESSION['token'] = $token;
$_SESSION['token_time'] = time();
?>
<!DOCTYPE html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<html>
<head>
<meta http-equiv=content-type content="text/html;  charset=iso-8859-1" />
<meta name="keywords" content="KEYWORDS" />
<meta name="description" content="CONTENT" />
<title>FTP</title>
<style type="text/css">
body, html {
background-color: #ffffff;
margin: 0;
}
</style>
</head>
<body>
This is a test
<?php
echo '<pre>' . print_r($_SESSION,true) . '</pre>';
?>
</body>
</html>

 

Notice, I moved the "session_start()" to the very beginning of the script.

 

Ken

Link to comment
Share on other sites
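The form-token pattern this thread is working toward, as an added example that is not code from any poster: the token comes from PHP's CSPRNG rather than md5(uniqid(rand(), TRUE)), is compared in constant time, expires, and is single use. The function names and the 15-minute lifetime are assumptions; the `token` and `token_time` session keys follow the posts above. Requires PHP 7.1 or later.

```php
<?php
// Added example; issue_form_token() and verify_form_token() are hypothetical names.
const TOKEN_MAX_AGE = 900; // seconds; assumed lifetime, tune per form

// Store a fresh 256-bit token in the session array and return it for the form.
function issue_form_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(32)); // CSPRNG, not uniqid()/rand()
    $session['token_time'] = time();
    return $session['token'];
}

// True only if the submitted value matches the stored token and is not stale.
function verify_form_token(array &$session, $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    $stored = $session['token'] ?? null;
    $issued = $session['token_time'] ?? 0;
    unset($session['token'], $session['token_time']); // single use, even on failure
    if (!is_string($stored) || !is_string($submitted)) {
        return false; // no token issued, or the field was missing / an array
    }
    if ($now - $issued > TOKEN_MAX_AGE) {
        return false; // form was left open too long
    }
    return hash_equals($stored, $submitted); // constant-time comparison
}

// Constructed demo: a plain array stands in for $_SESSION so this runs from the CLI.
// In a page, call session_start() before any output and pass $_SESSION instead.
$session = [];
$token = issue_form_token($session);
echo '<input type="hidden" name="token" value="',
     htmlspecialchars($token, ENT_QUOTES), '">', "\n";

var_dump(verify_form_token($session, $token)); // first submission
var_dump(verify_form_token($session, $token)); // replay of the same token

$token = issue_form_token($session);
var_dump(verify_form_token($session, $token, time() + TOKEN_MAX_AGE + 1)); // stale form
```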

MD5 can be hacked easily. Hackerz made huge databases of all possible variations. You should use several encryptions together. Although this is off-topic, I would like to remind you of that.

 

Full-Demon

 

You don't seem to understand the difference between a hash and an encryption method. There was never any "mystery" concerning the possible variations - there are a finite number of possible MD5 hashes. Those databases of MD5 values are not reliable because there is no 1 to 1 correlation between a value and an MD5 hash.

 

If it is so easy to hack, please tell me what value I used to generate this MD5 hash: af338e4dd743d8897eea5420f20c46c0

Link to comment
Share on other sites

MD5 is NOT encryption, therefore it cannot be "decrypted". There is no 1 to 1 correlation between a value and its MD5 hash. Encryption and Hashes are two entirely different things. Anyone can create a database of values and their respective Hash values for any schema. That is why 1) developers should use a salt when creating their hashes and 2) users should use "strong" passwords.

 

Again, I challenge anyone to tell me the value I used to create the hash above.

Link to comment
Share on other sites

This is my password : thisismypassword

 

This is the md5 hash for my password : 31435008693ce6976f45dedc5532e2c1

 

This is my password and my salt : thisismypassword!&%$123!

 

This is my md5 hash with my salt: 3786059017b50b6752e204025a5bc8ce

 

Your salt is added to help mix it up. Unless someone knows your salt then having your password is meaningless. So, where does my salt come from? Easy, I make it up, keeping it random and as obscure as possible.

 

As a side note, I prefer to use a pass phrase as opposed to a pass word. This again adds to the complexity. Even if you have a db with every word in the dictionary and its corresponding md5 hash, so what. If I am using a phrase and my salt it still it still be enough to buy you a cup of coffee.

 

Nothing is 100%, but this makes it just that much more difficult.

Link to comment
Share on other sites
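An added example, not code from any poster, showing how records stored with the fixed-salt md5 scheme described above can be moved to PHP's password_hash(), which generates a random salt per password and is deliberately slow. The record layout (`algo`, `hash`) and function names are assumptions; the sample password and salt are the ones quoted in the post. Requires PHP 7 or later.

```php
<?php
// Added example; legacy_hash() and verify_and_upgrade() are hypothetical names.

// Legacy scheme as described in the post: md5 over the password followed by one fixed salt.
function legacy_hash(string $password, string $salt): string
{
    return md5($password . $salt);
}

// Check a login against a stored record and upgrade the record when needed.
// $user is ['algo' => 'md5-salt' | 'password_hash', 'hash' => string] (assumed layout).
function verify_and_upgrade(array &$user, string $password, string $legacySalt): bool
{
    if ($user['algo'] === 'md5-salt') {
        if (!hash_equals($user['hash'], legacy_hash($password, $legacySalt))) {
            return false;
        }
        // Correct password: replace the fast hash with a slow one that
        // embeds its own random salt and cost parameters.
        $user = [
            'algo' => 'password_hash',
            'hash' => password_hash($password, PASSWORD_DEFAULT),
        ];
        return true;
    }
    if (!password_verify($password, $user['hash'])) {
        return false;
    }
    // Re-hash transparently when PHP's default algorithm or cost changes.
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample record built from the password and salt quoted in the post.
$salt = '!&%$123!';
$user = ['algo' => 'md5-salt', 'hash' => legacy_hash('thisismypassword', $salt)];

var_dump(verify_and_upgrade($user, 'wrong guess', $salt));      // failed login, record untouched
var_dump(verify_and_upgrade($user, 'thisismypassword', $salt)); // good login, record upgraded
echo $user['algo'], ' ', $user['hash'], "\n";                   // new hash differs on every run
var_dump(verify_and_upgrade($user, 'thisismypassword', $salt)); // later login via password_verify()
```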

The only known "hack" for md5 is to find a collision for a given hash.  This means that rather than trying a reverse lookup for a hash, to find another phrase that generates the same hash.

 

Which is grand and all...apparently some people have found a way to do it in less than 60 seconds (http://cryptography.hyperlink.cz/MD5_collisions.html), however, none of that matters if they don't know what the hash is to begin with.  So, in order for someone to gain access to the password protected content, they would have to gain access to the database, retrieve that user's password hash, find a collision, then use it to gain access...which begs the question, why go to the trouble of finding the collision if they have access to the database anyway?

 

More information can be found here:

http://en.wikipedia.org/wiki/MD5

http://www.unixwiz.net/techtips/iguide-crypto-hashes.html

http://www.cryptography.com/cnews/hash.html

Link to comment
Share on other sites

No, it's weak according to logic of maths and probability and statistics.

Look, there is a finite and limited number of md5 hashes. Let the number be n. So if there are n+1 visitors in your system their hashes will be equal although their passwords are different. So one can access another's account with a different password.

Link to comment
Share on other sites

Well, let's do some simple math here...md5 is a 128 bit hash.  This means that there are 2^128 possible hashes...which I think comes to something like 3.4028 * 10^38 possible hashes.  So, unless there are something along the lines of many billion billion billion users to a website, it's not going to happen.

 

To put it another way, you, your parents, your grandparents, your dog, his parents, and his grandparents all have a better chance of winning every lottery in the world, at the exact same time, than finding a collision "by chance".

Link to comment
Share on other sites

Yep, anything is possible...in fact I just won the lottery, was struck by lightning, and hit by a meteorite...all at the very same instant...and it's half price snow cone day in hell...and the devil is giving free sleigh rides...and the ice cube safely traversed hell's fire fields.  It's all mathematically possible.

 

Good luck with that whole "hacking" md5 thing.......

Link to comment
Share on other sites

But what you told

simple math
it's NOT IMPOSSIBLE according to mathematics.

msn Uses SHA1

Yes, it is "possible", but you must consider that there is a finite number of possible passwords. A site will limit the minimum and maximum length for a password and there is only a certain number of characters that will be allowed for a password (i.e. no accented characters). That, coupled with the fact that the password hash must be associated with the username, means the odds of someone using the wrong password to access an account are so statistically improbable that it would realistically be considered impossible.

 

I'm still waiting for the string I used to create the hash above since MD5 is so easy to crack. I'll even give you the number of characters: 44. You have WAY more information than any cracker would, but I still bet you will not determine the original value.

Link to comment
Share on other sites
