jesushax Posted March 11, 2008

If there is such a term.

When editing my users I've md5'd the ID, but to show the records of the user

    where UserID='".$ID."'"

I need to get the query string back to the original ID, as it obviously won't find the md5'd version in my DB.

Cheers

trq Posted March 11, 2008

> If there is such a term.
> When editing my users I've md5'd the ID, but to show the records of the user
>     where UserID='".$ID."'"
> I need to get the query string back to the original ID, as it obviously won't find the md5'd version in my DB.
> Cheers

All you need do is use something like...

    where UserID='". md5($ID) ."'"

You cannot undo an md5.

jesushax Posted March 11, 2008

So

    $ID = $_GET(md5["ID"]);

would bring the correct ID to my scripts?

MadTechie Posted March 11, 2008

Think of MD5 as one-way: you can't undo it. It's mainly used for passwords. For example, just say

    md5("helloworld") = "ABCDE123458"

Now I can't convert ABCDE123458 back to helloworld, but I can re-create ABCDE123458 using helloworld.

Now in your example I assume you have an ID in the database, i.e. 1, 2, 3, 4 etc., and you're passing the ID via GET but hashing it first. What you can do is MD5 the field ID and then compare, i.e.

    "SELECT * from `table` where MD5(ID) = {$_GET['ID']};";

So instead of un-MD5-ing, you MD5 your existing results to match!

Make sense?

jesushax Posted March 11, 2008

This:

    $ID = $_GET["ID"];
    $UserResult = mysql_query("SELECT * FROM tblUsers WHERE md5(UserID)=".$ID." ")or die (mysql_error());

It doesn't work, I get an unknown column error. Is it right?

Cheers

MadTechie Posted March 11, 2008

Try this:

    // escape the value before it goes into the SQL string
    $ID = mysql_real_escape_string($_GET["ID"]);
    $UserResult = mysql_query("SELECT * FROM tblUsers WHERE md5(UserID)='".$ID."' ") or die(mysql_error());

You need the quotes as you're dealing with a string.

jesushax Posted March 11, 2008

Works a treat, thanks for your input.

skidz Posted March 11, 2008

You could have echo'd your query to see if everything was OK with it. It's always my first point of call when something goes wrong!

PFMaBiSmAd Posted March 11, 2008

You are going to have another problem with your query. MD5 values are not unique. There are a limited number of different md5 values and several different starting values give the same md5 value.

In a query where you are checking for something like a unique username and an md5 of a password, the unique username will find the correct record and then the comparison of the md5 of the password will tell you if they entered the correct password.

Doing a query using only the md5 value will potentially return multiple rows, so what you are currently doing is a non-unique identifier and cannot be guaranteed to always work.

MadTechie Posted March 11, 2008

Very true, MD5 does have collisions, but for a collision between two integers you'd need a massive amount of records.

But what you're saying is a very valid point.

haku Posted March 11, 2008

I'm under the impression that sha1 is better than md5. Anyone know whether that is accurate or not?

MadTechie Posted March 11, 2008

sha1 is faster and more secure..

deadonarrival Posted March 11, 2008

Sha1 has been cracked(? or close to it), md5 has various rainbow tables available and isn't too secure.

Try sha512, or if you can use AES or BlowFish (I think those are the terms anyway).

Personally I think sha512 with salting does the job.

MadTechie Posted March 11, 2008

Without getting into the long posts about what's been cracked: if I posted an MD5 with salt, can you crack it? I assume no.

Thus sha512 isn't part of PHP.

AES and BlowFish are TWO-way encryption, not great for passwords as they can be reversed.

haku Posted March 11, 2008

Sha1 has kind of been cracked, but you would need a multimillion dollar super computer to actually do that cracking.

jesushax Posted March 11, 2008

So what else can I use to keep user IDs secure, instead of md5'ing?

Cheers

dave420 Posted March 11, 2008

It would probably be quicker to include the MD5'd ID in the database, if you're going to search it via MD5. Otherwise your DB will have to hash and compare each of the IDs as it searches, which is going to be slower than just comparing strings.

Why are you hashing the user IDs?

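Added example, not part of the original thread: one way to give each user an unguessable public identifier stored in its own indexed column, as dave420 suggests, and to look it up with a bound parameter instead of building SQL from the query string. The PublicToken column, the function names and the in-memory SQLite database are assumptions; tblUsers and UserID follow the thread.

```php
<?php
// Added example, not code from the thread. Requires the pdo_sqlite extension.
// tblUsers/UserID follow the thread; PublicToken is an assumed extra column.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblUsers (
    UserID      INTEGER PRIMARY KEY,
    UserName    TEXT NOT NULL,
    PublicToken TEXT NOT NULL UNIQUE  -- UNIQUE also gives the lookup an index
)');

// Create a user with a random 128-bit token that is not derived from the ID,
// so knowing one token says nothing about any other user's token.
function add_user(PDO $pdo, string $name): string
{
    $token = bin2hex(random_bytes(16));
    $stmt = $pdo->prepare('INSERT INTO tblUsers (UserName, PublicToken) VALUES (?, ?)');
    $stmt->execute([$name, $token]);
    return $token;
}

// Look a user up by the token taken from the URL (e.g. $_GET["ID"]).
function find_user_by_token(PDO $pdo, $token): ?array
{
    // Reject anything that is not exactly 32 lowercase hex characters
    // (this also rejects arrays such as ?ID[]=...).
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT UserID, UserName FROM tblUsers WHERE PublicToken = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$aliceToken = add_user($pdo, 'alice');
add_user($pdo, 'bob');

var_dump(find_user_by_token($pdo, $aliceToken));          // token that exists
var_dump(find_user_by_token($pdo, 'not-a-valid-token'));  // malformed input
var_dump(find_user_by_token($pdo, str_repeat('0', 32)));  // well-formed, unknown
```

The token only replaces the numeric ID in the URL; the edit script still has to check that the logged-in user is allowed to edit that record.
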
discomatt Posted March 11, 2008

I don't quite understand the point of md5'ing the ID. Seems redundant to me.

deadonarrival Posted March 11, 2008

Rot13

(Note, don't actually do this. Just me being a retard)

There's no real reason to hash something using a 2-way algorithm, if you can undo it, so can someone else... entirely what you're trying to avoid.

redarrow Posted March 11, 2008

You don't need to md5 or hash the ID in the database, just base64_encode it. It's good enough for any normal user, mate...

    <?php
    $redarrow=123456;
    // encode the ID
    $res1=base64_encode($redarrow);
    echo " encoded $res1 <br>";
    // decode it back to the original ID
    $res2=base64_decode($res1);
    echo " <br> decoded $res2 <br>";
    ?>

deadonarrival Posted March 11, 2008

I wouldn't use it for a password, but to avoid plaintext storage it's okay. Hardly secure, but better than nothing.

I'd suggest salting being a good idea still. A six digit random number, for example.

deadonarrival Posted March 11, 2008

But still, I'd rather take sha512 - whether it's part of PHP or not - over md5.

I couldn't decrypt it, nor crack it - but then I'm not in the habit of finding rainbow tables etc. I did stumble upon a site that had a lot more hashes than I was expecting. Looked like google, and it had the hash for what I consider to be a very strong password.

Fair enough with salting it's more secure, but I'll still leave MD5 alone. Too many people too intent on finding every possible hash for my liking.

Just found this topic, looks good at face value. http://www.phpfreaks.com/forums/index.php/topic,186699.0.html

Sha1 and md5 are fine for now, but to be as future-proof as possible, I'd take others first.

discomatt Posted March 11, 2008

If someone really wants to, they can just as easily build a rainbow table for sha512. It will be 4x larger in size, but with TB hard drives in the $250 range, that's no longer an issue.

That's the thing about rainbow tables... the bit length really doesn't matter. Security through obscurity will be broken.

Finding the original plain text of a well salted md5 is harder than a pure-sha512 hash, assuming both rainbow tables are available (I'm no longer in the underground scene, but it really would surprise me if there was one available for sha512).

Naez Posted March 11, 2008

    <?php
    function hash_password($password) {
        $salt = "m2cCksLreG12";
        $pass = $password;
        for ($i=0; $i < 10; $i++){
            $pass = sha1(md5($pass . $salt));
        }
        return $pass;
    }

    echo hash_password("supersecret"); // a3400f8e72116cba59ab23bd1974b565a31e13b9
    ?>

discomatt Posted March 11, 2008

I'd recommend a random salt, stored with the password. A static salt can be found easily if multiple hashes become compromised.

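Added example, not part of the original thread: the static-salt function posted above next to PHP's built-in password_hash() (PHP 5.5 and later), which generates a random salt per password and stores it inside the returned string, as discomatt recommends. The user names, passwords and the check_login helper are constructed for illustration.

```php
<?php
// Added example, not code from the thread. User names and passwords are constructed.

// The static-salt scheme posted above, kept only for comparison.
function hash_password_static(string $password): string
{
    $salt = "m2cCksLreG12";
    $pass = $password;
    for ($i = 0; $i < 10; $i++) {
        $pass = sha1(md5($pass . $salt));
    }
    return $pass;
}

// Two constructed accounts that happen to pick the same password.
$passwords = ['alice' => 'supersecret', 'bob' => 'supersecret'];

$static = [];
$stored = [];
foreach ($passwords as $user => $password) {
    $static[$user] = hash_password_static($password);
    // password_hash() draws a fresh random salt on every call and embeds it,
    // together with the algorithm and cost, in the string it returns.
    $stored[$user] = password_hash($password, PASSWORD_DEFAULT);
}

// One shared salt: equal passwords show up as equal hashes.
var_dump($static['alice'] === $static['bob']);
// Per-password random salt: the stored strings differ.
var_dump($stored['alice'] === $stored['bob']);

// Hypothetical login check against the stored strings.
function check_login(array $stored, string $user, string $password): bool
{
    // password_verify() reads the salt and cost back out of the stored string
    // and is safe against timing attacks.
    return isset($stored[$user]) && password_verify($password, $stored[$user]);
}

var_dump(check_login($stored, 'alice', 'supersecret'));
var_dump(check_login($stored, 'alice', 'wrong guess'));

// After a successful login, this tells you whether to re-hash with newer settings.
var_dump(password_needs_rehash($stored['alice'], PASSWORD_DEFAULT));
```
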
This topic is now archived and is closed to further replies.