I've got an annoying problem using md5. Now I confess I'm a newbie when it comes to these sorts of things, but hopefully someone can help me out.
What I've got is this: I'm doing some work for someone, and they have been using md5 for their encrypted passwords.
Now what I've done is created a user front end so that you can add new users. But I've used md5 to create an encrypted password because they use md5 to compare the password the user has typed in.
Now this works, see code.
mysql_query("insert into tablename(ID,Email,Password) values ($DBID,'$email','".md5('$pass2')."')");
However when it comes to comparing them it doesn't.
This is the code to compare.
$strQuery = "select Password, ID from tablename where Email='{$_POST['strUsername']}'";
$resResult = mysql_query($strQuery);
$arrResult = mysql_fetch_array($resResult);
// doesn't seem to like this
if ($arrResult['Password'] == md5($_POST['strPassword']))
{
// We're in!
$_SESSION['ID'] = $arrResult['ID'];
Header("Location: update_indiv.php");
}
Now I've echoed the password from the DB and the password the user has typed, and they are completely different.
Any ideas, will be much appreciated.
Thanks
Woldie
$strQuery = "select Password, ID from tablename where Email='{$_POST['strUsername']}'";
Instead of this, just do:
$strQuery = "select ID from tablename where Email='{$_POST['strUsername']}' AND Password='{$_POST['strPassword']}'";
Then if no rows are returned, either the account doesn't exist or the password is incorrect. It's more secure to give this response than to give a response telling the user which is the case anyway. It helps prevent hackers from getting a user list through repeated queries.
Is it possible that the original system was basing the MD5 on the UPPERCASE version of the password?
By storing and comparing against the MD5 of ucase($password) you make the system case insensitive, and this is often a desirable feature in such systems.
The code above looks fine - and you say that an MD5 created by you and stored in the database is also fine, so there has to be something more fundamental going on.
Another possibility is that the system was MD5'ing against the concatenation of the password and a secret token, which would help protect against a dictionary attack.
You wouldn't believe what I did: I used single quotes in the insert query, so no matter what password I created it always came up with the same encrypted password!
mysql_query("insert into tablename(ID,Email,Password)
values ($ID,'$email','".md5($pass2)."')");
That was the crux of the problem!
Nice!
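The following is an added example, not code from this thread or its posters. It shows why md5('$pass2') stores the same digest for every user (PHP does not interpolate variables inside single quotes, so the five-byte literal "$pass2" is hashed each time), and then a login check written the way a maintainer of this table would write it today: a parameterised query instead of interpolating $_POST into SQL, a constant-time comparison for the legacy MD5 rows, and an in-place upgrade of each row to password_hash() once the user logs in successfully. It assumes PHP 7.1 or later with the PDO SQLite driver, and the column names ID, Email and Password from the thread; the accounts and passwords are constructed for the demo.

```php
<?php
// Added example (not from the thread). Demonstrates the single-quote bug and
// a hardened login check with a legacy-MD5 migration path.

// --- 1. The bug: single quotes suppress variable interpolation ---------------
function digest_literal(string $pass2): string
{
    return md5('$pass2');  // hashes the literal string "$pass2", whatever $pass2 holds
}

function digest_value(string $pass2): string
{
    return md5($pass2);    // hashes the password that was actually submitted
}

// --- 2. Login check: prepared statement, constant-time compare, upgrade ------
// Assumed schema: tablename(ID, Email, Password). Password holds either a
// legacy 32-hex-digit MD5 digest or a password_hash() string.
function check_login(PDO $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT ID, Password FROM tablename WHERE Email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                      // unknown account: same answer as a bad password
    }
    $stored = $row['Password'];
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy unsalted MD5 row: compare without leaking timing, then rehash.
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        $upd = $db->prepare('UPDATE tablename SET Password = ? WHERE ID = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['ID']]);
        return (int) $row['ID'];
    }
    return password_verify($password, $stored) ? (int) $row['ID'] : null;
}

// --- 3. Demo with an in-memory SQLite database and constructed accounts ------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tablename (ID INTEGER PRIMARY KEY, Email TEXT, Password TEXT)');

$ins = $db->prepare('INSERT INTO tablename (ID, Email, Password) VALUES (?, ?, ?)');
$ins->execute([1, 'alice@example.com', digest_literal('correct horse')]); // what the buggy insert stored
$ins->execute([2, 'bob@example.com',   digest_value('hunter2')]);          // what the fixed insert stores

printf("digest stored by the buggy insert, for any password: %s\n", digest_literal('anything'));
var_dump(check_login($db, 'alice@example.com', 'correct horse')); // NULL: row holds md5('$pass2')
var_dump(check_login($db, 'bob@example.com',   'hunter2'));       // int(2), row upgraded to password_hash()
var_dump(check_login($db, 'bob@example.com',   'hunter2'));       // int(2) again, now via password_verify()
var_dump(check_login($db, 'bob@example.com',   'wrong'));         // NULL
```

Two points worth noting when adapting this: the regex guard only identifies rows that still carry the old MD5 format, so once every user has logged in once the md5() branch is dead code and can be removed; and the same null result for "no such account" and "wrong password" is what the second reply in the thread recommends, here achieved without putting the password into the SQL string at all.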