
PHP Login Script, Why MD5 Hash?

MS
Guest
 
Posts: n/a
#1: Nov 11 '07
Hi,

I'm writing a PHP login script for a web site. I've looked at several
examples on the web and some of them use MD5 hashes for the password. They
do this in various ways.

EG.

a) Storing a MD5 hash of the original password in the database (in the
password field), and then comparing the MD5 hash of the user entered
password against that stored in the database.

b) Storing the password in the database, then comparing the MD5 hash of
that against a MD5 hash of the user entered password.

Mine currently uses no MD5 hashes at all. Here is a snippet:

Note: The 'username' field in the 'member' table of the db is unique so
the use of a valid username and password should return exactly one row.

// Escape the raw form input before it is placed into the query string
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);

$sql = "SELECT * FROM member WHERE username = '$user' AND password = '$pass'";

$result = mysql_query($sql) or MyDie("Error: ".mysql_error());

// Determine how many records are in the results
$numRowsReturned = mysql_num_rows($result);

So if $numRowsReturned == 1 the user gains entry, otherwise not.

I'm new to this so am wondering if there is some sensible security reason
that MD5 hashes are being used, otherwise I completely fail to see why
anyone is using them at all.

Can someone explain this to me please and let me know why -if at all- I
should be using MD5? If I should, does it make any difference whether I use
MySQL's MD5 function or PHP's MD5 function, just in case there is a
security issue with that as well.

Many thanks and regards, etc..

ZeldorBlat
Guest
 
Posts: n/a
#2: Nov 11 '07

re: PHP Login Script, Why MD5 Hash?


On Nov 11, 12:12 pm, MS <No.Way.J...@No.Spam.Thank.You.com> wrote:
> I'm new to this so am wondering if there is some sensible security reason
> that MD5 hashes are being used, otherwise I completely fail to see why
> anyone is using them at all.

The idea of hashing the passwords is to avoid storing or transmitting
the actual password.

If you store the hash of the password in the database, someone with
access to the database won't be able to see the password. If you hash
the password on the client side (e.g. with Javascript) before
transmitting it, anyone who intercepts the transmission won't be able
to see the password.

While it does enhance security, it isn't fool-proof. For instance, if
you hash the password client-side before transmitting it, anyone who
intercepts the transmission can simply transmit the hash instead. You
could also argue that anyone with direct access to the database could
bypass the security implemented in the application.

If you're really concerned about security, I would store the passwords
as a hash, transmit the actual password when logging in, and use SSL
so the whole thing is encrypted.

As for using PHP's function or MySQL's function it makes no
difference. They both implement the same hash algorithm so you will
get the same answer from both for some given input. These algorithms
wouldn't be of much use if everyone did them differently.
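
The flow ZeldorBlat recommends (store only a hash, send the real password over SSL, hash and compare on the server) as an added example; this is not code from the thread. The $members array is a constructed in-memory stand-in for the 'member' table, the function names register() and login() are mine, and hash('sha256') and hash_equals() stand in for md5() and a hand-built query. Requires PHP 7 or later.

```php
<?php
// Added example (not the original poster's code): the login flow described
// above, with the password stored only as a digest. $members is a constructed
// in-memory stand-in for the thread's 'member' table; against MySQL the same
// lookup would be a prepared statement such as
//   SELECT password_hash FROM member WHERE username = ?
declare(strict_types=1);

// Registration: hash the password before it is written anywhere. SHA-256 via
// hash() is used here instead of md5(); the flow is identical.
function register(array &$members, string $username, string $password): void
{
    $members[$username] = hash('sha256', $password);
}

// Login: the client sends the real password (protected in transit by SSL/TLS),
// the server hashes it and compares against the stored digest. Someone reading
// the table sees only digests, never the password itself.
function login(array $members, string $username, string $password): bool
{
    if (!isset($members[$username])) {
        return false; // unknown user: same outcome as a wrong password
    }
    $candidate = hash('sha256', $password);
    // hash_equals() compares in constant time rather than with ===
    return hash_equals($members[$username], $candidate);
}

$members = [];
register($members, 'alice', 'correct horse battery');

var_dump(login($members, 'alice', 'correct horse battery'));
var_dump(login($members, 'alice', 'wrong password'));
var_dump(login($members, 'nobody', 'correct horse battery'));

// What actually sits in the 'password' column now: a hex digest, not the word
echo $members['alice'], PHP_EOL;
```

Run it with the php command-line binary: the three var_dump lines give true, false, false, and the final echo shows a 64-character hex digest where the plaintext used to be. This also shows why option (b) in the question gains nothing: if the plaintext is what sits in the table, hashing both sides at login time does not stop a reader of the database from seeing the password.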

MS
Guest
 
Posts: n/a
#3: Nov 11 '07

re: PHP Login Script, Why MD5 Hash?


ZeldorBlat emailed this:
> As for using PHP's function or MySQL's function it makes no
> difference. They both implement the same hash algorithm so you will
> get the same answer from both for some given input. These algorithms
> wouldn't be of much use if everyone did them differently.

Many thanks for the informative and helpful explanation. I'll do exactly
as you suggest. As for the PHP and MySQL implementation of MD5, I realized
that they implement the same algorithm but just wondered whether it was
better to do the MD5 hash of the table data from within MySQL as a
security precaution.

Thanks again.

C. (http://symcbean.blogspot.com/)
Guest
 
Posts: n/a
#4: Nov 12 '07

re: PHP Login Script, Why MD5 Hash?


On 11 Nov, 17:48, MS <No.Way.J...@No.Spam.Thank.You.com> wrote:
> As for the PHP and MySQL implementation of MD5, I realized
> that they implement the same algorithm but just wondered whether it was
> better to do the MD5 hash of the table data from within MySQL as a
> security precaution.

See this thread:

http://groups.google.co.uk/group/com...gst&q=MD5+salt

C.

Michael Fesser
Guest
 
Posts: n/a
#5: Nov 14 '07

re: PHP Login Script, Why MD5 Hash?


..oO(ZeldorBlat)
>If you're really concerned about security, I would store the passwords
>as a hash, transmit the actual password when logging in, and use SSL
>so the whole thing is encrypted.
To further improve the security the passwords should be stored as salted
hashes. Without a salt the same password will lead to the same hash,
which should be avoided.

Micha
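
An added example of the point Michael Fesser makes about salting; it is not code from the thread. The $users array is a constructed stand-in for a member table in which two users happen to have chosen the same password, and the helper names unsaltedHash(), saltedRecord() and verifySalted() are mine. The salt is combined by plain concatenation to keep the mechanism visible; the last lines show PHP's built-in password_hash()/password_verify(), which is the route to take in practice. Requires PHP 7 or later.

```php
<?php
// Added example (not code from the thread): why a per-user salt matters.
// $users is a constructed stand-in for a member table holding two users who
// happen to have chosen the same password.
declare(strict_types=1);

// Unsalted, as in the thread: identical passwords give identical digests, so a
// reader of the table can see which accounts share a password and can reuse
// one precomputed table of digests against every row.
function unsaltedHash(string $password): string
{
    return md5($password);
}

// Salted: a random per-user salt is mixed into the input and stored next to
// the digest. Equal passwords now give different digests, and a precomputed
// table would have to be rebuilt for every salt.
function saltedRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16)); // 128-bit random salt, stored in clear
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

// Verification recomputes the digest from the stored salt and the attempt.
function verifySalted(array $record, string $password): bool
{
    $candidate = hash('sha256', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate); // constant-time compare
}

$users = [];
foreach (['alice', 'bob'] as $name) {
    $users[$name] = [
        'unsalted' => unsaltedHash('letmein'),
        'salted'   => saltedRecord('letmein'),
    ];
}

// Same password, same unsalted digest: visible just by inspecting the table.
var_dump($users['alice']['unsalted'] === $users['bob']['unsalted']);
// Same password, different salted digests.
var_dump($users['alice']['salted']['hash'] === $users['bob']['salted']['hash']);
// The stored salt is all that is needed to check a login attempt.
var_dump(verifySalted($users['alice']['salted'], 'letmein'));
var_dump(verifySalted($users['alice']['salted'], 'wrong'));

// Since PHP 5.5 the standard library does the salting for you: password_hash()
// picks a random salt and a deliberately slow algorithm (bcrypt by default),
// and password_verify() reads the salt back out of the stored string.
$stored = password_hash('letmein', PASSWORD_DEFAULT);
var_dump(password_verify('letmein', $stored));
```

The first var_dump prints true and the second false, which is the whole argument for salting in two lines of output. The salt itself is not secret and is stored in the clear beside the digest; what it buys is that the work of guessing has to be repeated per account instead of once per table.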