Hi:
I have a problem:
I've a page that sends an encrypted password, using MD5, to a PHP
file, which is able to compare such MD5 encrypted password with an
encryption stored on a data base. But the encryption way, on MD5, on
JavaScript and PHP doesn't return the same value.
My questions are:
1. Aren't these methods the same? I mean, the implementation on
JavaScript and the implementation on PHP.
2. I could fix this by calling my .js file on my .php file. How can I
do this?
3. Does anyone know about an encryption method that return the same
value, on JavaScript and PHP?
Thanks a lot.
Alejo.
Amilcar wrote:
Hi:
I have a problem: I've a page that sends an encrypted password, using MD5, to a PHP file, which is able to compare such MD5 encrypted password with an encryption stored on a data base. But the encryption way, on MD5, on JavaScript and PHP doesn't return the same value.
My questions are:
1. Aren't these methods the same? I mean, the implementation on JavaScript and the implementation on PHP.
2. I could fix this by calling my .js file on my .php file. How can I do this?
3. Does anyone know about an encryption method that return the same value, on JavaScript and PHP?
Thanks a lot.
Alejo.
Mmmmm what a heavenly way to make a site totally inaccessible to users
without javascript, and I could respond to points in question but as I
wouldn't call myself one of the best "programmers" I won't, and this news
group is public, putting subject lines like that is only going to make
you look bad IMHO.
~Cameron
Amilcar wrote: 1. Aren't these methods the same? I mean, the implementation on JavaScript and the implementation on PHP.
The algorithm is standard, RFC 1321, but the implementations may vary.
2. I could fix this by calling my .js file on my .php file. How can I do this?
You can't.
3. Does anyone know about an encryption method that return the same value, on JavaScript and PHP?
MD5 should - but remember it's not "an encryption method", it's a
one-way hash. Minor technicality ;-)
First off, work out where the error lies. At the end of the RFC are
some test values. Run these values through both JS and PHP and see
which one doesn't give you the correct value. If they both give you the
correct value (just a simple print(md5($value))) then it's something
else in your code broken.
MD5 ("") = d41d8cd98f00b204e9800998ecf8427e
MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661
MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72
MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0
MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b
MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") =
d174ab98d277d9f5a5611c2c9f419d9f
MD5 ("12345678901234567890123456789012345678901234567890123456789012345678901234567890") =
57edf4a22be3c955ac49da2e2107b67a
Cheers,
Andy
Cameron wrote: Mmmmm what a heavenly way to make a site totally inaccessible to users without javascript, and I could respond to points in question but as I wouldn't call myself one of the best "programmers" I won't, and this news group is public, putting subject lines like that is only going to make you look bad IMHO.
Dammit - given that I've just responded, does that look egotistical. If
so, I take it back. AMILCAR DON'T USE THE INFORMATION I PROVIDED, I
HAVE WITHDRAWN IT.
;-)
Cheers,
Andy
Andy Jeffries wrote: Cameron wrote:
Mmmmm what a heavenly way to make a site totally inaccessible to users without javascript, and I could respond to points in question but as I wouldn't call myself one of the best "programmers" I won't, and this news group is public, putting subject lines like that is only going to make you look bad IMHO.
Dammit - given that I've just responded, does that look egotistical. If so, I take it back. AMILCAR DON'T USE THE INFORMATION I PROVIDED, I HAVE WITHDRAWN IT.
;-)
Cheers,
Andy
lol, nah just stick to, I thought the subject line was insulting so I
replied anyway ;)
~Cameron
Amilcar wrote: I've a page that sends an encrypted password, using MD5, to a PHP file, which is able to compare such MD5 encrypted password with an encryption stored on a data base. But the encryption way, on MD5, on JavaScript and PHP doesn't return the same value. My questions are: 1. Aren't these methods the same? I mean, the implementation on JavaScript and the implementation on PHP.
I guess (at least) one of the implementations is not doing it according
to the specifications.
RFC1321 ( @ http://www.faqs.org/rfcs/rfc1321.html ) has a few test cases
along with an implementation in C.
2. I could fix this by calling my .js file on my .php file. How can I do this?
hehe, in all the tests I did, the PHP implementation has never let me
down :)
Get a working JS implementation and let the browser use that one.
Have the server use PHP's implementation.
3. Does anyone know about an encryption method that return the same value, on JavaScript and PHP?
You might want to check this page for a JavaScript MD5 implementation: http://pajhome.org.uk/crypt/md5/index.html
--
--= my mail box only accepts =--
--= Content-Type: text/plain =--
--= Size below 10001 bytes =--
I see a problem with your security scheme that makes the md5 hash almost
irrelevant. However, I can think of 5 programmers off the top of my
head who are better than me, so I guess I can't help you.
Amilcar wrote: I've a page that sends an encrypted password, using MD5, to a PHP file, which is able to compare such MD5 encrypted password with an encryption stored on a data base. But the encryption way, on MD5, on JavaScript and PHP doesn't return the same value. My questions are: 1. Aren't these methods the same? I mean, the implementation on JavaScript and the implementation on PHP.
2. I could fix this by calling my .js file on my .php file. How can I do this?
3. Does anyone know about an encryption method that return the same value, on JavaScript and PHP?
Yeah, ego thing aside, I just tested a Javascript (IE6/Win98) md5 hash and a PHP
one. They both came out the same (though it's quite possible different browsers
will implement it differently). Before you think too hard about solutions, I'd
make sure you're using the same text for both. Make sure something stupid is
not going on, like unintentional backslashes in the text or sending "Array()"
instead of an array element or any of the common errors that you might be
overlooking.
Once you figure out what's wrong and how to fix it, you might want to reconsider
using Javascript :o)
Shawn
--
Shawn Wilson sh***@glassgiant.com http://www.glassgiant.com
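Added example, not part of any post in this thread: the two checks suggested above (run the RFC 1321 test values through the implementation, then make sure both sides hash the same text) as a Node.js script. The function names `md5Hex`, `failingVectors` and `inputMismatches` and the sample password are constructed for illustration; Node's built-in `crypto` module stands in for a known-good MD5.

```javascript
const crypto = require('crypto');

// Reference MD5 over an explicit byte encoding of the text.
function md5Hex(text, encoding = 'utf8') {
  return crypto.createHash('md5').update(Buffer.from(text, encoding)).digest('hex');
}

// Test suite from the appendix of RFC 1321: [input, expected digest].
const RFC1321_VECTORS = [
  ['', 'd41d8cd98f00b204e9800998ecf8427e'],
  ['a', '0cc175b9c0f1b6a831c399e269772661'],
  ['abc', '900150983cd24fb0d6963f7d28e17f72'],
  ['message digest', 'f96b697d7cb7938d525a2f31aaf161d0'],
  ['abcdefghijklmnopqrstuvwxyz', 'c3fcd3d76192e4007dfb496cca67e13b'],
  ['ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789',
    'd174ab98d277d9f5a5611c2c9f419d9f'],
  ['1234567890'.repeat(8), '57edf4a22be3c955ac49da2e2107b67a'],
];

// Returns the inputs an implementation gets wrong (empty array = conformant).
// Pass in the JavaScript MD5 function under suspicion as `impl`.
function failingVectors(impl) {
  return RFC1321_VECTORS
    .filter(([input, expected]) => String(impl(input)).toLowerCase() !== expected)
    .map(([input]) => input);
}

// The same typed password as it might reach the hash on the other side
// (constructed variants): each one that changes the digest is reported.
function inputMismatches(typed) {
  const variants = {
    'trailing newline': typed + '\n',
    'backslash-escaped quotes': typed.replace(/(['"\\])/g, '\\$1'),
    'latin1 bytes instead of utf8': Buffer.from(typed, 'latin1'),
  };
  const reference = md5Hex(typed);
  const differing = [];
  for (const [label, value] of Object.entries(variants)) {
    const digest = crypto.createHash('md5').update(value).digest('hex');
    if (digest !== reference) differing.push(label);
  }
  return differing;
}

console.log('failing RFC 1321 vectors:', failingVectors(md5Hex));
console.log('inputs that change the digest:', inputMismatches("pä'ss"));
```

An implementation that passes all seven vectors but still disagrees with the server is almost always hashing different bytes, which is what the second function makes visible.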
Who knows? Perhaps he's using a random challenge value. Then again, if I can
see the plaintext traffic then I can just steal the cookie and hijack the
session. All in all it's pretty pointless.
User "Bruce Lewis" <br*****@yahoo.com> wrote in message
news:nm******** *****@mass-toolpike.mit.ed u...
I see a problem with your security scheme that makes the md5 hash almost irrelevant. However, I can think of 5 programmers off the top of my head who are better than me, so I guess I can't help you.
I've a page that sends an encrypted password, using MD5, to a PHP file, which is able to compare such MD5 encrypted password with an encryption stored on a data base.
So basically you have a db of hashed passwords, and not like most
password auth stuff that's used on most webpages, you want to hash
the password -before- it's sent to the server, right?
JavaScript and PHP doesn't return the same value.
This is due to how it's implemented. If you use the md5-function
of PHP, that will yield the correct result. So the problem surely
lies in the javascript. So check it for errors.
1. Aren't these methods the same? I mean, the implementation on JavaScript and the implementation on PHP.
MD5 is an algorithm, a one-way hash function. It's standardized,
so what's wrong here is its implementation, probably in the js.
2. I could fix this by calling my .js file on my .php file. How can I do this?
I'm not sure I know what you are talking about, but if you mean using
the algorithm used in your js in the execution of your php-script, then
the answer is no. It's not possible. And it wouldn't be a fix. It would
most probably mean that you'd be using a broken algorithm, since I'm
pretty convinced that it's your js algo and not the php md5 fu that's
broke here. (You are using the php md5 fu, and not your own fu, right?!)
3. Does anyone know about an encryption method that return the same value, on JavaScript and PHP?
Yes. All of them, if they are implemented correctly. Your problem is that
the client side (js) and the server side (php) algorithms aren't doing
the same, and as I've said a few times now, most probably the js.
But I'm not sure if you need to hash the password on the client side.
Or, actually, I know you don't, since it doesn't add security. See, I
bet you want to hash the password before you send it, to hide it from
being sniffed by someone, somewhere. But if you send the md5 hash of the
pwd, then the hash becomes the pwd as far as the server is concerned.
So if someone sniffs the md5 hash of the pwd, they can use it at a later
time as the password.
The reason you want to hash the password in the first place, is to
protect it from being retrieved from the server by a hacker, and then
used by that hacker later. The security lies in that the user knows the
password, and the server knows its md5 hash. So if anyone gets hold of
the md5 hash, it's totally useless, since you can't feed it to the server.
The server would hash it, and compare it, and the hash of the hash, would
not match the hash (of the password) of course.
So hashing the password -before- you send it to the server, would greatly
lower the security of your system.
I can only see one good reason to hash the password before you send it,
and that is to protect the password itself. What you'd need to do then,
is to hash it (with js) before you send it, and then hash it again at the
server. So what the server is having stored, and is doing its compares
against, is a hash of the hash of the password. But as I said earlier,
this would not stop anyone from sniffing the (hash of the) password, and
using it later towards the server. It would only prohibit the sniffer of
knowing what your original pass phrase was. Which, of course, could have
some value of its own.
A better way of achieving what I suspect you want, is to use an encrypted
channel between the client and the host, using SSL (https://). This is
a whole other ballgame though...
Thanks a lot.
You're welcome :-)
--
Fred H
void FredH::Contact( ) {
TextToSpeach.say("frode at age dee dee dot en oh");
}
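Added example, not part of any post in this thread: a small Node.js model of the login variants discussed above (hash on the server only, hash in the browser only, hash of the hash, and the random challenge value mentioned earlier), showing for each which value a server would accept. The scheme names, the `evaluate` function and the sample password are constructed for illustration; MD5 is used only because the thread does.

```javascript
const crypto = require('crypto');
const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');
const id = (x) => x;

// derive:  what the client computes from the typed password
// respond: what the client sends, given that value and the server's nonce
// stored:  what the database holds
// verify:  the server-side check of the received value
const SCHEMES = {
  serverHash: { derive: id, respond: id, stored: md5,
    verify: (rx, st) => md5(rx) === st },
  clientHash: { derive: md5, respond: id, stored: md5,
    verify: (rx, st) => rx === st },
  doubleHash: { derive: md5, respond: id, stored: (pw) => md5(md5(pw)),
    verify: (rx, st) => md5(rx) === st },
  challenge: { derive: md5, respond: (secret, nonce) => md5(nonce + secret),
    stored: md5, verify: (rx, st, nonce) => rx === md5(nonce + st) },
};

function evaluate(name, password) {
  const s = SCHEMES[name];
  const stored = s.stored(password);
  // Two login attempts, each with a fresh server-chosen nonce.
  const [nonce1, nonce2] = [1, 2].map(() => crypto.randomBytes(16).toString('hex'));
  const captured = s.respond(s.derive(password), nonce1); // value seen on plain HTTP
  return {
    loginWorks: s.verify(captured, stored, nonce1),
    // Does the wire carry the passphrase itself?
    passwordOnWire: captured === password,
    // Is the same wire value accepted again on a later attempt?
    replayAccepted: s.verify(captured, stored, nonce2),
    // Is the database value alone enough to log in?
    storedValueLogsIn: s.verify(s.respond(stored, nonce2), stored, nonce2),
  };
}

for (const name of Object.keys(SCHEMES)) {
  console.log(name, evaluate(name, 'correct horse'));
}
```

Only the challenge variant rejects a replayed value, and only the server-side variants keep the database value from working as a login secret; none of them protects the session cookie on an unencrypted connection, which is why the thread ends at SSL.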