Bytes | Software Development & Data Engineering Community

PHP Login Script, Why MD5 Hash?

MS
Hi,

I'm writing a PHP login script for a web site. I've looked at several
examples on the web and some of them use MD5 hashes for the password. They
do this in various ways.

EG.

a) Storing an MD5 hash of the original password in the database (in the
password field), and then comparing the MD5 hash of the user-entered
password against that stored in the database.

b) Storing the password in the database, then comparing the MD5 hash of
that against an MD5 hash of the user-entered password.

Mine currently uses no MD5 hashes at all. Here is a snippet:

Note: The 'username' field in the 'member' table of the db is unique so
the use of a valid username and password should return exactly one row.

$sql = "SELECT * FROM member WHERE username =
'$user' AND password = '$pass'";

$result = mysql_query($sql) or MyDie("Error: ".mysql_error());

// Determine how many records are in the results
$numRowsReturned = mysql_num_rows($result);

So if $numRowsReturned == 1 the user gains entry, otherwise not.

I'm new to this so I am wondering if there is some sensible security reason
that MD5 hashes are being used; otherwise I completely fail to see why
anyone is using them at all.

Can someone explain this to me please and let me know why -if at all- I
should be using MD5? If I should, does it make any difference whether I use
MySQL's MD5 function or PHP's MD5 function, just in case there is a
security issue with that as well.

Many thanks and regards, etc..
Nov 11 '07 #1
On Nov 11, 12:12 pm, MS <No.Way.J...@No.Spam.Thank.You.com> wrote:
[...]

The idea of hashing the passwords is to avoid storing or transmitting
the actual password.

If you store the hash of the password in the database, someone with
access to the database won't be able to see the password. If you hash
the password on the client side (e.g. with JavaScript) before
transmitting it, anyone who intercepts the transmission won't be able
to see the password.

While it does enhance security, it isn't fool-proof. For instance, if
you hash the password client-side before transmitting it, anyone who
intercepts the transmission can simply transmit the hash instead. You
could also argue that anyone with direct access to the database could
bypass the security implemented in the application.

If you're really concerned about security, I would store the passwords
as a hash, transmit the actual password when logging in, and use SSL
so the whole thing is encrypted.

As for using PHP's function or MySQL's function, it makes no
difference. They both implement the same hash algorithm, so you will
get the same answer from both for a given input. These algorithms
wouldn't be of much use if everyone did them differently.

Nov 11 '07 #2
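One way to implement the scheme this reply recommends (store only a hash, send the real password over SSL/TLS and let the server compare), written here as an added example and not code from the thread: it uses PDO with an in-memory SQLite table named like the poster's 'member' table, and PHP's built-in password_hash()/password_verify() in place of a bare MD5 so the stored value is already salted.

```php
<?php
// Added example, not code from the thread: the scheme ZeldorBlat recommends.
// Only a hash is stored; the real password is sent by the client (over TLS)
// and compared server-side. Uses an in-memory SQLite database through PDO so
// it runs stand-alone; the 'member' table mirrors the one in the original post.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// Registration: the plaintext is hashed once and then discarded.
// password_hash() generates a random salt and uses bcrypt by default.
function register(PDO $db, string $user, string $pass): void
{
    $stmt = $db->prepare('INSERT INTO member (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $user, ':p' => password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login: fetch the row by username only, through a prepared statement, so
// neither the username nor the password is spliced into the SQL text.
function login(PDO $db, string $user, string $pass): bool
{
    static $dummy = null;   // hash of a throwaway value, computed once per process
    $dummy ??= password_hash('throwaway', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password FROM member WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown user, verify against the dummy hash anyway so the reply
    // takes as long as for a known user and timing does not reveal usernames.
    $ok = password_verify($pass, $row === false ? $dummy : $row['password']);
    return $ok && $row !== false;
}

$db = open_db();
register($db, 'alice', 'correct horse battery');   // constructed sample account
foreach ([['alice', 'correct horse battery'], ['alice', 'wrong'], ['nobody', 'x']] as [$u, $p]) {
    echo $u, ': ', login($db, $u, $p) ? 'entry granted' : 'denied', "\n";
}
```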
MS
ZeldorBlat emailed this:
On Nov 11, 12:12 pm, MS <No.Way.J...@No.Spam.Thank.You.com> wrote:
[...]

Many thanks for the informative and helpful explanation. I'll do exactly
as you suggest. As for the PHP and MySQL implementation of MD5, I realized
that they implement the same algorithm but just wondered whether it was
better to do the MD5 hash of the table data from within MySQL as a
security precaution.

Thanks again.
Nov 11 '07 #3
On 11 Nov, 17:48, MS <No.Way.J...@No.Spam.Thank.You.com> wrote:
ZeldorBlat emailed this:
On Nov 11, 12:12 pm, MS <No.Way.J...@No.Spam.Thank.You.com> wrote:
[...]

See this thread:

http://groups.google.co.uk/group/com...gst&q=MD5+salt

C.

Nov 12 '07 #4
..oO(ZeldorBlat)
>If you're really concerned about security, I would store the passwords
>as a hash, transmit the actual password when logging in, and use SSL
>so the whole thing is encrypted.
To further improve the security the passwords should be stored as salted
hashes. Without a salt the same password will lead to the same hash,
which should be avoided.

Micha
Nov 14 '07 #5
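To show the point Micha makes, an added example that is not part of the thread: two accounts with the same password under unsalted MD5 versus a per-user random salt. The salted variant uses SHA-256 and a constructed 'salt$digest' storage format chosen for the demonstration; PHP's built-in password_hash() performs the salting automatically.

```php
<?php
// Added example, not code from the thread: what Micha's salt changes.
// Two accounts that happen to share a password get identical unsalted MD5
// digests but different salted digests. Stand-alone, no database involved.
// SHA-256 is used for the salted variant here as the editor's choice; in real
// code PHP's password_hash() does the salting and the stretching for you.
declare(strict_types=1);

// Constructed sample: alice and bob chose the same password.
const ACCOUNTS = ['alice' => 'letmein', 'bob' => 'letmein'];

// Unsalted, as in option (a) of the original post.
function unsalted(string $pass): string
{
    return md5($pass);
}

// Salted: 16 random bytes are hashed together with the password and kept
// next to the digest as "salt$digest" so the check can reproduce them.
function salted(string $pass): string
{
    $salt = bin2hex(random_bytes(16));
    return $salt . '$' . hash('sha256', $salt . $pass);
}

function salted_verify(string $pass, string $stored): bool
{
    [$salt, $digest] = explode('$', $stored, 2);
    // hash_equals() compares in constant time regardless of where the strings differ.
    return hash_equals($digest, hash('sha256', $salt . $pass));
}

$stored = [];
foreach (ACCOUNTS as $user => $pass) {
    $stored[$user] = salted($pass);
    printf("%-6s unsalted: %s\n", $user, unsalted($pass));
    printf("%-6s salted:   %s\n", $user, $stored[$user]);
}

// The unsalted digests match each other (anyone reading the table can see the
// two users share a password); the salted ones do not, yet each still verifies
// only against its own password.
printf("unsalted equal: %s\n", var_export(unsalted(ACCOUNTS['alice']) === unsalted(ACCOUNTS['bob']), true));
printf("salted equal:   %s\n", var_export($stored['alice'] === $stored['bob'], true));
printf("alice verifies: %s\n", var_export(salted_verify('letmein', $stored['alice']), true));
printf("bob wrong pw:   %s\n", var_export(salted_verify('wrong', $stored['bob']), true));
```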
