Reply to Re: PHP Login Script, Why MD5 Hash?

Posted by MS on 11/11/07 17:48

ZeldorBlat emailed this:
> On Nov 11, 12:12 pm, MS <No.Way.J...@No.Spam.Thank.You.com> wrote:
>> Hi,
>>
>> I'm writing a PHP login script for a web site. I've looked at several
>> examples on the web and some of them use MD5 hashes for the password. They
>> do this in various ways.
>>
>> EG.
>>
>> a) Storing a MD5 hash of the original password in the database (in the
>> password field), and then comparing the MD5 hash of the user entered
>> password against that stored in the database.
>>
>> b) Storing the password in the database, then comparing the MD5 hash of
>> that against a MD5 hash of the user entered password.
>>
>> Mine currently uses no MD5 hashes at all. Here is a snippet:
>>
>> Note: The 'username' field in the 'member' table of the db is unique so
>> the use of a valid username and password should return exactly one row.
>>
>> $sql = "SELECT * FROM member WHERE username =
>> '$user' AND password = '$pass'";
>>
>> $result = mysql_query($sql) or MyDie("Error: ".mysql_error());
>>
>> // Determine how many records are in the results
>> $numRowsReturned = mysql_num_rows($result);
>>
>> So if $numRowsReturned == 1 the user gains entry, otherwise not.
>>
>> I'm new to this so am wondering if there is some sensible security reason
>> that MD5 hashes are being used, otherwise I completely fail to see why
>> anyone is using them at all.
>>
>> Can someone explain this to me please and let me know why -if at all- I
>> should be using MD5? If I should does it make any difference whether I use
>> MySQL's MD5 function or PHP's MD5 function, just in case there is a
>> security issue with that as well.
>>
>> Many thanks and regards, etc..
>
> The idea of hashing the passwords is to avoid storing or transmitting
> the actual password.
>
> If you store the hash of the password in the database, someone with
> access to the database won't be able to see the password. If you hash
> the password on the client side (e.g. with Javascript) before
> transmitting it, anyone who intercepts the transmission won't be able
> to see the password.
>
> While it does enhance security, it isn't fool-proof. For instance, if
> you hash the password client-side before transmitting it, anyone who
> intercepts the transmission can simply transmit the hash instead. You
> could also argue that anyone with direct access to the database could
> bypass the security implemented in the application.
>
> If you're really concerned about security, I would store the passwords
> as a hash, transmit the actual password when logging in, and use SSL
> so the whole thing is encrypted.
>
> As for using PHP's function or MySQL's function it makes no
> difference. They both implement the same hash algorithm so you will
> get the same answer from both for some given input. These algorithms
> wouldn't be of much use if everyone did them differently.

Many thanks for the informative and helpful explanation. I'll do exactly
as you suggest. As for the PHP and MySQL implementation of MD5, I realized
that they implement the same algorithm but just wondered whether it was
better to do the MD5 hash of the table data from within MySQL as a
security precaution.

Thanks again.
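The approach ZeldorBlat recommends (store only a hash, send the real password over SSL, verify on the server) in working PHP. This is an added example, not code from either poster: it uses password_hash()/password_verify() instead of bare MD5, because an unsalted MD5 of a common password can be looked up from the stored value, and it binds $user and $pass as query parameters so neither can change the SQL the way the quoted string-built query allows. It also hashes in PHP rather than with MySQL's MD5() so the plaintext password never appears in the query text or the server's query log, which is the difference MS asked about. The in-memory SQLite table and the sample member are constructed stand-ins for the site's MySQL 'member' table.

```php
<?php
// Added example (not from the thread): hashed-password login check.
// Assumes PHP >= 5.5 (password_hash) with the pdo_sqlite extension.
declare(strict_types=1);

// Constructed stand-in for the site's MySQL 'member' table.
function buildSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $db;
}

// Registration: store a salted, slow hash, never the password itself.
// password_hash() picks the algorithm (bcrypt today) and a random salt,
// so two members with the same password get different stored values.
function registerMember(PDO $db, string $user, string $pass): void {
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO member (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $user, ':h' => $hash]);
}

// Login: look up the stored hash by username with a bound parameter, then
// let password_verify() do the comparison. The row count is no longer the
// test; the hash check is, and the password never goes into SQL text.
function loginOk(PDO $db, string $user, string $pass): bool {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-for-unknown-user', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password_hash FROM member WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run one verification so the response time
        // does not reveal which usernames exist.
        password_verify($pass, $dummyHash);
        return false;
    }
    return password_verify($pass, $row['password_hash']);
}

$db = buildSampleDb();
registerMember($db, 'alice', 'correct horse battery staple');

var_dump(loginOk($db, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(loginOk($db, 'alice', 'wrong password'));               // bool(false)
var_dump(loginOk($db, 'nobody', 'anything'));                    // bool(false)

// What the table actually holds: a bcrypt string, not the password, so a
// copy of the database (the risk the thread discusses) does not expose it.
echo $db->query("SELECT password_hash FROM member WHERE username = 'alice'")
        ->fetchColumn(), "\n";
```

Run with `php login_example.php`. Hashing on the server means the browser still sends the real password once per login, which is why the SSL step in the reply above is not optional: a client-side hash would just become the secret an interceptor replays, as ZeldorBlat points out.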


Copyright © 2005-2006 Powered by Custom PHP Programming
