Reply to Re: PHP Login Script, Why MD5 Hash?

Posted by C. (http://symcbean.blogspot.com/) on 11/12/07 17:30

On 11 Nov, 17:48, MS <No.Way.J...@No.Spam.Thank.You.com> wrote:
> ZeldorBlat emailed this:
>
>
>
> > On Nov 11, 12:12 pm, MS <No.Way.J...@No.Spam.Thank.You.com> wrote:
> >> Hi,
>
> >> I'm writing a PHP login script for a web site. I've looked at several
> >> examples on the web and some of them use MD5 hashes for the password. They
> >> do this in various ways.
>
> >> EG.
>
> >> a) Storing a MD5 hash of the original password in the database (in the
> >> password field), and then comparing the MD5 hash of the user entered
> >> password against that stored in the database.
>
> >> b) Storing the password in the database, then comparing the MD5 hash of
> >> that against a MD5 hash of the user entered password.
>
> >> Mine currently uses no MD5 hashes at all. Here is a snippet:
>
> >> Note: The 'username' field in the 'member' table of the db is unique so
> >> the use of a valid username and password should return exactly one row.
>
> >> $sql = "SELECT * FROM member WHERE username =
> >> '$user' AND password = '$pass'";
>
> >> $result = mysql_query($sql) or MyDie("Error: ".mysql_error());
>
> >> // Determine how many records are in the results
> >> $numRowsReturned = mysql_num_rows($result);
>
> >> So if $numRowsReturned == 1 the user gains entry, otherwise not.
>
> >> I'm new to this so am wondering if there is some sensible security reason
> >> that MD5 hashes are being used, otherwise I completely fail to see why
> >> anyone is using them at all.
>
> >> Can someone explain this to me please and let me know why -if at all- I
> >> should be using MD5? If I should, does it make any difference whether I use
> >> MySQL's MD5 function or PHP's MD5 function, just in case there is a
> >> security issue with that as well.
>
> >> Many thanks and regards, etc..
>
> > The idea of hashing the passwords is to avoid storing or transmitting
> > the actual password.
>
> > If you store the hash of the password in the database, someone with
> > access to the database won't be able to see the password. If you hash
> > the password on the client side (e.g. with Javascript) before
> > transmitting it, anyone who intercepts the transmission won't be able
> > to see the password.
>
> > While it does enhance security, it isn't fool-proof. For instance, if
> > you hash the password client-side before transmitting it, anyone who
> > intercepts the transmission can simply transmit the hash instead. You
> > could also argue that anyone with direct access to the database could
> > bypass the security implemented in the application.
>
> > If you're really concerned about security, I would store the passwords
> > as a hash, transmit the actual password when logging in, and use SSL
> > so the whole thing is encrypted.
>
> > As for using PHP's function or MySQL's function it makes no
> > difference. They both implement the same hash algorithm so you will
> > get the same answer from both for some given input. These algorithms
> > wouldn't be of much use if everyone did them differently.
>
> Many thanks for the informative and helpful explanation. I'll do exactly
> as you suggest. As for the PHP and MySQL implementation of MD5, I realized
> that they implement the same algorithm but just wondered whether it was
> better to do the MD5 hash of the table data from within MySQL as a
> security precaution.
>
> Thanks again.

See this thread:

http://groups.google.co.uk/group/comp.lang.php/browse_thread/thread/c5960aa0afac2621/4993d290eb78f811?hl=en&lnk=gst&q=MD5+salt

C.
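The storage choices the quoted exchange compares, written out as an added example (this is editor-written code, not MS's script, ZeldorBlat's suggestion or anything from the linked thread). It assumes PHP 7.1 or later, and a plain PHP array stands in for the 'member' table so it runs without MySQL. Option (a) from the original question is `storeMd5`/`checkMd5`; the salted variant is what the "MD5 salt" thread C. links to is about; the `password_hash` pair is the current PHP idiom for the same job.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ for scalar type
// declarations, random_bytes() and password_hash()/password_verify().

// Constructed stand-in for the 'member' table: username => stored password value.
$members = [];

// Option (a) from the question: store md5($password), compare against md5($input).
// The plaintext never reaches the database.
function storeMd5(array &$table, string $user, string $password): void
{
    $table[$user] = md5($password);
}

function checkMd5(array $table, string $user, string $input): bool
{
    if (!isset($table[$user])) {
        return false;
    }
    // hash_equals() compares the two hex digests in constant time.
    return hash_equals($table[$user], md5($input));
}

// Salted variant: a random per-user salt is stored beside the digest, so two
// members with the same password get different rows and a precomputed table
// of md5() values does not map the stored digests back to passwords.
function storeSaltedMd5(array &$table, string $user, string $password): void
{
    $salt = bin2hex(random_bytes(8));          // 16 hex characters
    $table[$user] = $salt . ':' . md5($salt . $password);
}

function checkSaltedMd5(array $table, string $user, string $input): bool
{
    if (!isset($table[$user])) {
        return false;
    }
    list($salt, $digest) = explode(':', $table[$user], 2);
    return hash_equals($digest, md5($salt . $input));
}

// Current PHP idiom: password_hash() picks a deliberately slow algorithm
// (bcrypt by default), generates the salt itself and embeds it in the string.
function storeModern(array &$table, string $user, string $password): void
{
    $table[$user] = password_hash($password, PASSWORD_DEFAULT);
}

function checkModern(array $table, string $user, string $input): bool
{
    return isset($table[$user]) && password_verify($input, $table[$user]);
}

// Demonstration with constructed credentials; all three use the same password
// so the differences in the stored rows are easy to see.
storeMd5($members, 'alice', 'correct horse');
storeSaltedMd5($members, 'bob', 'correct horse');
storeModern($members, 'carol', 'correct horse');

foreach ($members as $user => $stored) {
    echo "$user => $stored\n";   // no row contains the plaintext
}

var_dump(checkMd5($members, 'alice', 'correct horse'));
var_dump(checkMd5($members, 'alice', 'wrong password'));
var_dump(checkSaltedMd5($members, 'bob', 'correct horse'));
var_dump(checkModern($members, 'carol', 'correct horse'));
var_dump(checkModern($members, 'nobody', 'correct horse'));
```

One consequence for the original script: with a salt or `password_hash()` the comparison can no longer happen inside the `WHERE` clause, because the salt is only known once the row is read. The query fetches the member row by username alone, and the check runs in PHP against the stored value, which is also why it makes no difference whether MySQL's or PHP's MD5 is used to produce the digest, as ZeldorBlat said.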



Copyright © 2005-2006 Powered by Custom PHP Programming
