MD5 mismatch

cj2000
Forum Newbie
Posts: 7
Joined: Wed Jul 23, 2003 8:01 am

MD5 mismatch

Post by cj2000 »

Hi All,

I have been trying to solve this problem for days but I am at a loss as to what went wrong.

Basic:

I have created a basic authentication page. All the usernames and passwords (MD5) are stored in a .txt file. Included in the PHP is an option to allow me to add users (username and password).

After I have added a username and the password, I couldn't log in. I am absolutely sure that both the login and passwords are the same. After much debugging, I found out that I get 2 different MD5s for the same password.

e.g. for lyc -> efa664720fac0075674862b40d490830 & d41d8cd98f00b204e9800998ecf8427e

Attached below is my code, please kindly advise:

Code: Select all

<?php
$password_file="/var/www/pwd/pwd.txt";
function check_pass($login,$password){
	global $password_file;
	global $match;
	global $name;
	if(!$fh=fopen($password_file,"r")){
		die("<p>Could Not Open Password File");
	}
	$match=0;
	$name=0;
	$password=md5($password);
	while(!feof($fh)){
		$line=fgets($fh,4096);
		$user_pass=explode(":",$line);
		if($user_pass[0]==$login){
			echo $login;
			echo $password;
			echo $user_pass[0];
			echo $user_pass[1];
			if(rtrim($user_pass[1])==$password){
				$match=1;
				break;
			}
		}
	}
	if($match){
		return 1;
	} else {
		return 0;
	}
	fclose($fh);
}

function print_login_form($login){
	?>
	<p>Please Login In:
	<form action=authentication.php method=post>
	<p>Login: <input type="text" name="login" value="<?=$login?>">
	<br>Password: <input type="password" name="password">
	<br><input type="submit" name="checkpass" value="Login!">
	</form>
	<?php
}

function print_add_form(){
?>
<p> Add New User:
<form action=authentication.php method=post>
<p>Login:<input type="text" name="adduser">
<br>Password:<input type="password" name="addpass">
<br><input type="submit" name="add" value="Add User!">
</form>
<?php
}

function add_user($adduser,$addpass){
	global $password_file;
	if(!$fh=fopen($password_file,"a+")){
		die("<p>Could Not Open Password File");
	}
	rewind($fh);
	while(!feof($fh)){
		$line=fgets($fh,4096);
		$user_pass=explode(":",$line);
		if($user_pass[0]==$adduser){
			echo "<h2>Duplicate Login. Invalid!</h2>";
			return 0;
		}
	}
	$add=$adduser.":".md5($addpass)."\n";
	if(!fwrite($fh,$add)){
		die("<p>Could Not Open Password File");
	}
	fclose($fh);
	echo"<h2>User Added!</h2>";
}

$login=$_POST['login'];
$password=$_POST['password'];
$checkpass=$_POST['checkpass'];
$adduser=$_POST['adduser'];
$addpass=$_POST['addpass'];
$add=$_POST['add'];
$add_form=$_GET['add_form'];
if(isset($checkpass)){
	if(check_pass($login,$password)){
		echo "<h2>Login Success!!</h2>";
	}else{
		echo "<h2>Login Failed</h2>";
		print_login_form($login);
	}
} elseif(isset($add_form)){
	print_add_form();
} elseif(isset($add)){
	add_user($adduser,$add_pass);
} else{
	print_login_form("");
}

?>

<p>You can <a href=authentication.php?add_form=1>Add Users</a> or <a href=authentication.php>login</a> an existing user.
qartis
Forum Contributor
Posts: 271
Joined: Sat Dec 14, 2002 4:43 pm
Location: BC, Canada
Contact:

Post by qartis »

The first hash is the correct one. Do you know what bit of code generated the second md5() (mysql, php)?
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I'm not sure if this is a typo in your post or is in your real code, but

Code: Select all

$addpass=$_POST['addpass'];
...
} elseif(isset($add)){ 
   add_user($adduser,$add_pass);
Note that the function call uses the underscore, thus every password will be empty and then hashed to a non trivial value.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Confirmed, empty string is your problem:

Code: Select all

<?php
echo md5("");
?>
yields

Code: Select all

d41d8cd98f00b204e9800998ecf8427e
which matches your second/"bad" hash.
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

...

Post by kettle_drum »

It works if you change your print_login_form($login) to the following:

Code: Select all

<?php

function print_login_form($login){
   ?>
   <p>Please Login In:
   <form action=authentication.php method=post>
   <p>Login: <input type="text" name="login" value="<?php echo $login; ?>">
   <br>Password: <input type="password" name="password">
   <br><input type="submit" name="checkpass" value="Login!">
   </form>
   <?php
}

?>
I.e. change the value of the Login text box so that PHP echoes the var.
cj2000
Forum Newbie
Posts: 7
Joined: Wed Jul 23, 2003 8:01 am

login form submits a null value i.e. ""

Post by cj2000 »

Thanks guys,

I did a little test and yes...the bad hash is due to a null value.

I also found out that the null value is due to the adduser form. No matter how I try, it still submits a null value.

Please kindly help.

Thanks
cj2000
Forum Newbie
Posts: 7
Joined: Wed Jul 23, 2003 8:01 am

Post by cj2000 »

I have, sort of, solved the problem of a null value being passed when adding a password. What I did was to shift the "$addpass=$_POST['addpass'];" statement from the main into the add_user function. Resulting in the following:

Code: Select all

function add_user($adduser,$addpass){
	global $password_file;
	if(!$fh=fopen($password_file,"a+")){
		die("<p>Could Not Open Password File");
	}
	rewind($fh);
	while(!feof($fh)){
		$line=fgets($fh,4096);
		$user_pass=explode(":",$line);
		if($user_pass[0]==$adduser){
			echo "<h2>Duplicate Login. Invalid!</h2>";
			return 0;
		}
	}
	$addpass=$_POST['addpass'];
	$addpass=md5($addpass);
	$add=$adduser.":".$addpass."\n";
	if(!fwrite($fh,$add)){
		die("<p>Could Not Open Password File");
	}
	fclose($fh);
	echo"<h2>User Added!</h2>";
}
I'm still not sure why it works, but I have a few questions though

(1) Why did it work only when I call the $addpass in the function and not in the main? There is also a similar variable ($adduser) which is called in the main. But $adduser worked perfectly fine but not $addpass.

(2) Since I only called $addpass in the function add_user, does that mean that actually $adduser was not passed into the function when it was called?? (add_user($adduser,$addpass)). If it was not passed, why wasn't an error generated? If it was passed, then what was passed??

erm..I hope you guys understand my questions.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Did you try changing:

Code: Select all

} elseif(isset($add)){ 
   add_user($adduser,$add_pass);
to

Code: Select all

} elseif(isset($add)){ 
   add_user($adduser,$addpass);
That should fix it.
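
The failure diagnosed in this thread, as an added example that is not part of any post: the misspelled variable reaches md5() with no value, so the file stores md5("") for every new user. The sketch below audits a password file for that hash and rejects empty fields before hashing; the function names are hypothetical and the sample lines are constructed in the poster's user:hash format.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// sample lines are constructed in the poster's "user:md5hex" file format.
error_reporting(E_ALL); // report undefined variables such as $add_pass

const EMPTY_MD5 = 'd41d8cd98f00b204e9800998ecf8427e'; // md5(""), as shown in the thread

// Return the logins whose stored hash is the MD5 of the empty string.
function find_empty_password_entries(array $lines): array
{
    $bad = [];
    foreach ($lines as $line) {
        $parts = explode(':', rtrim($line, "\r\n"), 2);
        if (count($parts) === 2 && hash_equals(EMPTY_MD5, strtolower($parts[1]))) {
            $bad[] = $parts[0];
        }
    }
    return $bad;
}

// Fetch a required form field; refuse to continue rather than hash "".
function required_field(array $post, string $name): string
{
    if (!isset($post[$name]) || !is_string($post[$name]) || $post[$name] === '') {
        throw new InvalidArgumentException("missing or empty field: $name");
    }
    return $post[$name];
}

// Constructed sample of pwd.txt: one good entry, one written by the buggy call.
$sample = [
    "lyc:efa664720fac0075674862b40d490830\n",
    "testuser:d41d8cd98f00b204e9800998ecf8427e\n",
];
print_r(find_empty_password_entries($sample));

// Constructed POST data with an empty password: rejected before hashing.
try {
    required_field(['adduser' => 'lyc', 'addpass' => ''], 'addpass');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Any login the audit returns was stored with an empty password and should be reset, since anyone submitting a blank password would match it.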