Page 1 of 2

md5 encryption

Posted: Tue Oct 07, 2003 9:04 pm
by dmcglone
Hi all, Im trying to learn how to encrypt a password with md5 and I've built a simple form that takes a password in plain text and converts it to md5, but my problem is, if you go back to the form and try and encrypt another word, the md5 doesn't change from the previous password.

If I change echo md5('password') to echo md5('test') then I finally get a new md5 line.

otherwise, the line stays the same no matter what word you type in the password form box.

Posted: Tue Oct 07, 2003 9:32 pm
by Paddy
Not exactly sure what you are trying to do but this may give you some joy if no one else answers.

http://www.php.net/uniqid

Posted: Tue Oct 07, 2003 10:09 pm
by nigma
Yea, I am don't really understand what you mean. But if what you want to do is store a users password's md5 hash and then when a user attempts to login you check the stored password and compare it to the entered password then all you need to do is the following:

Example (Assumes you will be using the method POST in the login form):

Code: Select all

<?php
$enteredPass = $_POST['password'];
// Check to see if input was entered in the password field here
$correctPass = md5('CORRECTPASSHERE');
if (md5($enteredPass) == $correctPass)
{
  echo 'Authenticated.';
}
else
{
  echo 'Not Authenticated.';
}
?>

Posted: Wed Oct 08, 2003 5:26 am
by dmcglone
I didn't know we could paste code, so I'll paste mine here.
the object is to get an md5 and a crypted line for any word entered into the form. the crypt line seems to work correctly and changes every time there's a new word entered into the form. But the md5 password doesn't change anytime after you submit the form for the first time unless the code is changed.

<!--password_creator.php-->
<html>
<head>
<title>Password Creator</title>
</head>
<body>
<form action="generate_passwords.php" method="POST">
<h3>Enter a password to create MD5 and Crypt based passwords.</h3>
Password: <input type="text" name="password">
<input type="submit" name="create" value="Create Passwords!">
</form>
<br><br>
</body>
</html>

<!--generate_passwords.php-->
<?PHP
echo $_POST['password'];
echo "<br /><br />";
echo md5($password);
echo "<br /><br />";
echo crypt('password');
?>

Posted: Wed Oct 08, 2003 5:39 am
by twigletmac
You need to modify your code a bit, there's a few typo's and code errors. Instead of:

Code: Select all

<?PHP
echo $_POST['password'];
echo "<br /><br />";
echo md5($password);
echo "<br /><br />";
echo crypt('password');
?>
try:

Code: Select all

if (!empty($_POST['password'])) {
    $password = $_POST['password'];
    echo 'password = '.$password;
    echo '<br />';
    echo 'md5(password) = '.md5($password);
    echo '<br />';
    echo 'crypt(password) = '.crypt($password);
} else {
    echo 'No password entered.';
}
Mac

Posted: Wed Oct 08, 2003 7:00 am
by evilMind
md5 generates a unique hash for each item that you pass to it; when the contents change so does the hash. So you should always get the same md5 for 'foo' no matter how many times you use md5 on it;

example:

Code: Select all

<?php
for ( $i = 0; $i < 1000; $i++) {
   echo md5( 'foo' ) . "<br />\n";
}
?>
will always be the same.

nigma, if you're not sure what you are going to be using ( eg, post or get ) you can always use $_REQUEST instead.

Posted: Wed Oct 08, 2003 7:34 am
by dmcglone
that worked. Im starting to wonder if I'll ever get the hang of coding with PHP.

Every tutorial I try never works, and I just bought 2 PHP books and 1 PHP 4 XML and NONE of these books even make use of code when register_globals are off.

It seems the coding standard for PHP changes so quick, that writing a book to teach PHP seems sensless anymore, because by the time the book is published, the standard has changed.

Posted: Wed Oct 08, 2003 7:35 am
by Paddy
Using $_REQUEST is as risky as having global variables turned on isn't it?

Posted: Wed Oct 08, 2003 8:30 am
by twigletmac
Paddy wrote:Using $_REQUEST is as risky as having global variables turned on isn't it?
<OT>IMHO, yes as you are still not testing to ensure that data comes from the expected place - cookie, URL querystring, posted form. I prefer to use $_GET or $_POST etc. as I haven't got any forms which could be posted using either POST or GET. I find it also makes my code easier for other developers to follow.</OT>
dmcglone wrote:Every tutorial I try never works, and I just bought 2 PHP books and 1 PHP 4 XML and NONE of these books even make use of code when register_globals are off.

It seems the coding standard for PHP changes so quick, that writing a book to teach PHP seems sensless anymore, because by the time the book is published, the standard has changed.
The change to register_globals off was made about a year and a half ago and TBH books written before then should generally be avoided as should tutorials. However, once you understand register_globals and when, where and how to use $_GET, $_POST, $_COOKIE, $_SESSION, $_SERVER etc, you should find it possible to adapt the tutorial code so that the other concepts that it is trying to teach work.

Books written with code that is compatible with version 4.2 of PHP should still be useful for some time. Although version 5 is in development it will be a while before that is the standard.
dmcglone wrote:Im starting to wonder if I'll ever get the hang of coding with PHP.
Everybody has to start somewhere, stick with it and you should soon find it starts making more sense.

Mac

Posted: Wed Oct 08, 2003 9:04 am
by dmcglone
nigma wrote:Yea, I am don't really understand what you mean. But if what you want to do is store a users password's md5 hash and then when a user attempts to login you check the stored password and compare it to the entered password then all you need to do is the following:

Example (Assumes you will be using the method POST in the login form):

Code: Select all

<?php
$enteredPass = $_POST['password'];
// Check to see if input was entered in the password field here
$correctPass = md5('CORRECTPASSHERE');
if (md5($enteredPass) == $correctPass)
{
  echo 'Authenticated.';
}
else
{
  echo 'Not Authenticated.';
}
?>
This works, but I have to type the password in plain text instead of the md5 encrypted password.

my goal here is to store the password in encrypted code such as $correctPass = md5('a029d0df84eb5549c641e04a9ef389e5
'); which is the md5 encrypted word "mypass", but when doing it this way, and typing "mypass" in the form box, It does not authenticate.

is this possible?

Posted: Wed Oct 08, 2003 9:36 am
by Nay
Are you typing it as:

Code: Select all

md5("mypass");
or something? :lol:. That's how I understood what you said. You'll have to use something like:

Code: Select all

md5($_POST['mypass'])
-Nay

Posted: Wed Oct 08, 2003 9:48 am
by dmcglone
what im trying to say is, everything works fine if and only if I use the password in plain text. For instance

$correctPass = md5('mypass');

this authenticates, because my password is set to "mypass"

Now here is the same thing, except "mypass" is encrypted using md5:

$correctPass = md5('89326269cd0c04ca98e4c3630c541931
');

This does not authenticate when the correct password is used (mypass).

see what im saying?

Posted: Wed Oct 08, 2003 9:54 am
by Nay
You mean when you match it with the password that was already encrypted, you don't get a match and it doesn't authenticate?

-Nay

Posted: Wed Oct 08, 2003 10:02 am
by twigletmac
If you md5 the md5'd value then the two won't match, for example, instead of:

Code: Select all

if (md5('mypass') == md5('89326269cd0c04ca98e4c3630c541931')) {
    echo 'match';
} else {
    echo 'no match';
}
you should have

Code: Select all

if (md5('mypass') == '89326269cd0c04ca98e4c3630c541931') {
    echo 'match';
} else {
    echo 'no match';
}
Mac

Posted: Wed Oct 08, 2003 10:22 am
by evilMind
umm... I try to stay away from it also; $_REQUEST was just for example ;)