md5(md5($pass)) not working 8O

Posted: Fri Jan 27, 2006 3:46 pm
by LiveFree
Okay,

For a login form I've made I have double encrypted the pass with md5, but it doesn't work when I log in

This is the registration script when the pass is inserted:

Code:

<?php
session_start();
session_regenerate_id();
include('db.php');

if (isset($_POST['submit'])){

if (isset($_POST['email'])){
  $email=trim($_POST['email']);
}else{
  echo "-Please enter in your email!<br>";
}

if (isset($_POST['pass1'])){
  $pass1=trim($_POST['pass1']);
  $pass1=md5(md5($pass1));
}else{
  echo "-Please enter in your desired password!<br>";
}  

if (isset($_POST['pass2'])){
  $pass2=trim($_POST['pass2']);
}else{
  echo "-You must confirm your password above!<br>";
}

if ($pass1 !== $pass2){
  
  echo "-Your Two Passwords do not match!<br>";
}

if (isset($_POST['real'])){
  $real=trim($_POST['real']);
}else{
  echo "-Please enter in your Real Name!<br>";
}

if (isset($_POST['addr'])){
  $addr=trim($_POST['addr']);
}else{
  echo "-Please enter in your address!<br>";
}

if (isset($_POST['country'])){
  $country=trim($_POST['country']);
}else{
  echo "-Please enter in your country of residence!<br>";
}

if (!isset($_POST['TOSY'])){
  echo "-You did not agree to the Terms of Service!";
  die();
}

if (isset($_POST['phone'])){
  $phone=trim($_POST['phone']);
}else{
  $phone="";
}

if (isset($_POST['state'])){
  $state=trim($_POST['state']);
}else{
  $state="";
}
 
if (isset($_POST['zip'])){
  $zip=trim($_POST['zip']);
}else{
  $zip="";
} 
  
  if ($email && $pass1 && $real && $addr && $country){
    
    $sql="INSERT INTO users (id, email, password, datereg, phone, address, state, country, zip, userlvl, realname) VALUES ('','$email','$pass1',now(),'$phone','$addr','$state','$country','$zip','0','$real')";
    $result=mysql_query($sql);
    
    echo "<b>Thank You For Registering, you may now <a href='login.php'>login</a>";
}
  
}else{
echo "<form method='POST' action='$PHP_SELF'>
<i>* = Required Field,

If you win and the info below is inaccurate, you will not be awarded the money.</i><br>
<br>
<b>Email*:</b><input type='text' name='email'><br>
<b>Password*:</b><input type='text' name='pass1'><br>
<i>Confirm*:</i><input type='text' name='pass2'><br>
<br><b>Contact Info</b><br><br>
<b>Real Name:* (Last, First)</b><input type='text' name='real'><br>
<b>Phone:</b><input type='text' name='phone'><br>
<b>Address:*</b><input type='text' name='addr'><br>
<b>State:</b><input type='text' name='state'><br>
<b>ZIP Code:</b><input type='text' name='zip'><br>
<b>Country:*</b><input type='text' name='country'><br>
<br>
<textarea readonly>
1. The first person who guesses the number correct will win
2. I have the right to suspend accounts under suspicion of hacking / duplicate accounts.
3. You may NOT create more then one account for your self
4. If any details match another account holder, i will be informed and have the right to suspend accounts.
5. you must not try in anyway to beat the system to gain an unfair advantage of the other users.
</textarea><br>
<b>Do you Agree with the Terms of Service?*</b><br>
<i>Yes:</i><input type='radio' name='TOSY'><br>
<i>No:</i><input type='radio' name='TOSN'><br>
<input type='submit' name='submit' value='Submit'>
</form>";
}
?>
And this is the login page

Code:

<?php
session_start();
session_regenerate_id();
require('db.php');

if (isset($_POST['login_submit'])){
  
  if (!empty($_POST['email'])){
    
    $email=trim($_POST['email']);
}else{
  echo "-Please enter in your Email!<br><br>";
  make_login();
}

if (isset($_POST['pass'])){
  $pass=$_POST['pass'];
  $pass=md5(md5($pass));
}else{
  echo "-Please enter in your pass!<br><br>";
    make_login();
}

if ($email && $pass){
  $sql="SELECT * FROM users WHERE password=SHA('$pass') AND email='$email' LIMIT 1";
  $result=mysql_query($sql);
  if (mysql_num_rows($result) == '1'){
$row=mysql_fetch_array($result);
$_SESSION['id']=$row['id'];
$_SESSION['loggedin']="TRUE";
    header("Location: game.php");
}else{
  echo "-The email and password pair you provided are incorrect!<br><br>";
    make_login();
}
}
}else{
  
 make_login();
}

function make_login() {
   echo "<form method='POST' action='$PHP_SELF'>
<b>Email:</b><input type='text' name='email'><br>
<b>Password:</b><input type='password' name='pass'><br>
<input type='submit' name='login_submit' value='Login'></form>";															  
echo "<br><br><a href='registar.php'>Register with Us!</a>";
}
?>
It works fine if I don't encrypt the pass

Thanks, Tucker

Posted: Fri Jan 27, 2006 3:51 pm
by feyd
You're selecting from the database for an SHA hash.

FYI, double md5() reduces your security. A single md5() is perfectly fine.

Posted: Fri Jan 27, 2006 3:59 pm
by raghavan20
During registration, you are doing md5(md5($pass1)) but during login you are only doing sha(md5(md5($pass)))

Posted: Fri Jan 27, 2006 4:30 pm
by LiveFree
Updated Code:

Code:

<?php
session_start();
session_regenerate_id();
include('db.php');

if (isset($_POST['submit'])){

if (isset($_POST['email'])){
  $email=trim($_POST['email']);
}else{
  echo "-Please enter in your email!<br>";
}

if (isset($_POST['pass1'])){
  $pass1=trim($_POST['pass1']);
  $pass1=md5($pass1);
}else{
  echo "-Please enter in your desired password!<br>";
}  

if (isset($_POST['pass2'])){
  $pass2=trim($_POST['pass2']);
}else{
  echo "-You must confirm your password above!<br>";
}

if ($pass1 != $pass2){
  
  echo "-Your Two Passwords do not match!<br>";
}

if (isset($_POST['real'])){
  $real=trim($_POST['real']);
}else{
  echo "-Please enter in your Real Name!<br>";
}

if (isset($_POST['addr'])){
  $addr=trim($_POST['addr']);
}else{
  echo "-Please enter in your address!<br>";
}

if (isset($_POST['country'])){
  $country=trim($_POST['country']);
}else{
  echo "-Please enter in your country of residence!<br>";
}

if (!isset($_POST['TOSY'])){
  echo "-You did not agree to the Terms of Service!";
  die();
}

if (isset($_POST['phone'])){
  $phone=trim($_POST['phone']);
}else{
  $phone="";
}

if (isset($_POST['state'])){
  $state=trim($_POST['state']);
}else{
  $state="";
}
 
if (isset($_POST['zip'])){
  $zip=trim($_POST['zip']);
}else{
  $zip="";
} 
  
  if ($email && $pass1 && $real && $addr && $country){
    
    $sql="INSERT INTO users (id, email, password, datereg, phone, address, state, country, zip, userlvl, realname) VALUES ('','$email','$pass1',now(),'$phone','$addr','$state','$country','$zip','0','$real')";
    $result=mysql_query($sql);
    
    echo "<b>Thank You For Registering, you may now <a href='login.php'>login</a>";
}
  
}else{
echo "<form method='POST' action='$PHP_SELF'>
<i>* = Required Field,

If you win and the info below is inaccurate, you will not be awarded the money.</i><br>
<br>
<b>Email*:</b><input type='text' name='email'><br>
<b>Password*:</b><input type='text' name='pass1'><br>
<i>Confirm*:</i><input type='text' name='pass2'><br>
<br><b>Contact Info</b><br><br>
<b>Real Name:* (Last, First)</b><input type='text' name='real'><br>
<b>Phone:</b><input type='text' name='phone'><br>
<b>Address:*</b><input type='text' name='addr'><br>
<b>State:</b><input type='text' name='state'><br>
<b>ZIP Code:</b><input type='text' name='zip'><br>
<b>Country:*</b><input type='text' name='country'><br>
<br>
<textarea readonly>
1. The first person who guesses the number correct will win
2. I have the right to suspend accounts under suspicion of hacking / duplicate accounts.
3. You may NOT create more then one account for your self
4. If any details match another account holder, i will be informed and have the right to suspend accounts.
5. you must not try in anyway to beat the system to gain an unfair advantage of the other users.
</textarea><br>
<b>Do you Agree with the Terms of Service?*</b><br>
<i>Yes:</i><input type='radio' name='TOSY'><br>
<i>No:</i><input type='radio' name='TOSN'><br>
<input type='submit' name='submit' value='Submit'>
</form>";
}
?>

Code:

<?php
session_start();
session_regenerate_id();
require('db.php');

if (isset($_POST['login_submit'])){
  
  if (!empty($_POST['email'])){
    
    $email=trim($_POST['email']);
}else{
  echo "-Please enter in your Email!<br><br>";
  make_login();
}

if (isset($_POST['pass'])){
  $pass=$_POST['pass'];
  $pass=md5($pass);
}else{
  echo "-Please enter in your pass!<br><br>";
    make_login();
}

if ($email && $pass){
  $sql="SELECT * FROM users WHERE password='$pass' AND email='$email' LIMIT 1";
  $result=mysql_query($sql);
  if (mysql_num_rows($result) == '1'){
$row=mysql_fetch_array($result);
$_SESSION['id']=$row['id'];
$_SESSION['loggedin']="TRUE";
    header("Location: game.php");
}else{
  echo "-The email and password pair you provided are incorrect!<br><br>";
    make_login();
}
}
}else{
  
 make_login();
}

function make_login() {
   echo "<form method='POST' action='$PHP_SELF'>
<b>Email:</b><input type='text' name='email'><br>
<b>Password:</b><input type='password' name='pass'><br>
<input type='submit' name='login_submit' value='Login'></form>";															  
echo "<br><br><a href='registar.php'>Register with Us!</a>";
}
?>
Still no worky...

http://www.aa-25thID.com/secure/

Reg and Try it out

Posted: Fri Jan 27, 2006 6:05 pm
by raghavan20

Code:

$sql="SELECT * FROM users WHERE password='$pass' AND email='$email' LIMIT 1"; 
  $result=mysql_query($sql); 
  if (mysql_num_rows($result) == '1'){
Everything seems to be alright... just a few suggestions...
Use select unique_user_id from users where password = '$pass' and email = '$mail'

Do not check for mysql_num_rows($result) == '1'; you are checking for a string value. Instead compare with the integer value one: mysql_num_rows($result) == 1

Posted: Fri Jan 27, 2006 6:26 pm
by LiveFree
Nope :(

Didn't work ...

I just changed this bit..

Code:

$sql="SELECT id FROM users WHERE password='$pass' AND email='$email'";
  $result=mysql_query($sql);
$row=mysql_fetch_array($result);
  if ($email == $row['email'] && $pass == $row['password']){
Hmmm

Posted: Fri Jan 27, 2006 6:39 pm
by raghavan20

Code:

$query = "select id, password from users where email = '$email'";
if ($result = mysql_query($query)){
	if (mysql_num_rows($result) > 0){
		if ($pass == mysql_result($result, 0, "password")){
			echo "login valid";
		}
	}
}

Posted: Fri Jan 27, 2006 6:57 pm
by LiveFree

Code:

Parse error: syntax error, unexpected $end in /home/recon/public_html/secure/login.php on line 44

Code:

<?php
session_start();
session_regenerate_id();
require('db.php');

if (isset($_POST['login_submit'])){
  
  if (!empty($_POST['email'])){
    
    $email=trim($_POST['email']);
}else{
  echo "-Please enter in your Email!<br><br>";
    make_login();			  
}

if (isset($_POST['pass'])){
  $pass=$_POST['pass'];
  $pass=md5($pass);
}else{
  echo "-Please enter in your pass!<br><br>";
      make_login();
	  }

if ($email && $pass){
$query = "select id, password from users where email = '$email'";
if ($result = mysql_query($query)){
    if (mysql_num_rows($result) > 0){
        if ($pass == mysql_result($result, 0, "password")){
            echo "login valid";
        }
    }
} 
}else{
  make_login();			  
}

function make_login() {
    echo "<form method='POST' action='$PHP_SELF'>
<b>Email:</b><input type='text' name='email'><br>
<b>Password:</b><input type='password' name='pass'><br>
<input type='submit' name='login_submit' value='Login'></form>";															  
echo "<br><br><a href='registar.php'>Register with Us!</a>";
}			  
?>
Thanks for your help BTW!

Posted: Fri Jan 27, 2006 7:39 pm
by hawleyjr
I didn't find your error, however, you really need to validate that email address before you search on it :roll:

Posted: Sat Jan 28, 2006 6:33 pm
by duk

Code:

<?php
session_start();
session_regenerate_id();
require('db.php');

if (isset($_POST['login_submit'])){
  
  if (!empty($_POST['email'])){
    
    $email=trim($_POST['email']);
}else{
  echo "-Please enter in your Email!<br><br>";
    make_login();			  
}

if (isset($_POST['pass'])){
  $pass=$_POST['pass'];
  $pass=md5($pass);
}else{
  echo "-Please enter in your pass!<br><br>";
      make_login();
	  }

if ($email && $pass){
$query = "select id, password from users where email = '$email'";
if ($result = mysql_query($query)){
    if (mysql_num_rows($result) > 0){
        if ($pass == mysql_result($result, 0, "password")){
            echo "login valid";
        }
    }
} 
}else{
  make_login();			  
}

} // the first if didn't have a closing brace

function make_login() {
    echo "<form method='POST' action='$PHP_SELF'>
<b>Email:</b><input type='text' name='email'><br>
<b>Password:</b><input type='password' name='pass'><br>
<input type='submit' name='login_submit' value='Login'></form>";
echo "<br><br><a href='registar.php'>Register with Us!</a>";
}

?>

I just don't understand why double encrypt??? When the encryption is the same... it is the same as 3*3 = 9; and let's double encrypt, 3 * 9 = 27; let's imagine you have encrypted 3 and then you have encrypted 9... it is just an example. Anyway, for me there is no sense, but maybe it is a good point of discussion here...

Posted: Sat Jan 28, 2006 7:22 pm
by josh
I answered this on another forum, here is my explanation.. just to put this into context the thread I posted this into was regarding the security of md5 and one of the posters was arguing it didn't matter if he md5(sha1())'d something..
Hashes / checksums cannot be cracked

Let's assume some black hat hacker grabs the md5 of your password, he has to try every string possible and verify the md5 of each string against the md5 of your password, since md5 is fixed size there are theoretically and even proven collisions where two completely separate strings yield the same md5, now we look at sha1... a larger hash so it has fewer collisions, that is there are fewer strings that can produce the same sha1 hash. Same with sha256, even harder to find collisions, if even possible as of today. Now let's say I have the md5 of the sha1 of your password, you have taken the odds of finding a collision with sha1, let's say 1 in X, then you md5'd it, let's say the odds of two strings having the same md5 hash is 1 in Y. Since you hashed the hash the odds of a collision are now 1 in (X/Y). Assumptions of unlikeliness of an attack are made in the same mindset of "I don't drive much so I am less likely to get into a car crash so I don't have to wear my seatbelt". This is not the frame of mind one should take when developing secure applications. You have basically taken an extra step to making the brute-forcer's job easier. The thread is talking about the security of md5 in itself, and your function is less secure than just md5'ing the string and leaving it at that.

Posted: Sat Jan 28, 2006 8:51 pm
by LiveFree
I fixed it guys .... it turns out my password DB field was at VARCHAR(24) :D

Thanks for all the help!
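
The root cause reported in the last post, reproduced as an added example that is not part of the original thread: a 32-character md5() hex digest stored in a VARCHAR(24) column can never match at login. `store_in_varchar()` is a hypothetical stand-in for a non-strict MySQL column (no database is used) and the password is a constructed sample; the second half applies the same width check to PHP's `password_hash()` API, which the thread does not use.

```php
<?php
// Added example: simulates a non-strict MySQL VARCHAR(n) column, which
// silently truncates longer values on INSERT. No database is needed.
function store_in_varchar(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// True when the stored value still equals a freshly computed hash.
function login_matches(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

$password = 'correct horse battery staple'; // constructed sample input

// 1. The thread's scheme: md5() always returns 32 hex characters.
$md5      = md5($password);
$stored24 = store_in_varchar($md5, 24); // the VARCHAR(24) column from the thread
$stored32 = store_in_varchar($md5, 32); // a column wide enough for md5

printf("md5 length: %d, stored length: %d\n", strlen($md5), strlen($stored24));
printf("VARCHAR(24) login matches: %s\n", var_export(login_matches($stored24, $md5), true));
printf("VARCHAR(32) login matches: %s\n", var_export(login_matches($stored32, $md5), true));

// 2. Salted, slow hash from PHP's password API (bcrypt output is 60 chars).
//    A truncated hash fails verification, so the column must hold it whole.
$hash = password_hash($password, PASSWORD_BCRYPT);
foreach ([24, 60, 255] as $width) {
    $stored = store_in_varchar($hash, $width);
    printf(
        "bcrypt in VARCHAR(%d): stored %d of %d chars, verify=%s\n",
        $width,
        strlen($stored),
        strlen($hash),
        var_export(password_verify($password, $stored), true)
    );
}
```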