MD5 Password Encryption ..

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

User avatar
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

MD5 Password Encryption ..

Post by pavanpuligandla »

Hii...
i've encrypted my password and inserted it into the database table, but when i tries to retrieve it i'm getting login failure..i'm herewith posting my source code..kindly go thru this and do the needful..
the passwords inserted are being successfull md5 encrypted but when i'm matching the entered password in the form with the original md5 password in database,i'm unable to login..

Code: Select all

 
<?php
 
 //Connect to mysql server
    $link=mysql_connect("localhost","root","");
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }
    //Select database
    $db=mysql_select_db("trrcollege");
    if(!$db) {
        die("Unable to select database");
    }
 
//Sanitize the value received from login field
    //to prevent SQL Injection
    if(!get_magic_quotes_gpc()) {
        $username=mysql_real_escape_string($_POST['username']);
    }else {
        $username=$_POST['username'];
    }
 
 
$username = $_POST["username"];
$password = md5($_POST["password"]);
 
//Create query
    $query="SELECT * FROM login WHERE username='" . mysql_real_escape_string($username) . "' AND password='".md5($_POST['password'])."'";
    
    //require_once('attempt.log.class.php'); 
    $result=mysql_query($query);
    $rows2=mysql_fetch_array($result);
    if($rows2["password"] == $password && $rows2["username"] == $username )
        {
        if(mysql_num_rows($result)>0) 
            {
            //Login Successful
            session_start();
                $start=time();
                        $_SESSION['time_start']=$start; 
            $_SESSION['username']=$username;
            $_SESSION['password']=$password;
            $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
            session_register('username');
            session_register('password');
            session_register('time_start');
            session_regenerate_id();
            session_write_close();
            include "session.php";
            include "scsession.php";
            include("class_session.inc.php");
                header("Location: redirect.php");
            exit();
            }
    
        else {
            //Login failed
            require_once('attempt.log.class.php');
                        session_unset();
            session_destroy();
                header("location: loginfail.htm");
            exit();
             }
        }
else{
require_once('attempt.log.class.php');
session_unset();
session_destroy();
header("location: loginfail.htm");
    }
 
?>
kindly do the needful..awaiting for ur reply guys..
User avatar
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: MD5 Password Encryption ..

Post by jaoudestudios »

MD5 is not a secure encryption method!!! It might have been 15 years ago.

Dont know why you have this ...

Code: Select all

if($rows2["password"] == $password && $rows2["username"] == $username )
As no results will return if the above condition is not satisfied as you have it in your SQL query.

Why do you do mysql_real_escape_string on the $username twice? There is no need, the second time you have used it in the mysql query is sufficient.

Try using trim on $username & $password and when you register too. As your data in your database might have spaces at the beginning or end and this could cause a problem.
User avatar
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Re: MD5 Password Encryption ..

Post by pavanpuligandla »

Hiii..
That line is to match the entered password with that of password field of table..(if i omit tht condition then i'm getting error i mean the second else is getting executed even though i enter rite credentials.)
and no there are no spaces i'm sure..
User avatar
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Re: MD5 Password Encryption ..

Post by pavanpuligandla »

hii..
can anyone suggest me the new way of protecting my passwords..
i'll be thankful if any one can provide me any working script for those methods ..
Many Thanks,
Pavan.P
User avatar
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: MD5 Password Encryption ..

Post by jaoudestudios »

Take a look at this for encryption, it is suitable for passwords but not for credit cards.
http://www.forum.jaoudestudios.com/view ... ?f=13&t=14
User avatar
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: MD5 Password Encryption ..

Post by arjan.top »

@pavanpuligandla:
look at this: viewtopic.php?f=34&t=62782&start=0
jaoudestudios wrote:Take a look at this for encryption, it is suitable for passwords but not for credit cards.
http://www.forum.jaoudestudios.com/view ... ?f=13&t=14
that's totally wrong
User avatar
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: MD5 Password Encryption ..

Post by jaoudestudios »

It is an old method and using ECB, but simple for beginners.

I will read the link you have provided.
Thanks
User avatar
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: MD5 Password Encryption ..

Post by jaoudestudios »

Great article!

Goes into a lot of detail on encryption.

Thanks :)
User avatar
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Re: MD5 Password Encryption ..

Post by pavanpuligandla »

thnx for ur reply boss..
can you provide me any working code for that..i'm trying of my own using hash functions..
many thnx,
pavan.p
User avatar
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Re: MD5 Password Encryption ..

Post by arjan.top »

jaoudestudios wrote:It is an old method and using ECB, but simple for beginners.

I will read the link you have provided.
Thanks
two-way encryption for passwords is wrong
User avatar
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: MD5 Password Encryption ..

Post by jaoudestudios »

Yes good point!
User avatar
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Re: MD5 Password Encryption ..

Post by pavanpuligandla »

@ arjan.top,
can u post the source for encrypting passwords..
many thnx,
pavan.p
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: MD5 Password Encryption ..

Post by Mordred »

1. Post the registration code, maybe you're not MD5-ing it the same way? Read the article already linked for details on hashing and salting. Print the values from the database and the ones coming from the form, so you can compare them "visually"

2. SQL injection on $_POST['password']
User avatar
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Re: MD5 Password Encryption ..

Post by pavanpuligandla »

@ mordred.

Username Password Insertion to the table:

Code: Select all

<?PHP
  
//Connect to mysql server
    $link=mysql_connect("localhost","root","");
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }
    //Select database
    $db=mysql_select_db("tge");
    if(!$db) {
        die("Unable to select database");
    }
    
    $username = $_POST["username"];
    $password = $_POST['password'];
     $encrypt = sha1($password);
  
    
    
    $sql = "INSERT INTO login (username, password) VALUES ('".$username."', '".$encrypt."')";
    mysql_query($sql)or die(mysql_error());
    echo $sql;
    ?>
     
here i'm using sha1,, and while i try to retrieve it during login,, i'm getting error.. below is my logincheck.php code..

Code: Select all

<?php
 
 //Connect to mysql server
    $link=mysql_connect("localhost","root","");
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }
    //Select database
    $db=mysql_select_db("tge");
    if(!$db) {
        die("Unable to select database");
    }
 
 
$username = $_POST["username"];
$password = $_POST['password'];
$encrypt = sha1($password);
 
$query="SELECT * FROM login WHERE username='" . mysql_real_escape_string($username) . "' AND password='".   mysql_real_escape_string ($encrypt). "'";
    
    //require_once('attempt.log.class.php'); 
    $result=mysql_query($query);
    $rows2=mysql_fetch_array($result);
    if($rows2["password"] == $encrypt && $rows2["username"] == $username )
        {
        if(mysql_num_rows($result)>0) 
            {
            //Login Successful
            session_start();
                $start=time();
                       $_SESSION['time_start']=$start; 
            $_SESSION['username']=$username;
            $_SESSION['password']=$encrypt;
            $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
            session_register('username');
            session_register('password');
            session_register('time_start');
            session_regenerate_id();
            session_write_close();
            include "session.php";
            include "scsession.php";
            include("class_session.inc.php");
                header("Location: redirect.php");
            exit();
            }
    
        else {
            //Login failed
            require_once('attempt.log.class.php');
                        session_unset();
            session_destroy();
                header("location: loginfail.htm");
            exit();
             }
        }
else{
require_once('attempt.log.class.php');
session_unset();
session_destroy();
header("location: loginfail.htm");
    }
 
?>
please help me out boss..
many thnx,
pavan.p
User avatar
pavanpuligandla
Forum Contributor
Posts: 130
Joined: Thu Feb 07, 2008 8:25 am
Location: Hyderabad, India

Re: MD5 Password Encryption ..

Post by pavanpuligandla »

hii mordred,
i've printed the password...actually in my database i set password field's size 15, but after sha1 'ing the password, my table is storing only 15 characters out of 40..so i'm getting mismatch of passwords and now i changed my password field to 40 i'm not getting any errors..
but why is it creating 40 char length string only??
any how thnx mordred for ur valuable suggestions..awaiting for ur reply of my query.

string stored in table : 8f283033e9f9f92 (15)
string printed : 8f283033e9f9f92e5d84f48263e1d344fdd4339e (40)
Post Reply