Security for MD5() ?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


uyandim
Forum Newbie
Posts: 2
Joined: Mon Oct 13, 2008 4:29 am

Security for MD5() ?

Post by uyandim »

Hi,

I use this code on my web site:

<?php
$pass = "mypass";
$encription = md5($pass);

// compare the hash of the stored password with the hash of the submitted one
if ($encription == md5($_POST['pass'])) {
    // bla.. bla..
}

Of course I always use a DB for passwords, but this web site is small and there isn't any database process, so I use a login check like this.

But now I think: can someone enter a string into the form and jump the md5? Example:

I enter in the password field on the form: "$pass", like in this code. So I think my code will become like this:
if ( $encription== md5($pass) )

It will be true and it will go through, or can it go through?

I know I can check the _POST value or use htmlentities. But I have used this "if ( $encription== md5($pass) )" code in every project, so I am worried now. I will check all post values for dangerous chars, ok, but I want to know only this: if I do not clean post values, can someone jump past this if rule?

Thank you
omika
Forum Newbie
Posts: 19
Joined: Sun Oct 12, 2008 2:00 pm
Location: New Zealand

Re: Security for MD5() ?

Post by omika »

No, it doesn't "jump" it. Did you test it out, or just post here before doing anything?
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: Security for MD5() ?

Post by onion2k »

In that context MD5 is a waste of time. You might as well just do:


if ("mypass"==$_POST['pass']) {
  //Stuff
}
It'll achieve the same thing just as securely*.


* In fact, more securely, because there's always a remote possibility of an MD5 hash clashing. The difference isn't worth worrying about but if I don't say it here someone is bound to point it out.
uyandim
Forum Newbie
Posts: 2
Joined: Mon Oct 13, 2008 4:29 am

Re: Security for MD5() ?

Post by uyandim »

I already tried some string attacks, of course. But my question is: the md5() function needs a string, and I think somebody could try to enter some string into the field that changes my code and jumps past the if rule, like SQL injection.

But I understand this is impossible, because the md5 function only accepts a string.

Thanks for your answers.
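The following is an added example, not code from anyone in this thread. It makes the point of the replies concrete: a submitted value such as "$pass" is never evaluated by PHP, it is just five literal characters that get hashed, so the original check cannot be bypassed by typing variable syntax. It also shows what a practitioner would use instead of a bare `md5()` and `==`: `password_hash()`/`password_verify()` for a stored credential, and `hash_equals()` with strict comparison when a fixed secret must be compared directly (the variant onion2k posted). The `$_POST` stand-in, the function names and the stored hash are constructed for the example.

```php
<?php
// Added example for the thread above; none of this is the original poster's code.
// The original check, exactly as the first post describes it: hash a fixed
// password and compare it with the hash of whatever the form submitted.
function original_check(string $submitted): bool
{
    $pass = "mypass";
    $encription = md5($pass);
    // md5() receives the raw bytes of $submitted. A value of '$pass' is not
    // interpolated or evaluated; it is hashed as the literal string "$pass".
    return $encription == md5($submitted);
}

// Hardened replacement (assumed, not the thread's code): store a salted,
// slow hash once and verify the raw submission against it. password_verify()
// compares in constant time, so it also does not leak timing information.
function hardened_check(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

// onion2k's variant (a fixed secret with no hashing at all), tightened with
// hash_equals() for constant-time comparison. Strict string comparison also
// avoids PHP's loose == rule, under which two strings that both look like
// numbers (for example hashes of the form "0e123...") compare numerically.
function direct_secret_check(string $submitted): bool
{
    return hash_equals("mypass", $submitted);
}

// Constructed stand-in for $_POST so the example runs offline.
$fakePost = [
    'literal_variable_syntax' => '$pass',   // the input the first post worried about
    'correct_password'        => 'mypass',
    'wrong_password'          => 'guess',
];

// One-time setup for the hardened path: this would normally be stored,
// not recomputed per request.
$storedHash = password_hash("mypass", PASSWORD_DEFAULT);

foreach ($fakePost as $label => $value) {
    printf(
        "%-24s original=%-5s hardened=%-5s direct=%s\n",
        $label,
        original_check($value) ? 'true' : 'false',
        hardened_check($value, $storedHash) ? 'true' : 'false',
        direct_secret_check($value) ? 'true' : 'false'
    );
}
```

Run it from the command line with `php example.php`. Only the `correct_password` row passes any of the three checks; the `$pass` row fails all of them because the form value is data, never code. The `==` caveat in `direct_secret_check()` is the one substantive weakness in the original snippet worth keeping in mind: since both sides of the comparison in the first post are md5 hex digests, prefer `===` or `hash_equals()` so the comparison is always byte-for-byte.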