Security for MD5() ?

Posted: Mon Oct 13, 2008 4:41 am
by uyandim
Hi,

I use this code on my web site:
$pass = "mypass";
$encription = md5($pass);

if ($encription == md5($_POST['pass'])) {
    // bla.. bla..
}

Of course I always use a db for passwords, but this web site is small and there isn't any database progress, so I use a login check like this.

But now I think, maybe someone can enter a string into the form and jump past md5? Example:

I enter "$pass" in the password field on the form, like in this code. So I think my code will be like this:
if ( $encription== md5($pass) )

It will be true and it will go, or can it go?

I know I can check the _POST value or use htmlentities. But I used this "if ( $encription== md5($pass) )" code in every project, so I am worried now. I will check all post values for dangerous chars. OK, but I only want to know this: if I do not clean post values, can someone jump past this if rule?

Thank you

Re: Security for MD5() ?

Posted: Mon Oct 13, 2008 5:11 am
by omika
No, it doesn't "jump" it. Did you test it out or just post here before doing anything....

Re: Security for MD5() ?

Posted: Mon Oct 13, 2008 5:43 am
by onion2k
In that context MD5 is a waste of time. You might as well just do..

if ("mypass"==$_POST['pass']) {
  //Stuff
}
It'll achieve the same thing just as securely*.


* In fact, more securely, because there's always a remote possibility of an MD5 hash clashing. The difference isn't worth worrying about but if I don't say it here someone is bound to point it out.

Re: Security for MD5() ?

Posted: Mon Oct 13, 2008 5:57 am
by uyandim
I already tried some string attacks, of course. But my question is: the md5() function needs a string, and I think somebody can try to enter some string into the field to change my code so it jumps past the if rule, like SQL injection.

But I understand this is impossible because the md5 function only accepts a string.

Thanks for your answers.
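
Why typing the literal text "$pass" into the form does not satisfy the check, as an added example that is not part of any post in this thread: request data reaches md5() as a plain string value and is never parsed as PHP. The function names, the constructed sample inputs, the added is_string() guard and the password_hash()/password_verify() variant are assumptions introduced here.

```php
<?php
// Added example; function names and sample inputs are hypothetical.

// The check from the first post, wrapped in a function so it can be called
// with constructed inputs instead of a live $_POST array.
function check_as_posted($submitted): bool
{
    $pass = "mypass";
    $encription = md5($pass);
    // Guard added here: a field sent as pass[]=x arrives as an array,
    // and md5() only accepts a string.
    if (!is_string($submitted)) {
        return false;
    }
    // $submitted is data. Its characters are hashed as-is; a "$pass" inside
    // it is five ordinary characters, not a reference to the variable above.
    return $encription == md5($submitted);
}

// Hardened variant: keep only a salted hash made with password_hash() and
// compare with password_verify(), so the plaintext is not in the source file.
function check_hardened($submitted, string $storedHash): bool
{
    return is_string($submitted) && password_verify($submitted, $storedHash);
}

// Constructed for the demo; in practice the hash is generated once and stored.
$storedHash = password_hash("mypass", PASSWORD_DEFAULT);

// Constructed sample inputs. Single quotes keep '$pass' literal, which is
// exactly how the text arrives from a form.
$samples = [
    'correct password' => 'mypass',
    'literal $pass'    => '$pass',
    'array field'      => ['x'],
];

foreach ($samples as $label => $input) {
    printf(
        "%-18s as_posted=%s hardened=%s\n",
        $label,
        var_export(check_as_posted($input), true),
        var_export(check_hardened($input, $storedHash), true)
    );
}
```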