PHP + md5 + passwords

Anon

Hi, I've finally managed to convert my mail server over to using a mysql backend, I am trying (using php) to create the frontend to it.. One of my tasks is setting up popboxes. I can create the box, and all that, I just fall over with the passwords.

I have a perl script that works, but I don't want to use perl, in this script it uses:

$pp = $dbh->quote(MD5->hexhash($passwd));

to encrypt the password, I have tried this using the md5 php function, but it always rejects the password.. Can anyone offer me any advice here?

TIA.

Phil

Anon

I've used the following to generate a password:

   $pwd_text = strtolower(trim( $pwd_text ));
   $salt = sprintf( "%04x", time() & 0xffff);
   $pwd_hash = $salt . md5( $pwd_text . $salt );

I lowercase the raw password as entered by the user, feeling that the increased ease of use outweighs the reduction in key space.

What's "salt" you ask? There's a security problem in storing hashed passwords if you just naively store the hash value: if any gains access to the file, they can mount a password attack just by changing their own password and observing its value. If it matches the target's hashed password, they now know what the target's password is, without having to any hard cryptography and without having to even once try logging in as the target. By adding a system-supplied unpredictable value, you make this attack much less likely to succeed.

Then, to test the password, having previously retrieved the user's password
hash into $stored_pwd_hash:

   $salt = substr($stored_pwd_hash,0,4);
   $pwd_hash = $salt . md5( strtolower($user_pwd) . $salt );

   if ( $pwd_hash != $stored_pwd_hash )
      {
      // password not valid

Anon

How do store a hashed password using a query statement?

This doesn't work:
$query="INSERT INTO user (loginid, password) VALUES('$loginid', '%s')", addslashes(md5($pwd));

$result = mysql_query($query);

What's wrong???