md5 and authentication dialog box

Anon

A couple weeks ago I tried to improve a user authentication set up, I was storing passwords (un-encrypted) in a column of a MySQL table. I decided to go with md5 and was able to get the password in, from a html form, but could not figure how to use md5 with the authentication dialog box to match the database value.
Any help appreciated.
Jim

aeckhoff

you know the password and you know that it is md5 encrypted in the database and you know that the same word will always give the same md5 encrypted set of data. So you ask the user via password input tag, what's his password, then you encrypt it with md5 and finally you compare it with the md5 encrypted data in the database. if it is the same password, then it fits, if not,...

Anon

simple.
get the username/pass (plaintext) from the login form.

apply the same encryption scheme you use when you first insert the password to the unencrypted password that the user supplies:
e.g $strEncryptedPass = md5($strUserPass)

then add that to your query:
select <fields>
from <table>
where username = '$strUserName'
and password = '$strEncryptedPass'

if you get back a record, login works, otherwise, it failed (wrong user/passwd combo)

hth.
p.

Anon

Cant you just user a MYSQL password(\'$argument\') when you insert the data into the database?

Anon

allren wrote:

Cant you just user a MYSQL password(\'$argument\') when you insert the data into the database?

That's another option, but the original poster used md5 to encrypt the password. so rather than use PASSWORD() on insert, he used MD5() or just did it in php. Bottom line is that the comparision needs to be consistent. if you password() on insert, you need to password() on compare, same w/ md5() or even encrypt().

As an aside, he could even do this (a correction to my last posting)

select <fields>
from <table>
where username = '$strUserName'
and password = md5('$strOrigPass')

instead of doing the md5() in php code..

Anon

What the goal is here is to use the browser supplied authentication dialog box to handle the user name and password on all future visits.
So how do I take the user supplied $PHP_AUTH_PW and convert it to whatever encryption I used in the database?
Your corrected code p_reagan looks about like my last attempt, altho I think I went md5('$PHP_AUTH_PW');
I tried several approaches and none seemed to work.
I can see how to do it with an html form, a logon box, but was thinking this other was more secure.... am I right?

Anon

I dont understand why this does not work, I can input the password in md5() to MySQL and I can authenticate a user with my code as long as there is no md5(), (so I am connecting and everything) I do not seem to be able to take the variable $PHP_AUTH_PW and apply the md5. This is one of the ways I have tried this:
$pass = md5($PHP_AUTH_PW); then of course include the $pass variable in my SQL.
I have tried single quotes... tried it in my SQL...
What am I missing?
Thanks,
Jim

verabug

I'm having the same problem right now. I did a test and it turns out that the original md5'd password is different from the md5'd string I test against when authorizing a user. I did a query to get a certain user information. I echoed the password on file in the database. Say it was something like this:
6b6207cd73e76cc69fb824a22

I know what the original password is, so I encrypted it with md5 and then echoed that.

This would be the result:
6b6207cd73e76cc69fb824a22ded1b4c

It's the original string but with something else appended to it! I don't know why it's doing that; the result should be the exact same string, right?

Anyway, did you ever figure out a way to fix this?

Anon

This topic is dirt old, but I found it...I had the same problem and my problem was the size of the password field. I had it as 12 or something so the max pass could be that, but when you do the md5 encrpytion, it makes it MUCH larger. Make it like 50 or something. That will probably fix your problem.

verabug

Hey,
I know the post was old but I thought I'd give it a try... Too bad this board doesn't have an email notification option.
Anyway, thanks for the tip. That sounds like it might be my problem. I'm going to try it out. Thanks.