MD5 question...

Mr_Mako

Hi...

I've got a real quick question about md5.

I'm working with a database site with user login, and would like to md5 the user's passwords for security.

However, I've run into a strange problem... and it's probably my own ignorance of precisely how the md5 hashes the password.

I wrote a little script (for testing purposes) where I enter a password and submit it to a second page which then displays the hashed password. I was using this so I could put a generic password in it (like "1234" for example) and then copy and paste that into the database for testing against the login.

Well... when I used the script, I get one result. When I tried to login... I'd get denied. I finaly put a line of code into the login script to display the hashed password... and the hash is completely different than the one in the database that I cut and pasted from my test script.

The interesting thing is that in both cases I was using "1234"... but the test script would display one result, while the login script would display a completely different result.

So... I'm confused. Does md5 hash a password completely different every time? I don't see how that would be possible and return password success from databases. And, if it does NOT, why would I be getting to completely different results while using the same password?

weekender

no, md5 will always return the same hash for a given string - although i have heard of versions of mysql with a slightly buggy md5 function that may not be as expected - although you say you copied and pasted.

i trust you are just using the

md5()

function? is your db field a 32 character varchar?

Mr_Mako

Yes, I'm using a 32 character VARCHAR in the database to hold the hash, and my code is like this:

$password = $_POST['password'];

$pass = md5($password);

// Connect to Database //
$connect = @mysql_connect("localhost", "username", "password") or die(mysql_error());
$db = @mysql_select_db($db_name, $connect) or die(mysql_error());

// Create Query //
$sql = "SELECT * FROM $table_name WHERE name = '$user' AND password = '$pass'";
$result = @mysql_query($sql, $connect) or die(mysql_error());

I just tried it again, and the same thing happened.

scoppc

MD5 wont give you different hashes. The hash generated will be the same no matter how many times you refresh your browser (well, given the same string, of course).

phpprogrammer

Dear Frined,

plz increase the size of you database filed make it 80 varchar because when you are creating the md5 of the password it is generating a string length more than 32 characters(you designed the database), so it is omitting the remaining characters

when the user again logins it is checking with the total characters with the 32characters , and giving not a valid user

plz increase the size of the field to 80 or 100

regards
bvsureshbabu

weekender

no point - md5 always creates a 32 character hash

Mr_Mako

Well, I did have it increased to a larger size. That didn't make any difference.

And ya, I had always thought that md5 would never give you a different hash. But in my case, it's doing it... and I can't answer as to why.

I put in the same password, and the test page gives me one result (always the same), and the production logon page gives me a completely different result (always the same).

Now... granted... the test and the logon pages are different pages altogether... they are not running a linked, or included, file to run the hash. The md5 code is written in to each page independently.

Unless something's being added to the logon entry during the hash to make it different than "1234", I have no clue how this is happening... and I can't see anything in my code that would be adding something to the hash to make it different.

swr

Is it possible that you had whitespace before/after one of them? Or a line ending? Could the value have been undefined? If it was not simply "1234", could magic_quotes_gpc have added slashes to one but not the other?

For reference:
The MD5 for 1234 (with no spaces or newlines) is 81dc9bdb52d04dc20036dbd8313ed055.
The MD5 for a zero-length string is d41d8cd98f00b204e9800998ecf8427e.

Do check for the d41d8cd9... one, as that could happen if you mistyped a variable name but don't have error_reporting(E_ALL) set. Better yet, set error_reporting(E_ALL) and check for notices.