why hashed password values are different?

scorpioy

I have a sign up page for making the registration. Here is some code inside:

else if($key == "password")
{
$pwd=md5($val);
}
else if($key == "password")
{
$pwd2=md5($val);
}

After checking passwords are the same in two fields, I store the user name and its password to a table in mysql, and I can see it's added in. For example, after one user is registered, the password value is f1c1592588411002af34.

In my login page, when I want to check user name and password, it's not working properly. Again I use md5() to convert the password: $passw = md5($_POST['pwd']); but it seems not given the same value. I did print checking: echo "> $passw <";
Then, the page displays '> f1c1592588411002af340cbaedd6fc33 Login'

The first 20 charactors are the same, but hashed values are much longer in my login page. I don't know where did that 'Login' string come from. Moreover, the charactor '<' did not get displayed.

Could someone explain why it is like this? Did I use md5() or something else wrong?

Thanks.

Mordecai

Hmm... are you using PHP's md5() function or MySQL's MD5()? If the latter, this might be a good document to check out. If the former, however, I'm not really sure.

scorpioy

Sorry, it's my fault. The reason that only first 20 charactors are the same is because I set only 20 bytes long in the password field of the member table, but md5() produces 32-byte long charactors. So that problem is fixed now.

I still don't know where to put md5() means it's PHP's md5() function and where is for the MySQL's md5().

I'm also wondering if I use cookie for storing user name and password, then if the user changes password, where and how should I update the setting in the cookie?

Thanks in advance.

drawmack

This code uses php's md5 function:

$pw_hash = md5($password);
$sql = "INSERT INTO users (username,pswrd) VALUES (\"$username\",\"$pw_hash\")";
mysql_query($sql);

This code uses mysql's md5 function:

$sql  = "INSERT INTO users (username,pswrd) VALUES ";
$sql .= "(\"$username\",md5(\"$password\")";
mysql_query($sql);

Notice that in the first code I hashed the password outside of the query and then inserted the already hashed password, whereas in the second code I placed the call to md5() inside of the query with the plaintext password as the arguement.

Which one you should use depends on many things. First is security. If you send the password to the database server as plaintext and the database server is a physically different machine then the webserver you are sending the password across the network and someone could grab the password and username intransit. However whichever server does the hashing is taking a pretty big hit on performance so it may be better from this standpoint to allow the db server to handle the hashing. It's a trade off really and you're site's probably not important enough to the world at large for security to be a HUGE priority.

lkfaclkhvpjs

gkcuvkbglmozvqchpowpopuwppb, <a href="http://theprofitspy-reviews.net/">Amazon Coupons</a>, mlsnxwgck, Amazon Discount, tUYfsgdpz, http://theprofitspy-reviews.net/ Amazon Discount Coupons, kbXnolivv, <a href="http://thesimplegolfswing-scam.net/">Amazon Gift Card</a>, noQoxLbVL, Amazon Discounts, SdPTCfrZl, http://thesimplegolfswing-scam.net/ Amazon Deals, NIzqDtYsZ, <a href="http://themagicofmakingup-scam.net/">Amazon Coupon</a>, bgCdzDZPO, Amazon Discount Code, BJIrIbpJm, http://themagicofmakingup-scam.net/ Amazon Discount Codes, zgRmnvwvg, <a href="http://thesixfigurecode-reviews.net>Amazon Christmas</a>, zOevSlwbh, Amazon Christmas Presents, BKUnXghkE, http://thesixfigurecode-reviews.net/ Amazon Christmas Deals, YuUwNVUqj, <a href="http://whitehatcopycat2-reviews.net/">Amazon Gifts</a>, pEXWwokhl, Amazon Christmas Ideas, RLUEVFZCz, http://whitehatcopycat2-reviews.net/ Amazon Cheap Deals,XsOsxdyKR, <a href="http://camping-cote-atlantique.com/">Amazon Deal of the Day</a>, DeOniisLU, Amazon Deals of the Day, EflawtDnd, http://camping-cote-atlantique.com/ Amazon Shopping Ideas, CqBOdsBSb.