checking a md5 password?

Dakkar

I tried to write a php script for checking if the entered password is true in md5 form so i wrote something like this but it didnt work

$md = md5($pass);
$query = mysql_query("select acct_username from pvp.bnet where acct_username='$u_name' and acct_passhash1='$md'");
$num_row = mysql_num_rows($query);

if ($num_row > 0) {
...................
.................

how should i fix that?

jonno946

why doesnt it work?

what you've put looks ok to me?

Dakkar

I dont know too but it isnt working

Dakkar

when i make $md = md5($pass) its giving a different value from the password in database(a.k.a md5 policy) so
the password in the database and $md cannot be equal to each other there must be another way to make this work(maybe another function)
does anyone know anythin about that?

Weedpacket

How are you hashing the password for insertion into the database? If you're using MySQL's MD5() function then you may be running into one of MySQL's many wacky and non-standard conventions about handling string fields - so that PHP and MySQL end up hashing different strings. The solution here is to be consistent and use MySQL's or PHP's - one or the other (I'd prefer PHP).

If the above is not the case, then it would appear that $pass does not contain the value it should. Have you looked to see what it does contain, and is it correct?

Dakkar

I'm using php's md5 function but it still doesnt work and i think its because everytime md5 function provides different results for same value but I'm not so sure.
So here is my hole script

<?
include("config.php");

$md = md5($pass);
$query = mysql_query("select acct_username from pvp.bnet where acct_username='$u_name' and acct_passhash1='$md'");
$num_row = mysql_num_rows($query);


$sorgu = mysql_query("select id from pvp.scclan where clanname='$clan'");
$sorgu_sayi = mysql_num_rows($sorgu);

$yeninick = "$clan$u_name";

if ($num_row > 0 && $sorgu_sayi == 0) {
	mysql_query("insert into pvp.bnet set acct_username='$yeninick',clan='$clan'");
	mysql_query("insert into pvp.scclan set clanname='$clan' baskan='$u_name'");
	echo "$clan clan inserted to database<br>";
}
else {
	echo "Password is wrong or there is already a clan named $clan<br>";
}


?>

Weedpacket

Originally posted by Dakkar
I'm using php's md5 function but it still doesnt work and i think its because everytime md5 function provides different results for same value but I'm not so sure.

While it's possible you've got a broken PHP build with a buggy implementation of MD5, if it's returning different hashes is more likely to be because you're passing it different strings. Like I said, have you checked them?

laserlight

Read section "A.5 Test suite" of [url=ftp://ftp.rfc-editor.org/in-notes/rfc1321.txt]RFC 1321: The MD5 Message-Digest Algorithm[/url], and test out for the sample results to see if your own matches those given.

Installer

You may have white space in "$pass", especially if it's from a post or get variable. Try using "trim()" on it.

Dakkar

Originally posted by laserlight
Read section "A.5 Test suite" of [url=ftp://ftp.rfc-editor.org/in-notes/rfc1321.txt]RFC 1321: The MD5 Message-Digest Algorithm[/url], and test out for the sample results to see if your own matches those given.

In this example it says abc=900150983cd24fb0d6963f7d28e17f72

but in my server it equals to
c0dbd868267501af97e119f4ffaef643

and im using php 4.3.10

what can be the problem?

Cam_Turn

I've got a better idea: ditch the md5 function altogether and usecrypt.

An example:

<?php
$password = "somepassword";
$passwordThatSomeoneEntered = "somepassword";

$password = crypt($password);
if(crypt($passwordThatSomeoneEntered, $password) == $password)
{
// do something if the passwords match
}
else
{
// do something if the passwords don't match
};
?>

And here's another function that I found on the PHP.net comments board (apparently it's simple but effective as long as the password stays hidden):

<?php

?>

Sorry, I can't find it just now (it was there yesterday!)

Weedpacket

Originally posted by Cam.Turn
I've got a better idea: ditch the md5 function altogether and usecrypt.

No point suggesting that if the variable is getting corrupted (which is what looks to be the case).

Weedpacket

Originally posted by Dakkar
In this example it says abc=900150983cd24fb0d6963f7d28e17f72

but in my server it equals to
c0dbd868267501af97e119f4ffaef643

and im using php 4.3.10

what can be the problem?

And what is it before you use MD5? md5('abc') returns the RFC1321 value (as it should). So what are you passing it?

echo $pass;
$md = md5($pass);