Encoding and decoding md5 hashes to mySQL user table

stylez

I am trying to create a workorder database for my work and I'm currently starting on the admin portion of the system. I plan to have an include file that has the localhost,user,pass encoded with md5 hash and have the calling program use that to connect to the database. Once successful, on the web form I will be able to add users with default passwords and encrypt both login/pass with md5 has. I wanted to know whats the best way to have the program actually accept the md5 hah versus generic string as the follwing:

$db = array(
'hostname' => 'localhost',
'username' => 'testuser',
'password' => 'blahblah',
'database' => 'mydata',
);

To something like :

$db = array(
'hostname' => 'md5 hash',
'username' => 'md5 hash',
'password' => 'md5 hash',
'database' => 'md5 hash',
);

I've worked with mySQL just recently so I have good feel for it. Same with php. If anyone would have suggestions on good security along with sample code I can play with that would be very helpful. Thank you very much for your time.

bradgrafelman

In other words, you'd like the encode the configuration data in your PHP script so that prying eyes with notepad/pico can't take a peek at your DB info?

I myself have pondered this question before. I never did find a way to go about it. I don't even know if it's possible. First of all, you can't encode EVERYTHING; how would the MySQL know what your username is? Use md5() on every username in the privilege table to find one that matches your hash?

That wouldn't work, because first PHP would have to break your MD5 hash to even find out the hostname to connect to. While this may be possible using some algorithm, I'm sure it would take any number of days/weeks/months/years just to decode one hash depending on length.

Now, in theory you could encode just the password, and tell the MySQL server to compare the password for 'username' without calculating the MD5 hash of the given password (since you've already given it a hash). How exactly you would do this, I'm not sure.

Like I said, I don't even know if this is possible.

stylez

Yea, I just wanted to be as secure as possible. I wasn't sure how this could be done either, but originally I was just going to have connect.php in another directory that only the webserv has access to and not the public. Is this the best method to keep the system secure? Also if you have users that are added to the db, I believe mySQL uses md5 as their hash algo. Do I need any special function to compare the hash ? Or would I include the hash as a string 'md5has' ? Thanks.

bradgrafelman

Your method of hiding the script would be the best, yes.

And no, you just pass the normal password to the MySQL server and it compares it internally.