[PHP] Escaping MySQL passwords necessary when md5 is used?
I have an application in which the password is stored in the database as md5(md5('passWord').'userSpecificSalt'). I'm checking the password entered with: $password=md5( md5('$_POST['password']').'userSpecificSalt' ); $query=SELECT id FROM table WHERE password='{$password}'; Now I'm a bit queasy about not using mysql_real_escape_string() on that $password variable! Please reassure me or tell me the folly of my ways. Thanks! -- Dotan Cohen http://gibberish.co.il http://what-is-what.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Escaping MySQL passwords necessary when md5 is used?
On Wed, Sep 21, 2011 at 13:53, Dotan Cohen dotanco...@gmail.com wrote: I have an application in which the password is stored in the database as md5(md5('passWord').'userSpecificSalt'). I'm checking the password entered with: $password=md5( md5('$_POST['password']').'userSpecificSalt' ); $query=SELECT id FROM table WHERE password='{$password}'; Now I'm a bit queasy about not using mysql_real_escape_string() on that $password variable! Please reassure me or tell me the folly of my ways. Thanks! It never hurts to be overly cautious, but as MD5 hashes are strictly alphanumeric (using hex characters), you won't have an issue with injection with the code above. That is, of course, unless your version of PHP is rebuilt without MD5 hash support, or some other oddity that is on the outside edge of possibility. -- /Daniel P. Brown Network Infrastructure Manager http://www.php.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Escaping MySQL passwords necessary when md5 is used?
If you're converting the input data in a md5 hash has no reason to scape it. Regards, Igor Escobar *Software Engineer * + http://blog.igorescobar.com + http://www.igorescobar.com + @igorescobar http://www.twitter.com/igorescobar On Wed, Sep 21, 2011 at 2:53 PM, Dotan Cohen dotanco...@gmail.com wrote: I have an application in which the password is stored in the database as md5(md5('passWord').'userSpecificSalt'). I'm checking the password entered with: $password=md5( md5('$_POST['password']').'userSpecificSalt' ); $query=SELECT id FROM table WHERE password='{$password}'; Now I'm a bit queasy about not using mysql_real_escape_string() on that $password variable! Please reassure me or tell me the folly of my ways. Thanks! -- Dotan Cohen http://gibberish.co.il http://what-is-what.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Escaping MySQL passwords necessary when md5 is used?
On Wed, Sep 21, 2011 at 21:03, Daniel Brown danbr...@php.net wrote: It never hurts to be overly cautious, but as MD5 hashes are strictly alphanumeric (using hex characters), you won't have an issue with injection with the code above. That is, of course, unless your version of PHP is rebuilt without MD5 hash support, or some other oddity that is on the outside edge of possibility. The rebuild without md5 is an interesting point. That sounds exactly like the type of it-will-never-happen-until-it-happens-to-me problems! Thanks for the heads up. -- Dotan Cohen http://gibberish.co.il http://what-is-what.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Escaping MySQL passwords necessary when md5 is used?
Thanks Igor. I will sleep peacefully this night! -- Dotan Cohen http://gibberish.co.il http://what-is-what.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Escaping MySQL passwords necessary when md5 is used?
On Wed, Sep 21, 2011 at 15:32, Dotan Cohen dotanco...@gmail.com wrote: The rebuild without md5 is an interesting point. That sounds exactly like the type of it-will-never-happen-until-it-happens-to-me problems! Thanks for the heads up. I should've specified, though, that then you would simply have the fatal error message (call to undefined function) pass through, not the unhashed original text. -- /Daniel P. Brown Network Infrastructure Manager http://www.php.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Escaping MySQL passwords necessary when md5 is used?
On Wed, Sep 21, 2011 at 22:36, Daniel Brown danbr...@php.net wrote: I should've specified, though, that then you would simply have the fatal error message (call to undefined function) pass through, not the unhashed original text. Yes, that is obvious. -- Dotan Cohen http://gibberish.co.il http://what-is-what.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php