
PHP, MySQL, and MD5


ThePsion5


Hi Guys, I'm working on securing user passwords in a MySQL 4 database with a PHP5 frontend. I remember being told in one of my classes (I'm currently a college junior) that the best way would be to hash a salt and the password together and then store the hash in the database instead of the plain MD5 hash. My question is, what is a good method for the server and the database to agree on a salt value to use? I know I could use a predefined variable, but I was wondering if something dynamic might be better (timestamp, current date, something like that). Any ideas? Thanks in advance! -Sean


Ok, I took a look at the article and decided to use a method similar to this one to encrypt the password client-side:

// Assumes a JavaScript md5() implementation is loaded on the page.
function hash_password() {
    // getElementById (lowercase "d"); getElementByID does not exist and throws
    var username = document.getElementById('username');
    var password = document.getElementById('password');
    // "salt" the password with the username before hashing
    var securePass = md5(password.value + username.value);
    // replace the plaintext password in the form field with the hash
    document.getElementById('password').value = securePass;
}

Calling this function on submit should encrypt the password with a salt unique to each user before sending it to the server. But this raises another problem - since the javascript password encryption is client-side, can't a potential attacker instantly gain the salt just by viewing the login page's source code?


Oh, I didn't know that you were going to use client-side scripting (JavaScript); then I guess it's not going to work. Anything you do on the client side can be viewed by the user, so it's better you do it with PHP. There was a discussion in our forum about ways to hide JavaScript code from the client; you may get an idea from it.


The article you mentioned used client-side scripting... I suppose there's no way around that if I want the password encrypted before it even hits the server, lol. It's just a possibility I've been considering. I also like the idea of using a timestamp as a salt and then checking to make sure no more than x seconds have elapsed, but that might be complex as well. Thanks for the help though :) -Sean


That's weird, the article I provided seems to have the code in PHP. How come I don't see any JavaScript? This is the code in that article...

<?php
// ... do some form handling, like validation, filtering, etc
$password = $_POST['password'];

// Generate a random salt
$salt = substr(md5(uniqid(rand(), true)), 0, 5);

// Hash password
$secure_password = md5($salt . md5($password));

// Store salt AND hash in database (the salt is needed again at login)
// ...
?>

<?php
// ... do some form handling, like validation, filtering, etc
$username = $_POST['username'];
$password = $_POST['password'];

// Get user from database (getUser() is the article's placeholder for the query)
$user = getUser($username);

// Compare password: recompute with the stored salt
if ($user->password != md5($user->salt . md5($password))) {
    die('Wrong username or password!');
}

// ... user entered correct password, do something
?>


Hashing is the best way to encrypt the password, as it cannot be reversed. Salt is nothing but a way to make the input for hashing a little different. Say two people give the same password; then it will generate the same hash value, and this gives a chance for attack. But when you add "salt" to the password, the input for hashing will be different, and so the hash output will be different even if the password is the same. This process needs the salt to be stored in the DB for future login verification. MD5 and SHA1 are two of those hashing algorithms, and SHA1 is considered a little more secure. I think hashing alone will do, but if you need higher security then use the salt technique. HTH

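The per-user salt technique described in the posts above (the PHP snippets from the article, and the explanation of why two users with the same password should not end up with the same stored hash), as an added, self-contained example that is not code from the thread or from the article it quotes. It assumes PHP 5.3 or newer for hash(), a users table with username, salt and password-hash columns (a plain array stands in for the MySQL table here), and hypothetical function names make_salt, hash_with_salt, register_user and verify_login. The salt is generated from a real random source where one is available, stored beside the hash, and the comparison at login is done in constant time.

```php
<?php
// Added example, not from the original thread. A PHP array stands in for
// the MySQL users table: $db[username] = array('salt' => ..., 'hash' => ...).

// Random per-user salt. uniqid()/mt_rand() are not cryptographic, so they
// are only the last-resort fallback for old PHP builds.
function make_salt($bytes = 16) {
    if (function_exists('random_bytes')) {                    // PHP 7+
        return bin2hex(random_bytes($bytes));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {     // PHP 5.3+
        return bin2hex(openssl_random_pseudo_bytes($bytes));
    }
    return md5(uniqid(mt_rand(), true));
}

// Hash the salt and password together. sha256 via hash() stands in for
// md5(); a fast hash plus a salt defeats precomputed tables but not a
// per-user brute force, which is why the slow hash below is preferred.
function hash_with_salt($salt, $password) {
    return hash('sha256', $salt . $password);
}

// Registration: store the salt and the hash, never the password itself.
function register_user(array &$db, $username, $password) {
    $salt = make_salt();
    $db[$username] = array(
        'salt' => $salt,
        'hash' => hash_with_salt($salt, $password),
    );
}

// Login: recompute with the stored salt and compare without leaking timing.
function verify_login(array $db, $username, $password) {
    if (!isset($db[$username])) {
        return false;
    }
    $expected = $db[$username]['hash'];
    $actual   = hash_with_salt($db[$username]['salt'], $password);
    if (function_exists('hash_equals')) {                     // PHP 5.6+
        return hash_equals($expected, $actual);
    }
    return $expected === $actual;
}

$users = array();                           // stands in for the users table
register_user($users, 'alice', 'hunter2');  // constructed sample accounts
register_user($users, 'bob',   'hunter2');

// Same password, different salts, so the stored hashes differ.
var_dump($users['alice']['hash'] !== $users['bob']['hash']);
var_dump(verify_login($users, 'alice', 'hunter2'));
var_dump(verify_login($users, 'alice', 'Hunter2'));

// On PHP 5.5+ prefer the built-in slow password hash, which generates and
// stores its own salt inside the returned string.
if (function_exists('password_hash')) {
    $stored = password_hash('hunter2', PASSWORD_DEFAULT);
    var_dump(password_verify('hunter2', $stored));
}
```

The salt does not need to be secret, only unique per user, so it can sit in its own column next to the hash; what the thread's client-side variant loses is not the secrecy of the salt but the fact that the value sent over the wire becomes the password-equivalent, so it must still be hashed again on the server.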
