php-general Digest 22 Sep 2011 11:55:38 -0000 Issue 7490

Topics (messages 314969 through 314976):

Escaping MySQL passwords necessary when md5 is used?
        314969 by: Dotan Cohen
        314970 by: Daniel Brown
        314971 by: Igor Escobar
        314972 by: Dotan Cohen
        314973 by: Dotan Cohen
        314974 by: Daniel Brown
        314975 by: Dotan Cohen

How can I check for characters in a $_POST[] variable?
        314976 by: Eric

Administrivia:

To subscribe to the digest, e-mail:
        [email protected]

To unsubscribe from the digest, e-mail:
        [email protected]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
I have an application in which the password is stored in the database
as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
entered with:
$password=md5(  md5($_POST['password']).'userSpecificSalt'  );
$query="SELECT id FROM table WHERE password='{$password}'";

Now I'm a bit queasy about not using mysql_real_escape_string() on
that $password variable! Please reassure me or tell me the folly of my
ways. Thanks!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

--- End Message ---
--- Begin Message ---
On Wed, Sep 21, 2011 at 13:53, Dotan Cohen <[email protected]> wrote:
> I have an application in which the password is stored in the database
> as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
> entered with:
> $password=md5(  md5('$_POST['password']').'userSpecificSalt'  );
> $query="SELECT id FROM table WHERE password='{$password}'";
>
> Now I'm a bit queasy about not using mysql_real_escape_string() on
> that $password variable! Please reassure me or tell me the folly of my
> ways. Thanks!

    It never hurts to be overly cautious, but as MD5 hashes are
strictly alphanumeric (using hex characters), you won't have an issue
with injection with the code above.  That is, of course, unless your
version of PHP is rebuilt without MD5 hash support, or some other
oddity that is on the outside edge of possibility.

-- 
</Daniel P. Brown>
Network Infrastructure Manager
http://www.php.net/

--- End Message ---
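The lookup discussed above, as an added example that is not code from the original post or the list. It makes the "hash output is hex-only" observation an explicit check, and binds the hash as a query parameter so interpolation and escaping stop being a question. It assumes PDO with the MySQL driver, a table `users(id, password)` and a placeholder DSN; the salt value and the function names are illustrative.

```php
<?php
// Added example (not from the original post): the thread's password lookup
// with the hash-format check made explicit and a parameterized alternative.
// Assumes PDO with the MySQL driver and a table users(id, password); the
// DSN, credentials and the salt value are placeholders.

declare(strict_types=1);

// Reproduces the scheme from the thread: md5(md5(password) . salt).
function passwordHash(string $password, string $userSpecificSalt): string
{
    return md5(md5($password) . $userSpecificSalt);
}

// md5() returns exactly 32 lowercase hex characters. Anything else means the
// value is not a hash, which is the only way the interpolated query could
// ever receive quote or backslash characters.
function isMd5Hex(string $value): bool
{
    return (bool) preg_match('/\A[0-9a-f]{32}\z/', $value);
}

// Parameterized lookup: the hash is bound as a value, never spliced into the
// SQL text, so mysql_real_escape_string() has nothing to do here.
function findUserIdByPassword(PDO $db, string $submitted, string $salt): ?int
{
    $hash = passwordHash($submitted, $salt);
    if (!isMd5Hex($hash)) {
        throw new RuntimeException('unexpected hash format');
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE password = :hash');
    $stmt->execute([':hash' => $hash]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Demonstration with the kind of input the thread worries about
// (constructed hostile value, not real data).
$attempt = "' OR '1'='1";
$hash = passwordHash($attempt, 'userSpecificSalt');
var_dump($hash, isMd5Hex($hash));   // 32 hex chars, true

// Usage with an assumed DSN and credentials:
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// $id = findUserIdByPassword($db, $_POST['password'] ?? '', 'userSpecificSalt');
```

The `isMd5Hex()` guard is the cheap way to turn the "PHP built without md5 support" edge case from a silent assumption into a hard failure; with `PDO::ATTR_EMULATE_PREPARES` set to false the hash travels to MySQL as a bound parameter rather than as part of the statement text.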
--- Begin Message ---
If you're converting the input data into an MD5 hash, there is no reason to escape it.

Regards,
Igor Escobar
*Software Engineer*
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar <http://www.twitter.com/igorescobar>

On Wed, Sep 21, 2011 at 2:53 PM, Dotan Cohen <[email protected]> wrote:

> I have an application in which the password is stored in the database
> as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
> entered with:
> $password=md5(  md5('$_POST['password']').'userSpecificSalt'  );
> $query="SELECT id FROM table WHERE password='{$password}'";
>
> Now I'm a bit queasy about not using mysql_real_escape_string() on
> that $password variable! Please reassure me or tell me the folly of my
> ways. Thanks!
>
> --
> Dotan Cohen
>
> http://gibberish.co.il
> http://what-is-what.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
On Wed, Sep 21, 2011 at 21:03, Daniel Brown <[email protected]> wrote:
>    It never hurts to be overly cautious, but as MD5 hashes are
> strictly alphanumeric (using hex characters), you won't have an issue
> with injection with the code above.  That is, of course, unless your
> version of PHP is rebuilt without MD5 hash support, or some other
> oddity that is on the outside edge of possibility.
>

The rebuild without md5 is an interesting point. That sounds exactly
like the type of it-will-never-happen-until-it-happens-to-me problems!
Thanks for the heads up.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

--- End Message ---
--- Begin Message ---
Thanks Igor. I will sleep peacefully this night!


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

--- End Message ---
--- Begin Message ---
On Wed, Sep 21, 2011 at 15:32, Dotan Cohen <[email protected]> wrote:
>
> The rebuild without md5 is an interesting point. That sounds exactly
> like the type of it-will-never-happen-until-it-happens-to-me problems!
> Thanks for the heads up.

    I should've specified, though, that then you would simply have the
fatal error message (call to undefined function) pass through, not the
unhashed original text.

-- 
</Daniel P. Brown>
Network Infrastructure Manager
http://www.php.net/

--- End Message ---
--- Begin Message ---
On Wed, Sep 21, 2011 at 22:36, Daniel Brown <[email protected]> wrote:
>    I should've specified, though, that then you would simply have the
> fatal error message (call to undefined function) pass through, not the
> unhashed original text.
>

Yes, that is obvious.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

--- End Message ---
--- Begin Message ---
I have this problem when using PHP because my computer recognizes
the characters "." and ".." as an existing file when I use file_exists. Also
I want to check $_POST["username"] for characters other than A-Z, a-z and 0-9.
If it contains anything other than those, I would like to prompt the user, but
I can't seem to use foreach properly and I don't know how to iterate
through the POST variable with a for loop, while loop or do-while loop.

--- End Message ---
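One way to do the check asked for above, as an added example that is not part of the original post: an anchored regex that accepts only A-Z, a-z and 0-9 (which also rejects "." and "..", the values that were satisfying file_exists), a helper that reports which characters to remove, and a foreach over every posted field. `$_POST` is replaced by a constructed array so the script runs from the command line; the field names are illustrative.

```php
<?php
// Added example (not from the original post): validating a posted field
// against A-Z, a-z, 0-9 and iterating over all posted fields with foreach.
// $_POST is simulated with a constructed array so this runs from the CLI.

declare(strict_types=1);

// True when $value is non-empty and consists only of ASCII letters and digits.
// The anchored regex is used rather than ctype_alnum(), which is locale-dependent.
// "." and ".." fail this check, so they never reach file_exists().
function isAlnumOnly(string $value): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9]+\z/', $value);
}

// Returns the distinct offending characters so the prompt can name them.
function offendingChars(string $value): array
{
    preg_match_all('/[^A-Za-z0-9]/', $value, $m);
    return array_values(array_unique($m[0]));
}

// Iterates over every posted field; returns field => list of bad characters.
function validatePost(array $post): array
{
    $problems = [];
    foreach ($post as $field => $value) {
        if (!is_string($value)) {          // arrays arrive from name="x[]" inputs
            $problems[$field] = ['<non-scalar>'];
            continue;
        }
        if (!isAlnumOnly($value)) {
            $problems[$field] = offendingChars($value);
        }
    }
    return $problems;
}

// Constructed stand-in for $_POST.
$post = [
    'username' => 'al.ice/..',
    'realm'    => 'corp01',
    'tags'     => ['a', 'b'],
];

foreach (validatePost($post) as $field => $chars) {
    printf("%s: please remove %s\n", $field, implode(' ', $chars));
}
// username: please remove . /
// tags: please remove <non-scalar>
```

In a real form handler replace `$post` with `$_POST` and, on an empty result from `validatePost()`, go on to use the value; the username only ever reaches a filesystem or database call after it has passed `isAlnumOnly()`.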