[PHP-DB] Rand() Emulation
I'm trying to figure out a way to emulate mysql's RAND() function to be cross database compatible via php. Has anyone done anything similar to this??? Thanks

-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] Re: Image upload get file dimensions
Or use getimagesize()

-- Cristian MARIN - Developer InterAKT Online (www.interakt.ro) Tel: +4021 312.53.12 Tel/Fax: +4021 312.51.91 [EMAIL PROTECTED]

Chris Payne [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi there everyone,
> In short, I use the following to upload an image to the server: $max_size = 40; if (is_uploaded_file($userfile)) { all works great, but what I want to do is store the file details in my MySQL DB, how can I easily find out the image width and height etc from the uploaded image so that I can store this information in the DB?
> Thanks for your help everyone :-)
> Chris
Re: [PHP-DB] Rand() Emulation
> I'm trying to figure out a way to emulate mysql's RAND() function to be cross database compatible via php. Has anyone done anything similar to this???

How about PHP's rand() function? http://us2.php.net/manual/en/function.rand.php

Edward Dudlik
Becoming Digital
www.becomingdigital.com
Did I help you? Want to show your thanks? www.amazon.com/o/registry/EGDXEBBWTYUU

- Original Message -
From: Gerard Samuel [EMAIL PROTECTED]
To: PHP-DB [EMAIL PROTECTED]
Sent: Tuesday, 24 June, 2003 02:56
Subject: [PHP-DB] Rand() Emulation
[PHP-DB] Re: Image upload get file dimensions
This was the first post and then followed by the second. Sorry about the inconvenience. This question is more or less a db question. Whatever. Use imagesx() for the width and imagesy() for height. Please refer to the manual: http://www.php.net/manual/en/function.imagesx.php http://www.php.net/manual/en/function.imagesy.php

-- Cristian MARIN - Developer InterAKT Online (www.interakt.ro)

Chris Payne [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hi there everyone,
> In short, I use the following to upload an image to the server: $max_size = 40; if (is_uploaded_file($userfile)) { all works great, but what I want to do is store the file details in my MySQL DB, how can I easily find out the image width and height etc from the uploaded image so that I can store this information in the DB?
> Thanks for your help everyone :-)
> Chris
[PHP-DB] Getting data on last INSERTed row
Hi all! I'm wondering if there's an easy and non-system-demanding way to get data on an INSERTed row in PHP/MySQL? Specifically, I want the value of an auto-incremented primary key cell, uid. I'm INSERTing a new person into a table, and need to return this value to a Javascript function that maintains an array of all persons in this table. I want to avoid a full SELECT query that would rebuild the array from scratch and put unnecessary load on the SQL server. I first thought of mysql_affected_rows, but as far as I can read, it only returns the value of rows affected, i.e. 1 on any INSERT statement executed? Any ideas?

Thank you, Daniel

-- There are 10 kinds of people: Those who know binary and those who don't.
Re: [PHP-DB] Getting data on last INSERTed row
On Tuesday 24 June 2003 19:37, Daniel wrote:
> I'm wondering if there's an easy and non-system-demanding way to get data on an INSERTed row in PHP/MySQL? Specifically, I want the value of an auto-incremented primary key cell, uid. I'm INSERTing a new person into a table, and need to return this value to a Javascript function that maintains an array of all persons in this table. I want to avoid a full SELECT query that would rebuild the array from scratch and put unnecessary load on the SQL server. I first thought of mysql_affected_rows, but as far as I can read, it only returns the value of rows affected, i.e. 1 on any INSERT statement executed? Any ideas?

Yeah, did it ever cross your mind to read the manual? mysql_insert_id()

-- Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development *
-- Search the list archives before you post http://marc.theaimsgroup.com/?l=php-db --
Re: [PHP-DB] Getting data on last INSERTed row
Well, to tell you the truth, I thought I did. I may be a newbie and perhaps a little daft, so please excuse me if I ask stupid questions. Apart from that, thank you for your help.

Jason Wong [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Yeah, did it ever cross your mind to read the manual? mysql_insert_id()
[PHP-DB] mysql_error problem
I am using the below function (error_db), which is called thus:

    function query_db( $sql, $db ) {
        $result = mysql_query( $sql, $db ) or error_db( $sql, $db );
        return $result;
    }

But $sqlerr is always blank (it is set with '$sqlerr = mysql_error( $db );'). Any idea why?

Ben

    function error_db( $sql, $db ) {
        global $SERVER_NAME;
        global $SCRIPT_NAME;
        table_top( "Database Error" );
        table_middle();
        $sqlerr = mysql_error( $db );
        echo "<b>SQL:</b>:<BR>$sql<br><b>Error:</b><BR>$sqlerr";
        table_bottom();
        // Close of table/html from calling script
        table_bottom();
        html_footer();
        // Send error via email
        $msg = "Database error has accured on $SERVER_NAME\n\n".
               "The error message is :-\n\n".
               "SQL:$sql\n\nError:$sqlerr\n\n".
               "This message was ".
               "generated by '$SERVER_NAME$SCRIPT_NAME'";
        $subj = "Database error from $SERVER_NAME";
        // Hard coded to minimize chance of this module erroring
        $to = "[EMAIL PROTECTED]";
        $from = "From: ".$to;
        mail( $to, $subj, $msg, $from );
        die();
    }

Ben Edwards
[PHP-DB] POSTing page
If someone POSTs information - using action=yourpage from theirpage (using a copy of the form on yourpage) - can you tell what theirpage is, i.e. where the information was POSTed from?

John
http://www.cantor.com
RE: [PHP-DB] Getting data on last INSERTed row
Daniel, good luck in your endeavor, next time, just filter those with attitudes out. Many people on this list are very helpful. A few are not. I had a complete lose the attitude speech written out, but I think I'll just let you figure it out. Thanks for making this the great list it is Jason! removes self

Ryan Marrs
Web Developer
Sandler Travis Trade Advisory Services, Inc.
248.474.7200 x 183
248.474.8500 (fax)
www.strtrade.com

-Original Message-
From: Jason Wong [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 7:43 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] Getting data on last INSERTed row

> Yeah, did it ever cross your mind to read the manual? mysql_insert_id()
RE: [PHP-DB] POSTing page
Not quite sure of all of your requirements, but check out $_SERVER['HTTP_REFERER'] at the following location: http://www.php.net/manual/en/reserved.variables.php Make sure you read the notes on the variable because it might not work every single time. Hope this helps.

Rich

-Original Message-
From: Dillon, John [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 8:23 AM
To: '[EMAIL PROTECTED]'
Subject: [PHP-DB] POSTing page

> If someone POSTs information - using action=yourpage from theirpage (using a copy of the form on yourpage) - can you tell what theirpage is, i.e. where the information was POSTed from?
> John
[PHP-DB] md5 question!
Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text?

Jerry
Re: [PHP-DB] Getting data on last INSERTed row
Thank you, Ryan =)

Ryan Marrs [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Daniel, good luck in your endeavor, next time, just filter those with attitudes out. Many people on this list are very helpful. A few are not. I had a complete lose the attitude speech written out, but I think I'll just let you figure it out. Thanks for making this the great list it is Jason! removes self
Re: [PHP-DB] md5 question!
Hi Jerry--

No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are. You may want to reset the passwords upon your users' request and send it to them via e-mail instead.

Cheers, Marco

-- php|architect -- The Magazine for PHP Professionals
Come try us out at http://www.phparch.com and get a free trial issue

On Tue, 2003-06-24 at 08:35, JeRRy wrote:
> Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text?
> Jerry

-- Marco Tabini President Marco Tabini Associates, Inc. 28 Bombay Avenue Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Web: http://www.tabini.ca
Re: [PHP-DB] POSTing page
Read this first about the http_referer http://www.datatrendsoftware.com/spoof.html

-- Cristian MARIN - Developer InterAKT Online (www.interakt.ro)

Richard Hutchins [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Not quite sure of all of your requirements, but check out $_SERVER['HTTP_REFERER'] at the following location: http://www.php.net/manual/en/reserved.variables.php Make sure you read the notes on the variable because it might not work every single time. Hope this helps.
> Rich
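The replies in this thread point at the Referer header and at its unreliability; a server-issued form token answers the same question ("did this POST come from my own form?") without trusting a client-supplied header. This is an added example, not code from the thread: the function names, the `$session` array standing in for `$_SESSION`, and the host `www.example.com` are assumptions.

```php
<?php
// Added example: $session stands in for $_SESSION and the request arrays
// below are constructed, so the script runs from the command line.

// Issue a random, single-use token and remember it server-side.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_token'] = $token;
    return $token;
}

// The form served by yourpage carries the token in a hidden field.
function render_form(string $token): string
{
    return '<form method="post" action="/yourpage.php">'
        . '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
        . '<input type="text" name="comment">'
        . '<input type="submit" value="Send"></form>';
}

// Accept a POST only if it returns the token issued to this session.
function came_from_own_form(array $post, array &$session): bool
{
    $expected = $session['form_token'] ?? '';
    unset($session['form_token']);               // one submission per token
    $given = $post['form_token'] ?? '';
    return $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);       // constant-time comparison
}

// The check suggested in the thread: compare the Referer host.
// The header is optional and entirely under the client's control.
function referer_matches(array $server, string $ownHost): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    return is_string($referer)
        && parse_url($referer, PHP_URL_HOST) === $ownHost;
}

function report(string $label, array $server, array $post, array &$session, string $ownHost): void
{
    printf("%-28s referer check: %-5s  token check: %s\n",
        $label,
        var_export(referer_matches($server, $ownHost), true),
        var_export(came_from_own_form($post, $session), true));
}

$ownHost = 'www.example.com';                    // hypothetical site name

// Case 1: a visitor loads the real form and submits it.
$session = [];
$token   = issue_form_token($session);
echo render_form($token), "\n";
report('own form', ['HTTP_REFERER' => 'https://www.example.com/yourpage.php'],
    ['form_token' => $token, 'comment' => 'hello'], $session, $ownHost);

// Case 2: a copy of the form hosted elsewhere. The request carries a
// Referer naming our site, but not the token bound to this session.
$session = [];
issue_form_token($session);
report('copied form', ['HTTP_REFERER' => 'https://www.example.com/yourpage.php'],
    ['form_token' => str_repeat('0', 64), 'comment' => 'hello'], $session, $ownHost);

// Case 3: a genuine submission whose Referer was stripped by a proxy
// or browser setting.
$session = [];
$token   = issue_form_token($session);
report('own form, no Referer', [],
    ['form_token' => $token, 'comment' => 'hello'], $session, $ownHost);
```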
[PHP-DB] extract( $HTTP_POST_VARS ); ------------ what does this do?
I'm wanting to overwrite the variables contained in a session, I read on the net somewhere that I could do this by explicitly making variables global, the code I looked at contained this: extract( $HTTP_POST_VARS ); What exactly does this do?

Cheers, Graeme :)
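What `extract()` does with request data, shown next to two safer ways of reading the same fields. This is an added example, not code from the thread: the function names, the field names and the constructed request array (standing in for `$HTTP_POST_VARS`, the older name for `$_POST`) are assumptions.

```php
<?php
// Added example: the request array is constructed and stands in for
// $HTTP_POST_VARS / $_POST.

// Pattern from the question: every key in the request becomes a local
// variable, overwriting any variable of the same name that already exists.
function handle_with_extract(array $post): array
{
    $name     = '';
    $is_admin = false;              // decided by the application, not the client
    extract($post);                 // default flag is EXTR_OVERWRITE
    return ['name' => $name, 'is_admin' => $is_admin];
}

// EXTR_PREFIX_ALL keeps imported names apart from the application's own
// variables: the request key "is_admin" becomes $form_is_admin.
function handle_with_prefix(array $post): array
{
    $is_admin = false;
    extract($post, EXTR_PREFIX_ALL, 'form');
    return ['name' => $form_name ?? '', 'is_admin' => $is_admin];
}

// Explicit allow-list: only the fields the form is known to contain are
// read, each is type-checked, and nothing is created by name.
function handle_with_allow_list(array $post): array
{
    $is_admin = false;
    $fields   = ['name' => '', 'email' => ''];
    foreach ($fields as $key => $default) {
        $value        = $post[$key] ?? $default;
        $fields[$key] = is_string($value) ? trim($value) : $default;
    }
    return $fields + ['is_admin' => $is_admin];
}

// Constructed request: the form only has "name" and "email" fields, but
// a client is free to send any additional key.
$request = [
    'name'     => ' Graeme ',
    'email'    => 'graeme@example.com',
    'is_admin' => '1',
];

foreach (['handle_with_extract', 'handle_with_prefix', 'handle_with_allow_list'] as $handler) {
    printf("%-24s %s\n", $handler, json_encode($handler($request)));
}
```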
RE: [PHP-DB] md5 question!
No. We added the old 'password' question to one of the sites I did for this reason. When the client registered, they picked a question, ssn, mother's maiden name, dog's name, etc and entered an answer. That way if they lost their password, they could go to a 'lost password' area, enter their username, select and answer their question. They were then logged in and could change their password. Of course Marco's suggestion is good also, that way you can confirm you are speaking to the actual user before you change their password.

Eddie

-Original Message-
From: JeRRy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: [PHP-DB] md5 question!

> Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text?
> Jerry
Re: [PHP-DB] md5 question!
Marco,

Thanks, that's what I originally thought that it was one way. So websites that have the option to retrieve password don't use md5? I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time.

Jerry

--- Marco Tabini [EMAIL PROTECTED] wrote:
> Hi Jerry--
> No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are. You may want to reset the passwords upon your users' request and send it to them via e-mail instead.
> Cheers, Marco
Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:08, JeRRy wrote:
> I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time.

Well, that's not necessarily true. Take something as simple as an integer division. Say that in order to calculate your hash you divide any number by 3 and discard the remainder. The result '4' could mean that your original number could be anywhere between 12 and 14, for example, so that even if you know the method that was used to calculate the hash you couldn't determine the original password from it. md5 works on a similar basis, although a bit (but not that much) more complicated. So you see, it's mathematically impossible to retrieve the original password starting from the hash... which is a Good Thing(tm) :-)

Marco
RE: [PHP-DB] md5 question!
This is waaay over my head, but if any of you are interested: http://www.faqs.org/rfcs/rfc1321 I just read it and have come to the conclusion that MD5 is a small, British sports car ;^)

Rich

-Original Message-
From: Marco Tabini [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 9:30 AM
To: JeRRy
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] md5 question!

> Well, that's not necessarily true. Take something as simple as an integer division. Say that in order to calculate your hash you divide any number by 3 and discard the remainder. The result '4' could mean that your original number could be anywhere between 12 and 14, for example, so that even if you know the method that was used to calculate the hash you couldn't determine the original password from it. md5 works on a similar basis, although a bit (but not that much) more complicated. So you see, it's mathematically impossible to retrieve the original password starting from the hash... which is a Good Thing(tm) :-)
> Marco
Re: [PHP-DB] md5 question!
Hi,

Hmmm okay... So if the password was jerry and the md5 output was SKHDJHDJDHJDHSfdfs and another user sets their password to the same as mine does that mean the md5 output would be identical to the last as the same password is entered? e.g.

User 1: Username: Fred Password: jerry
User 2: Username: notfred Password: jerry

Or is each entry unique? I'm thinking if each entry was unique then reversing the md5 action could be inconclusive. But if the output is the same if the same password is entered then sure it's reliable. But I could be barking up the wrong tree all together here, so correct me if I am wrong. I have not used md5 before so learning on that behalf.

Jerry

--- [EMAIL PROTECTED] wrote:
> Just use brute force... Example: md5('password') will ALWAYS produce the same output! So, if I intercept an md5 encrypted password that looks like: SKHGDOIUYFB then I could just say:
>
>     if (strcmp(md5('password'), "SKHGDOIUYFB") == 0) printf("Your password is: %s\n", 'password');
>
> So, just start a loop going through all possible combinations of legal password character and encrypt with md5, then compare. Hard? Not at all, Time consuming, perhaps, but with 3+ Ghz processors coming out you'd be surprised how quickly one could loop through billions of possible password combinations. Enter distributed environments and it is much faster. The key is not to rely on passwords but to rely on other system security measures, use SSL, so it is hard to intercept in the first place, make sure your system is secure so these passwords cannot be extracted from your DB without you knowing about it, etc...
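The question above (two users, same password, same MD5 output?) and the earlier advice to reset rather than recover a forgotten password, worked through as an added example that is not code from the thread. The function names and the two constructed accounts are assumptions; `password_hash()`, `password_verify()` and `random_bytes()` are PHP built-ins that post-date this discussion.

```php
<?php
// Added example: constructed users and passwords, not data from the thread.

// Scheme discussed in the thread: one unsalted MD5 digest per password.
function legacy_hash(string $password): string
{
    return md5($password);
}

// Salted, deliberately slow hash. password_hash() draws a fresh random
// salt on every call and stores algorithm, cost and salt in its output.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Check a login attempt against a stored value. Rows still holding a bare
// MD5 digest are accepted once and flagged so they can be re-hashed.
function check_login(string $attempt, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        $ok = hash_equals($stored, md5($attempt));   // constant-time compare
        return ['ok' => $ok, 'rehash' => $ok];
    }
    $ok = password_verify($attempt, $stored);
    return [
        'ok'     => $ok,
        'rehash' => $ok && password_needs_rehash($stored, PASSWORD_DEFAULT),
    ];
}

// Forgotten password: nothing is decoded. A random single-use token is
// e-mailed to the user and only its SHA-256 digest is kept in the database.
function issue_reset_token(int $now, int $lifetime = 3600): array
{
    $token = bin2hex(random_bytes(32));
    return [
        'token'      => $token,                  // goes into the e-mail link
        'stored'     => hash('sha256', $token),  // goes into the database
        'expires_at' => $now + $lifetime,
    ];
}

function redeem_reset_token(string $presented, array $row, int $now): bool
{
    return $now < $row['expires_at']
        && hash_equals($row['stored'], hash('sha256', $presented));
}

// The two accounts from the question, both using the password "jerry".
$users  = ['Fred' => 'jerry', 'notfred' => 'jerry'];
$legacy = array_map('legacy_hash', $users);      // keys are preserved
$salted = array_map('store_password', $users);

// Unsalted MD5 is deterministic, so both rows hold the same digest and one
// recovered password exposes every account that shares it.
printf("md5 rows equal:           %s\n",
    var_export($legacy['Fred'] === $legacy['notfred'], true));

// With a per-row salt the stored strings differ, yet each still verifies.
printf("password_hash rows equal: %s\n",
    var_export($salted['Fred'] === $salted['notfred'], true));

echo json_encode(check_login('jerry', $legacy['Fred'])), "\n";
echo json_encode(check_login('jerry', $salted['notfred'])), "\n";
echo json_encode(check_login('wrong', $salted['notfred'])), "\n";

$now   = time();
$reset = issue_reset_token($now);
var_dump(redeem_reset_token($reset['token'], $reset, $now));
var_dump(redeem_reset_token($reset['token'], $reset, $reset['expires_at'] + 1));
```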
Re: [PHP-DB] md5 question!
md5 returns a 32 char hexdec string. I'm not sure where you get an 11 char alpha string from md5...

Since the MD5 is 32 chars in length, with 36 possibilities for each char, that leaves us with 36^32, or

63340286662973277706162286946811886609896461828096

or 63,340,286,662,973,276,904,018,768,749,012,366,609,829,142,200,320 after using number_format.

What is that? A little more than the billions of possibilities you suggest would exist... Hmmm, that's 63 quindecillion, or like 63 * 10^48. Ouch. I think even with 3+ Ghz processors you might have to wait a few years. Months? Maybe distributed, but doubtful. Given that it took 4 years to go through 15,769,938,165,961,326,592 keys (out of a possible 18,446,744,073,709,551,616) to break 64 bit RSA encryption. That's 18 * 10^18 total possible keys. That's a lot less than 63 * 10^48 and it took 4 years and 331,000 computers. http://www.pcw.co.uk/News/1135452

From the PHP manual: http://php.net/md5

Calculates the MD5 hash of str using the RSA Data Security, Inc. MD5 Message-Digest Algorithm, and returns that hash. The hash is a 32-character hexadecimal number. If the optional raw_output is set to TRUE, then the md5 digest is instead returned in raw binary format with a length of 16.

Beckman

--- Peter Beckman Internet Guy [EMAIL PROTECTED] http://www.purplecow.com/ ---
Re: [PHP-DB] md5 question!
Marco,

Okay I just replied to another post asking if md5 outputs a different output if the same password was entered by more than 1 user. I think the answer to that is explained by you below.

If true, if more than 1 user had an identical password to another the md5 output would be unique for each user. So a different md5 output even though the same password. Because if:

<snip> it's mathematically impossible to retrieve the original password starting from the hash... which is a Good Thing(tm) :-) </snip>

... is true then a different md5 output must be outputted for each password even if it's the same as another. Because if it was the same md5 output it would then be possible to reverse the md5 back to plain text? Well I would think so, because it's the same.

I just received an email to my inbox saying there is a way to reverse it. So I really have no idea what to think, instead I'm going to give the examples I have received a go and see what happens.

Thanks everyone for your help/feedback/ideas and code on this subject, it's been overwhelming. Very much appreciated.

Jerry

--- Marco Tabini [EMAIL PROTECTED] wrote:

On Tue, 2003-06-24 at 09:08, JeRRy wrote:

I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But from what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time.

Well, that's not necessarily true. Take something as simple as an integer division. Say that in order to calculate your hash you divide any number by 3 and discard the remainder. The result '4' could mean that your original number could be anywhere between 12 and 14, for example, so that even if you know the method that was used to calculate the hash you couldn't determine the original password from it. md5 works on a similar basis, although a bit (but not that much) more complicated. So you see, it's mathematically impossible to retrieve the original password starting from the hash... which is a Good Thing(tm) :-)

Marco
Re: [PHP-DB] md5 question!
They would be the same, they have to be. If you can de-crypt it, there has to be some method of validation. So, if someone chose the same password as you did, and you stored those in a DB as encrypted with md5, then they would look identical. So, you would know the other person's password.
Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:36, JeRRy wrote:

Hi, Hmmm okay... So if the password was. [snip]

There are ways to avoid this. Typically, you can add a random token (or a salt) to the password before you calculate its checksum. This way, two users with the same password will have two different hashes.

However, a brute-force approach as the one suggested is *not* quite as simple and powerful as it looks. Assuming that there are even just 62 valid characters for the password (uppercase+lowercase+digits), to go over passwords as short as five characters you'd have to do 380,204,032 iterations. Add one more digit and you're already up to 19,770,609,664. Sure, these are not insurmountable numbers, but they quickly add up with more and more characters (and I'm not even counting all the possibilities when it comes to making this more secure).

Mt.
Re: [PHP-DB] md5 question!
Hi,

Aha... That's what I thought! :) So with md5 I can retrieve the passwords back to the user if they lose them via email. That's what I was seeking an answer to. Thanks so much.

Jerry
Re: [PHP-DB] md5 question!
On Tue, 2003-06-24 at 09:45, JeRRy wrote:

If true, if more than 1 user had an identical password to another the md5 output would be unique for each user. So a different md5 output even though the same password. Because if: <snip> it's mathematically impossible to retrieve the original password starting from the hash... which is a Good Thing(tm) :-) </snip> ... is true then a different md5 output must be outputted for each password even if it's the same as another. Because if it was the same md5 output it would then be possible to reverse the md5 back to plain text? Well I would think so, because it's the same.

No, these are two unrelated concepts, in fact they contradict each other. If two passwords *can* have the same hash (which is well possible), then you can't tell the password from the hash.

I just received an email to my inbox saying there is a way to reverse it. So I really have no idea what to think, instead I'm going to give the examples I have received a go and see what happens.

Well, I haven't heard of md5 being broken, although it's been claimed that it is breakable. I'd love to see the references they have sent you!

Cheers, Marco
RE: [PHP-DB] md5 question!
md5() will always return the same for the same string, how else can you verify that the user entered their password? Every time they log in, you have to encrypt what they typed in

$pword=md5($pword);
select * from users where uname='$uname' and pword='$pword'

and see if it matches the password they registered with. If md5() gave you different output, then you could never verify their password.

Eddie
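The login check Eddie describes, as an added example that is not code from the thread: the row is fetched with a bound parameter and the hash comparison happens in PHP, so what the user typed never becomes part of the SQL text. It uses PHP's password_hash()/password_verify() in place of md5(); the `users` table, its columns, the sample accounts and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example: schema, column names and sample accounts are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, pword TEXT NOT NULL)');

// Registration: store only the hash. password_hash() picks a random salt
// and embeds it in the string it returns.
$insert = $db->prepare('INSERT INTO users (uname, pword) VALUES (:uname, :pword)');
$insert->execute([':uname' => 'fred',    ':pword' => password_hash('jerry', PASSWORD_DEFAULT)]);
$insert->execute([':uname' => "o'brien", ':pword' => password_hash('secret', PASSWORD_DEFAULT)]);

/**
 * Returns true only when $uname exists and $pword matches its stored hash.
 */
function check_login(PDO $db, string $uname, string $pword): bool
{
    // The username travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('SELECT pword FROM users WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run one verification against a throwaway hash so
    // both paths do a comparable amount of work, then reject.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unused-placeholder', PASSWORD_DEFAULT);
    }
    $stored = ($row === false) ? $dummy : $row['pword'];

    $matches = password_verify($pword, $stored);
    return $row !== false && $matches;
}

$attempts = [
    ['fred', 'jerry'],       // correct password
    ['fred', 'wrong'],       // wrong password
    ['nobody', 'jerry'],     // unknown user
    ["o'brien", 'secret'],   // quote character in the name is handled as data
];
foreach ($attempts as [$u, $p]) {
    printf("%-10s %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```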
Re: [PHP-DB] md5 question!
Marco,

Aha... Thanks. I guess there is no need to add a salt if I'm the only admin using the database interface. But I guess if you want to be more secure etc. it would be best to add it so if someone grabbed the database they will find no matches.

I really have to look into making my databases more secure than they already are. Any good websites that are good reading for this? I mean reliable sites with no bull ***rubbish*** which do not send on the wrong messages.

Jerry
RE: [PHP-DB] md5 question!
-----Original Message-----
From: JeRRy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 24, 2003 9:50 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] md5 question!

So with md5 I can retrieve the passwords back to the user if they lose them via email.

No, you can't. You'll need to generate a new password, md5 it, store it, mark it expired, timestamp it so it's only valid for, say, 30 minutes, email it, and finally, force the person to choose a new password when they sign in.
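The reset procedure listed in the message above, as an added example that is not code from the thread: it issues a random temporary password, stores only its hash with a 30-minute expiry and a must-change flag, and forces a new password at sign-in. It uses password_hash() where the message says md5; the array-based user record, the field names and the function names are assumptions, and sending the e-mail is left to the caller.

```php
<?php
// Added example: the user record, field names and function names are constructed.

const TEMP_PASSWORD_TTL = 30 * 60; // seconds a temporary password stays valid

function issue_temporary_password(array &$user, int $now): string
{
    $temp = bin2hex(random_bytes(8));              // 16 hex characters from the CSPRNG
    $user['pw_hash']      = password_hash($temp, PASSWORD_DEFAULT);
    $user['must_change']  = true;                  // "mark it expired"
    $user['temp_expires'] = $now + TEMP_PASSWORD_TTL;
    return $temp;                                  // e-mail this value; never store it
}

function sign_in(array $user, string $password, int $now): string
{
    if (!password_verify($password, $user['pw_hash'])) {
        return 'denied';
    }
    if ($user['must_change']) {
        // A temporary password only opens the "choose a new password" step,
        // and only inside its validity window.
        return $now <= $user['temp_expires'] ? 'must_choose_new_password' : 'denied';
    }
    return 'ok';
}

function choose_new_password(array &$user, string $new): void
{
    $user['pw_hash']      = password_hash($new, PASSWORD_DEFAULT);
    $user['must_change']  = false;
    $user['temp_expires'] = null;
}

// Walk through the flow with a fixed clock so the outcome does not depend on timing.
$t0   = 1056460200; // constructed timestamp
$user = [
    'uname'        => 'fred',
    'pw_hash'      => password_hash('forgotten', PASSWORD_DEFAULT),
    'must_change'  => false,
    'temp_expires' => null,
];

$temp = issue_temporary_password($user, $t0);
echo 'old password after reset: ', sign_in($user, 'forgotten', $t0 + 60), "\n";
echo 'temp within 30 minutes:   ', sign_in($user, $temp, $t0 + 60), "\n";
echo 'temp after 31 minutes:    ', sign_in($user, $temp, $t0 + 31 * 60), "\n";

choose_new_password($user, 'a new passphrase');
echo 'temp after the change:    ', sign_in($user, $temp, $t0 + 120), "\n";
echo 'new password:             ', sign_in($user, 'a new passphrase', $t0 + 120), "\n";
```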
RE: [PHP-DB] md5 question!
I already admitted that this stuff was mostly over my head. However, I started messing around with it a bit and would like to know if the crypt() function would help Jerry out?

I tried md5('password') twice in a row and it did return:

5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99

Then I tried crypt('password') in a 10-step loop and got this:

8m7UxPXfRw7/2
v9iuCQikPaf7w
MwV8vcCiqrRbM
lpf02L./2VtiU
KRkddkPGedm2.
LDMEpQwJgY.Mo
2HW51zTN93I9Y
hyONnFjRN/9bM
W9NKVzVgJ9kLM
nNany7wy2drdQ

The code for all of the above if anybody is interested:

<?php
echo md5('password')."<br>";
echo md5('password')."<br><br>";
echo "CRYPT with password<br>";
for($i=0;$i<10;$i++){
    echo crypt('password')."<br>";
}
?>

PHP.NET states that there is no decrypt function since crypt() is a one-way encryption. And given that, by default, it uses a random salt generated by PHP, why is this not as secure as an MD5 encrypted password? Of course, all of this is based on the supposition that the database is properly secured.

I am, by no means, arguing with any of the advice already offered regarding the MD5 question. However, if what you're looking for is a different encryption result for the same password, crypt() seems to do it. Can somebody explain if this is less secure or less preferable than MD5? Even if one were able to decipher the algorithm PHP uses for a crypt() operation, the salt is supposedly random so having the encryption algorithm would not be all that useful.

Am I totally missing something here?

Rich
RE: [PHP-DB] md5 question!
Sure, but only the first eight characters of the password are actually used to make the hash (IIRC).

Marco
Re: [PHP-DB] md5 question!
YOU CAN NOT RECOVER THE ORIGINAL TEXT FROM AN MD5 HASH (unless you have a couple hundred years and nothing to do and want to try all 63*10^48 possibilities). You can look to see if jerry and bob have the same MD5 hash as their password, but unless you store their password in plaintext as well as an md5 hash and you only store the md5 hash, you CANNOT send an email with the original password. MD5 is one-way encryption.
On Tue, 24 Jun 2003, [iso-8859-1] JeRRy wrote:
Hi, Aha... That's what I thought! :) So with md5 I can retrieve the passwords back to the user if they lose them via email. That's what I was seeking an answer to. Thanks so much. Jerry
--- [EMAIL PROTECTED] wrote:
They would be the same, they have to be. If you can de-crypt it, there has to be some method of validation. So, if someone chose the same password as you did, and you stored those in a DB as encrypted with md5, then they would look identical. So, you would know the other person's password.
Hi, Hmmm okay... So if the password was. jerry and the md5 output was SKHDJHDJDHJDHSfdfs and another user sets their password to the same as mine does that mean the md5 output would be identical to the last as the same password is entered? e.g.
User 1: Username: Fred Password: jerry
User 2: Username: notfred Password: jerry
Or is each entry unique? I'm thinking if each entry was unique then reversing the md5 action could be inconclusive. But if the output is the same if the same password is entered then sure it's reliable. But I could be barking up the wrong tree all together here, so correct me if I am wrong. I have not used md5 before so learning on that behalf. Jerry
--- [EMAIL PROTECTED] wrote:
Just use brute force... Example: md5('password') will ALWAYS produce the same output! So, if I intercept an md5 encrypted password that looks like: SKHGDOIUYFB then I could just say:
    if (strcmp(md5('password'), "SKHGDOIUYFB") == 0) printf("Your password is: %s\n", "password");
So, just start a loop going through all possible combinations of legal password character and encrypt with md5, then compare. Hard? Not at all. Time consuming, perhaps, but with 3+ Ghz processors coming out you'd be surprised how quickly one could loop through billions of possible password combinations. Enter distributed environments and it is much faster. The key is not to rely on passwords but to rely on other system security measures, use SSL, so it is hard to intercept in the first place, make sure your system is secure so these passwords cannot be extracted from your DB without you knowing about it, etc...
Marco, Thanks, that's what I originally thought that it was one way. So websites that have the option to retrieve password don't use md5? I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time. Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote:
Hi Jerry-- No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are. You may want to reset the passwords upon your users' request and send it to them via e-mail instead. Cheers, Marco -- php|architect -- The Magazine for PHP Professionals Come try us out at http://www.phparch.com and get a free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text? Jerry
-- Marco Tabini President Marco Tabini Associates, Inc. 28 Bombay Avenue Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Web: http://www.tabini.ca
Re: [PHP-DB] md5 question!
Most sites save/allow an 8 character password. Allowing alphanumerics and underscore, period and pound (_, ., #), that is 39^8, or 5,352,009,260,481 or about 5 trillion possible passwords. If you allow more than 8 characters, that number increases.
On Tue, 24 Jun 2003, Marco Tabini wrote:
On Tue, 2003-06-24 at 09:36, JeRRy wrote:
Hi, Hmmm okay... So if the password was. [snip]
There are ways to avoid this. Typically, you can add a random token (or a salt) to the password before you calculate its checksum. This way, two users with the same password will have two different hashes.
However, a brute-force approach as the one suggested is *not* quite as simple and powerful as it looks. Assuming that there are even just 62 valid characters for the password (uppercase+lowercase+digits) to go over passwords as short as five characters you'd have to do 380,204,032 iterations. Add one more digit and you're already up to 19,770,609,664. Sure, these are not insurmountable numbers, but they quickly add up with more and more characters (and I'm not even counting all the possibilities when it comes to making this more secure).
Mt.
--- Peter Beckman Internet Guy [EMAIL PROTECTED] http://www.purplecow.com/ ---
RE: [PHP-DB] md5 question!
md5 is also a one-way encryption. crypt also provides 300*10^21 possible values, whereas md5 provides a possible 63*10^48, or 63000 * 10^21 possible values. A little bit better security I'd say. Crypt is fine, md5 is better (a lot better by the numbers).
The salt doesn't matter -- it is part of the password. The first iteration, the salt is 8m. The next one is v9. The first two chars are the salt used, so the salt really doesn't make things more secure. If you are storing the crypt value, you have to first select the value from your DB, get the first two chars (8m for this example) and do crypt($form['password'], "8m") in order to get 8m7UxPXfRw7/2 from crypt. With md5 you just say md5($form['password']) and send it to your select statement and see what happens.
To answer your question, md5 is easier and more secure; however, your system is only as secure as your password, and if your password is password (one of the most popular passwords in the world) md5 nor crypt nor the best encryption will help you.
Peter
On Tue, 24 Jun 2003, Hutchins, Richard wrote:
I already admitted that this stuff was mostly over my head. However, I started messing around with it a bit and would like to know if the crypt() function would help Jerry out?
I tried md5('password') twice in a row and it did return:
5f4dcc3b5aa765d61d8327deb882cf99
5f4dcc3b5aa765d61d8327deb882cf99
Then I tried crypt('password') in a 10-step loop and got this:
8m7UxPXfRw7/2
v9iuCQikPaf7w
MwV8vcCiqrRbM
lpf02L./2VtiU
KRkddkPGedm2.
LDMEpQwJgY.Mo
2HW51zTN93I9Y
hyONnFjRN/9bM
W9NKVzVgJ9kLM
nNany7wy2drdQ
The code for all of the above if anybody is interested:
    <?php
    // md5() is deterministic: both lines print the same digest
    echo md5('password') . "<br>";
    echo md5('password') . "<br><br>";
    echo "CRYPT with password<br>";
    // No salt argument: crypt() picks a random salt on each call
    // (PHP 8 makes the salt argument mandatory)
    for ($i = 0; $i < 10; $i++) {
        echo crypt('password') . "<br>";
    }
    ?>
PHP.NET states that there is no decrypt function since crypt() is a one-way encryption. And given that, by default, it uses a random salt generated by PHP, why is this not as secure as an MD5 encrypted password?
Of course, all of this is based on the supposition that the database is properly secured. I am, by no means, arguing with any of the advice already offered regarding the MD5 question. However, if what you're looking for is a different encryption result for the same password, crypt() seems to do it. Can somebody explain if this is less secure or less-preferable than MD5? Even if one were able to decipher the algorithm PHP uses for a crypt() operation, the salt is supposedly random so having the encryption algorithm would not be all that useful. Am I totally missing something here?
Rich
-Original Message- From: Matt Schroebel [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 9:52 AM To: JeRRy Cc: [EMAIL PROTECTED] Subject: RE: [PHP-DB] md5 question!
-Original Message- From: JeRRy [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 9:50 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: [PHP-DB] md5 question!
So with md5 I can retrieve the passwords back to the user if they lose them via email.
No, you can't. You'll need to generate a new password, md5 it, store it, mark it expired, timestamp it so it's only valid for, say, 30 minutes, email it, and finally, force the person to choose a new password when they sign in.
--- Peter Beckman Internet Guy [EMAIL PROTECTED] http://www.purplecow.com/ ---
Re: [PHP-DB] Rand() Emulation
Doesn't really cut it when you do not know a min and max value, or want to extract a random range of numbers.
Becoming Digital wrote:
I'm trying to figure out a way to emulate mysql's RAND() function to be cross database compatible via php. Has anyone done anything similar to this???
How about PHP's rand() function? http://us2.php.net/manual/en/function.rand.php
Edward Dudlik Becoming Digital www.becomingdigital.com Did I help you? Want to show your thanks? www.amazon.com/o/registry/EGDXEBBWTYUU
RE: [PHP-DB] md5 question! [CORRECTED]
My mistake -- I'm wrong here. Through a few emails I learned that it is a 32 character hex value that is returned, not a 32 char alphanumeric. That reduces my estimate of 63*10^48 to 340*10^36, still more than crypt though. My bad, sorry to all who believed me without question!
Beckman
On Tue, 24 Jun 2003, Peter Beckman wrote:
md5 is also a one-way encryption. crypt also provides 300*10^21 possible values, whereas md5 provides a possible 63*10^48, or 63000 * 10^21 possible values. A little bit better security I'd say. Crypt is fine, md5 is better (a lot better by the numbers).
The salt doesn't matter -- it is part of the password. The first iteration, the salt is 8m. The next one is v9. The first two chars are the salt used, so the salt really doesn't make things more secure. If you are storing the crypt value, you have to first select the value from your DB, get the first two chars (8m for this example) and do crypt($form['password'], "8m") in order to get 8m7UxPXfRw7/2 from crypt. With md5 you just say md5($form['password']) and send it to your select statement and see what happens.
To answer your question, md5 is easier and more secure; however, your system is only as secure as your password, and if your password is password (one of the most popular passwords in the world) md5 nor crypt nor the best encryption will help you.
Peter
--- Peter Beckman Internet Guy [EMAIL PROTECTED] http://www.purplecow.com/ ---
RE: [PHP-DB] md5 question!
It's all dependent on the seed, the first two characters of the hash.
You take a password, say apass, and pass it through md5.
Say you get: dFeRDfss3456fdddsas/..
When the user types in their password, this is what happens:
The string above is retrieved, and the password entered, apass, is run through md5 WITH THE KNOWN SEED, dF.
The output of md5 will be dFeRDfss3456fdddsas/.. and it is compared to what is stored.
If they match, hunky-dory, the auth is granted.
Upon creating an md5 hash, the seed is randomly generated, so that two users with the same password may have completely different hash strings.
Gary Every Sr. UNIX Administrator Ingram Entertainment (615) 287-4876 Pay It Forward mailto:[EMAIL PROTECTED] http://accessingram.com
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 4:47 AM To: JeRRy; [EMAIL PROTECTED] Subject: Re: [PHP-DB] md5 question!
They would be the same, they have to be. If you can de-crypt it, there has to be some method of validation. So, if someone chose the same password as you did, and you stored those in a DB as encrypted with md5, then they would look identical. So, you would know the other person's password.
Hi, Hmmm okay... So if the password was. jerry and the md5 output was SKHDJHDJDHJDHSfdfs and another user sets their password to the same as mine does that mean the md5 output would be identical to the last as the same password is entered? e.g.
User 1: Username: Fred Password: jerry
User 2: Username: notfred Password: jerry
Or is each entry unique? I'm thinking if each entry was unique then reversing the md5 action could be inconclusive. But if the output is the same if the same password is entered then sure it's reliable. But I could be barking up the wrong tree all together here, so correct me if I am wrong. I have not used md5 before so learning on that behalf. Jerry
--- [EMAIL PROTECTED] wrote:
Just use brute force... Example: md5('password') will ALWAYS produce the same output! So, if I intercept an md5 encrypted password that looks like: SKHGDOIUYFB then I could just say:
    if (strcmp(md5('password'), "SKHGDOIUYFB") == 0) printf("Your password is: %s\n", "password");
So, just start a loop going through all possible combinations of legal password character and encrypt with md5, then compare. Hard? Not at all. Time consuming, perhaps, but with 3+ Ghz processors coming out you'd be surprised how quickly one could loop through billions of possible password combinations. Enter distributed environments and it is much faster. The key is not to rely on passwords but to rely on other system security measures, use SSL, so it is hard to intercept in the first place, make sure your system is secure so these passwords cannot be extracted from your DB without you knowing about it, etc...
Marco, Thanks, that's what I originally thought that it was one way. So websites that have the option to retrieve password don't use md5? I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow. But what I have heard and read it's very tight and probably the best method to handle passwords for now, until something new is released. Which will happen when md5 is broken, like everything else after a little bit of time. Jerry
--- Marco Tabini [EMAIL PROTECTED] wrote:
Hi Jerry-- No, md5 is a one-way hash. That's why it's so safe--because if someone steals the information he still can't tell what the passwords are. You may want to reset the passwords upon your users' request and send it to them via e-mail instead. Cheers, Marco -- php|architect -- The Magazine for PHP Professionals Come try us out at http://www.phparch.com and get a free trial issue
On Tue, 2003-06-24 at 08:35, JeRRy wrote:
Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text? Jerry
-- Marco Tabini President Marco Tabini Associates, Inc. 28 Bombay Avenue Toronto, ON M3H 1B7 Canada Phone: (416) 630-6202 Fax: (416) 630-5057 Web: http://www.tabini.ca
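The behaviours discussed in this thread (identical md5() output for identical passwords, a salt carried in the first two characters of a crypt() hash and re-used at login, and the eight-character limit) shown side by side in an added PHP example that is not code from any poster. It uses crypt() with a two-character DES salt for the salted case and adds password_hash() for comparison; the function names are hypothetical and the usernames and passwords are the ones used in the thread.

```php
<?php
// Added example (not from the thread): unsalted vs. salted password hashes.
// Assumptions: PHP 7+ with the standard DES crypt() scheme available;
// function names are hypothetical.

// Hash with traditional DES crypt() and a random two-character salt.
function des_crypt_hash(string $password): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
    return crypt($password, $salt);
}

// Login check: crypt() reads the salt back out of the stored hash, so the
// stored value is passed as the salt argument and the results are compared
// in constant time.
function verify_des_crypt(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

function show(string $label, bool $value): void
{
    printf("%-58s %s\n", $label, var_export($value, true));
}

// Two accounts with the same password, as in the Fred / notfred example.
$fred    = ['md5'    => md5('jerry'),
            'crypt'  => des_crypt_hash('jerry'),
            'modern' => password_hash('jerry', PASSWORD_DEFAULT)];
$notfred = ['md5'    => md5('jerry'),
            'crypt'  => des_crypt_hash('jerry'),
            'modern' => password_hash('jerry', PASSWORD_DEFAULT)];

// Unsalted md5(): equal passwords are visible as equal rows in the table.
show('md5 hashes identical for both users:', $fred['md5'] === $notfred['md5']);

// Salted hashes: the rows differ unless both draws hit the same salt
// (4096 possible two-character salts for DES crypt).
show('crypt hashes identical for both users:', $fred['crypt'] === $notfred['crypt']);
show('password_hash values identical for both users:', $fred['modern'] === $notfred['modern']);

// Verification still works for each user, because the salt is stored
// as part of the hash itself.
show('fred logs in with "jerry" (crypt):', verify_des_crypt('jerry', $fred['crypt']));
show('notfred logs in with "jerry" (password_hash):', password_verify('jerry', $notfred['modern']));

// DES crypt() only reads the first eight characters of the password,
// so a longer password sharing that prefix is checked against the same hash.
$stored = des_crypt_hash('password');
show('DES crypt accepts "password-plus-more" for "password":',
     verify_des_crypt('password-plus-more', $stored));

// password_hash() takes the whole password into account.
$stored = password_hash('password', PASSWORD_DEFAULT);
show('password_hash accepts "password-plus-more" for "password":',
     password_verify('password-plus-more', $stored));
```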
Re: [PHP-DB] Rand() Emulation
An incredible interpretation of:
"If called without the optional min, max arguments rand() returns a pseudo-random value between 0 and RAND_MAX. If you want a random number between 5 and 15 (inclusive), for example, use rand (5, 15)."
Doug
On Tue, 24 Jun 2003 11:14:55 -0400, Gerard Samuel wrote:
Doesn't really cut it when you do not know a min and max value, or want to extract a random range of numbers.
Becoming Digital wrote:
I'm trying to figure out a way to emulate mysql's RAND() function to be cross database compatible via php. Has anyone done anything similar to this???
How about PHP's rand() function? http://us2.php.net/manual/en/function.rand.php
Edward Dudlik Becoming Digital www.becomingdigital.com Did I help you? Want to show your thanks? www.amazon.com/o/registry/EGDXEBBWTYUU
[PHP-DB] ideas for Affiliate Program.....
Hello all, I am working on an Affiliate Program and need ideas or suggestions... please email me if you have any suggestion. For now my program will keep track of an affiliate_id and the client_ip address for future reward... (i.e. if the client buys anything, the affiliate_id gets a credit...) but this system won't reward an affiliate if, for example, many clients use the same computer (same ip address) to buy products... then the affiliate_id is only credited once. Has anyone ever done anything similar and have other suggestions? I am working on it, but am still looking for better ways of doing it... thanks in advance.. KD
Re: [PHP-DB] Rand() Emulation
I'm probably not making myself clear. Ultimately, my goal is to emulate mysql's - SELECT * FROM TABLE ORDER BY RAND() LIMIT (X) for other databases that do not support RAND(). So using variations of php's rand() wouldn't make sense, as it only picks one value out of a range of values that are numerical in nature. But here is an idea that I'm thinking about, but haven't gotten to the code as yet.
1. In the tables that I want random values from, create a rand column that contains incremental numerical values for each row.
2. Select the maximum number from the rand column.
3. Assume that there are no gaps between 0 and this max number.
4. Create an array of numbers with values between 0 and max number.
5. Use array_rand() to randomly choose (x) values from the array created in step 4. (I may choose maybe 1 or 2 values more than what's required, just in case of gaps between 0 and max number in step 3).
6. Use these randomly chosen values to select from the database as random rows.
So hopefully it's a bit clearer what I'm striving for. To me the idea above would work, but it hinges on whether that rand column doesn't have gaps. If you see room for improvement, or have another idea, or if I'm talking gibberish then by all means. Thanks.
Doug Thompson wrote:
An incredible interpretation of: "If called without the optional min, max arguments rand() returns a pseudo-random value between 0 and RAND_MAX. If you want a random number between 5 and 15 (inclusive), for example, use rand (5, 15)." Doug
[PHP-DB] apache mod_php memory leak, need help.
I'm posting this here as well in hopes that someone can help me out. Thanks, Ray A.
Just another note, it seems that for every page access, there is exactly 680k of memory that accumulates. Any php developer know of any odbc function that takes up 680k of overhead that might not be getting cleaned up? Thanks, Ray A.
Hello, I hope someone can help me or point me in a good direction. I have a database driven website, all ODBC to postgresql, that little by little eats up resources on apache. The child processes will start off at 30Mb of virtual memory and run up around 230Mb each child (see below ps output) before they start dying. It does not even take 700 accesses per child to max out memory. I then start getting funny errors like access denied to file or could not open socket, or file not found.
I read all the documentation and as far as I know, php should release any defined query resources once the script executes. I already code with odbc_close($conn); on all my pages. It is not feasible to use odbc_free_result() on every query, due to the complexity of scripts, but the documentation for odbc_free_result says you shouldn't have to. That is the only thing that I can think of that could be draining this much resources. Is there any good way to find out what is eating up the memory? Anyone else run into this? I'm running apache 1.3.27 with php 4.3.2 (happened in version 4.3.1 also) on mac OSX SERVER 10.2.4
Thanks in advance, Ray A.
PS OUTPUT ---
root  468 0.0 0.3  30992  2152 ?? Ss  4Jun03 1:30.04 /usr/sbin/httpd
www  1743 0.0 1.2 222600 10032 ?? S   8:00AM 2:16.31 /usr/sbin/httpd
www  1767 0.0 1.1 220560  9592 ?? S   8:01AM 1:58.56 /usr/sbin/httpd
www  1806 0.0 1.1 215800  9588 ?? S   8:13AM 1:46.92 /usr/sbin/httpd
www  1876 0.0 1.1 210360  9532 ?? S   8:44AM 1:56.10 /usr/sbin/httpd
www  1878 0.0 1.3 224304 10904 ?? S   8:44AM 2:13.93 /usr/sbin/httpd
www  1879 0.0 1.2 219880  9912 ?? S   8:44AM 2:10.85 /usr/sbin/httpd
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DB] Re: md5 question!
I found this very useful http://www.aspencrypt.com/crypto101.html pete
Jerry wrote:
Hi, If I use md5 to handle passwords to my database is there a way to reverse the action if someone forgets their password? Is there a way for me to decode the 32bit to plain text? Jerry
Re: [PHP-DB] ideas for Affiliate Program.....
on 24/6/03 4:59 pm, Kieu D. Trang at [EMAIL PROTECTED] wrote:
Has anyone ever done anything similar and have other suggestions? I am working on it, but am still looking for better ways of doing it... thanks in advance..
You want to look on sourceforge for a project called php affiliate. I think that should save you some time ;-)
-- Mike Karthauser Managing Director - Brightstorm Ltd Email [EMAIL PROTECTED] Web http://www.brightstorm.co.uk Tel 0117 9426653 (office) 07939 252144 (mobile) Snailmail Unit 8, 14 King Square, Bristol BS2 8JJ
[PHP-DB] Re: extract( $HTTP_POST_VARS ); ------------ what does this do?
http://uk2.php.net/extract
Boa Constructor wrote:
I'm wanting to overwrite the variables contained in a session, I read on the net somewhere that I could do this by explicitly making variables global, the code I looked at contained this: extract( $HTTP_POST_VARS ); What exactly does this do? Cheers, Graeme :)
RE: [PHP-DB] Rand() Emulation
Might it be simpler, since you're assuming the presence of PHP anyway, to just read your entire result set into an array and then shuffle() it and then pick off the top however-many entries? Of course, that won't be very memory-efficient for particularly large data sets...
---
Mark Roedel           | Blessed is he who has learned to laugh
Systems Programmer    | at himself, for he shall never cease
LeTourneau University | to be entertained.
Longview, Texas, USA  |          -- John Powell
-Original Message- From: Gerard Samuel [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 11:19 AM To: Doug Thompson Cc: Becoming Digital; PHP-DB Subject: Re: [PHP-DB] Rand() Emulation
I'm probably not making myself clear. Ultimately, my goal is to emulate mysql's - SELECT * FROM TABLE ORDER BY RAND() LIMIT (X) for other databases that do not support RAND(). So using variations of php's rand() wouldn't make sense, as it only picks one value out of a range of values that are numerical in nature. But here is an idea that I'm thinking about, but haven't gotten to the code as yet.
1. In the tables that I want random values from, create a rand column that contains incremental numerical values for each row.
2. Select the maximum number from the rand column.
3. Assume that there are no gaps between 0 and this max number.
4. Create an array of numbers with values between 0 and max number.
5. Use array_rand() to randomly choose (x) values from the array created in step 4. (I may choose maybe 1 or 2 values more than what's required, just in case of gaps between 0 and max number in step 3).
6. Use these randomly chosen values to select from the database as random rows.
So hopefully it's a bit clearer what I'm striving for. To me the idea above would work, but it hinges on whether that rand column doesn't have gaps. If you see room for improvement, or have another idea, or if I'm talking gibberish then by all means. Thanks.
Doug Thompson wrote:
An incredible interpretation of: "If called without the optional min, max arguments rand() returns a pseudo-random value between 0 and RAND_MAX. If you want a random number between 5 and 15 (inclusive), for example, use rand (5, 15)." Doug
Re: [PHP-DB] Re: extract( $HTTP_POST_VARS ); ------------ what does this do?
Pete, I got my problem sorted out, thanks for directing me to the manual. I'm not too fond of the manual as I find it difficult to understand as I'm sure many newbies do. Turns out I didn't have to use that function but thank you anyway! Cheers, Graeme :)
- Original Message - From: Pete Morganic [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 6:32 PM Subject: [PHP-DB] Re: extract( $HTTP_POST_VARS ); what does this do?
http://uk2.php.net/extract
Boa Constructor wrote:
I'm wanting to overwrite the variables contained in a session, I read on the net somewhere that I could do this by explicitly making variables global, the code I looked at contained this: extract( $HTTP_POST_VARS ); What exactly does this do? Cheers, Graeme :)
Re: [PHP-DB] Re: extract( $HTTP_POST_VARS ); ------------ whatdoes this do?
PHP newbie - Yipee. If you're a Windows user then the CHM version of the manual is cool (that's what I use). I learn most of my stuff at the zend tutorials http://www.zend.com/zend/tut/ have fun Pete
Boa Constructor wrote:
Pete, I got my problem sorted out, thanks for directing me to the manual. I'm not too fond of the manual as I find it difficult to understand as I'm sure many newbies do. Turns out I didn't have to use that function but thank you anyway! Cheers, Graeme :)
- Original Message - From: Pete Morganic [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, June 24, 2003 6:32 PM Subject: [PHP-DB] Re: extract( $HTTP_POST_VARS ); what does this do?
http://uk2.php.net/extract
Boa Constructor wrote:
I'm wanting to overwrite the variables contained in a session, I read on the net somewhere that I could do this by explicitly making variables global, the code I looked at contained this: extract( $HTTP_POST_VARS ); What exactly does this do? Cheers, Graeme :)
[PHP-DB] delay on insert into database
Hi, I am using a php form to insert data into my MySQL database. When the form is submitted, it displays the content that has to be inserted into the db. At the first click the display appears as if nothing was typed into the form. If I go back and wait for about 30 seconds and then submit the data, it is being inserted into the database. Any ideas?
Packages: Apache 1.3.27, MySQL 3.23.56, PHP Version 4.3.2
Thanks Julian
Re: [PHP-DB] Rand() Emulation
Yes, it's more than possible to do as you suggested, but as you implied, not very friendly when it comes to large result sets...
Roedel, Mark wrote:
Might it be simpler, since you're assuming the presence of PHP anyway, to just read your entire result set into an array and then shuffle() it and then pick off the top however-many entries? Of course, that won't be very memory-efficient for particularly large data sets...
Re: [PHP-DB] ideas for Affiliate Program.....
Thanks Mike, I downloaded and implemented that program to see how it works, but my Affiliate Program will do so much more than that... and is more complicated. I know what to do... just have a little concern about not paying Affiliates what they deserve... I don't want to under pay or over pay them... just thought that I can't really think as good as many of you... so if you think there is a better way of tracking who gets what credit, please let me know. As of right now, I am tracking them the way I told you: Aff_id and Client_ip. Thanks anyway.. KD
On Tue, 24 Jun 2003, mike karthauser wrote:
on 24/6/03 4:59 pm, Kieu D. Trang at [EMAIL PROTECTED] wrote:
Has anyone ever done anything similar and have other suggestions? I am working on it, but am still looking for better ways of doing it... thanks in advance..
You want to look on sourceforge for a project called php affiliate. I think that should save you some time ;-)
-- Mike Karthauser Managing Director - Brightstorm Ltd Email [EMAIL PROTECTED] Web http://www.brightstorm.co.uk Tel 0117 9426653 (office) 07939 252144 (mobile) Snailmail Unit 8, 14 King Square, Bristol BS2 8JJ
[PHP-DB] mcrypt: Is length of ciphertexts predictable?
I'm working on a system that requires a database and we would like to encrypt the data in certain table fields. Let's say it is name information (which it isn't really, nor is it credit card info, so arguments about how credit cards should really be treated/stored/not-stored aren't useful.) Names are variable length but up to some maximum, so if you were to store them plaintext you might make field name VARCHAR(32). I have a few questions:
1) Block encryption produces ciphertext that is possibly longer than the plaintext. I'm using mcrypt and I don't know which encryption algorithm I am going to use yet. Is it possible to predict what the maximum length of the ciphertext will be? I need to know this so that I can pick a larger VARCHAR(???) that is capable of holding the ciphertext that results from the block encryption of the plaintext (that is at most 32 characters). I would rather be precise and not waste space with something like VARCHAR(2048).
2) If it is predictable, could somebody elaborate on the function used to predict the cipher length given a plaintext length of n? f(n) == ? Feel free to insert other useful variables such as key length or such.
3) If my plaintext is not an even block size in length I assume the ciphertext will have appended padding data to fill the blocks it needs. When I decrypt such a cipher text do I get back my exact plaintext or do I get back plaintext plus the padding that was used?
Thank you, Jeff Wiegley
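The length function f(n) asked about above, and what comes back on decryption, worked through in an added PHP example that is not part of the original post. It assumes AES-128-CBC through the OpenSSL extension rather than mcrypt (mcrypt was removed from core PHP in 7.2), emulates mcrypt-style zero padding by hand, and uses hypothetical constant and function names.

```php
<?php
// Added example (not from the thread): predicting stored ciphertext size.
// Assumptions: AES-128-CBC via the OpenSSL extension; constant and function
// names are hypothetical; plaintexts are constructed samples.

const CIPHER = 'aes-128-cbc';
const BLOCK  = 16; // AES block size in bytes; the key length does not change it

// Zero padding (the scheme mcrypt applied): round up to a whole block.
function zero_padded_len(int $n): int
{
    return intdiv($n + BLOCK - 1, BLOCK) * BLOCK;
}

// PKCS#7 (OpenSSL's default): always adds 1..BLOCK bytes, so a plaintext
// that exactly fills its last block still grows by one full block.
function pkcs7_len(int $n): int
{
    return (intdiv($n, BLOCK) + 1) * BLOCK;
}

// Column width when IV + ciphertext are stored together, base64-encoded.
function stored_len(int $cipherBytes): int
{
    return 4 * intdiv(BLOCK + $cipherBytes + 2, 3);
}

function encrypt_zero(string $plain, string $key, string $iv): string
{
    $padded = str_pad($plain, zero_padded_len(strlen($plain)), "\0");
    // OPENSSL_ZERO_PADDING turns OpenSSL's own padding off; the input must
    // already be a whole number of blocks.
    return openssl_encrypt($padded, CIPHER, $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
}

function decrypt_zero(string $ct, string $key, string $iv): string
{
    // The padding bytes come back as part of the plaintext.
    return openssl_decrypt($ct, CIPHER, $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
}

$key   = random_bytes(16);
$ivLen = openssl_cipher_iv_length(CIPHER);

foreach ([5, 16, 31, 32] as $n) {
    $plain = str_repeat('A', $n);   // constructed sample value
    $iv1   = random_bytes($ivLen);  // fresh IV for every stored value
    $iv2   = random_bytes($ivLen);

    $zero = encrypt_zero($plain, $key, $iv1);
    $pkcs = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv2);

    printf("n=%2d  zero padding: %2d bytes (f(n)=%2d)  PKCS#7: %2d bytes (f(n)=%2d)\n",
        $n, strlen($zero), zero_padded_len($n), strlen($pkcs), pkcs7_len($n));
    printf("      base64(IV + ciphertext): %d chars / %d chars\n",
        stored_len(strlen($zero)), stored_len(strlen($pkcs)));

    // Question 3: what does decryption hand back?
    $backZero = decrypt_zero($zero, $key, $iv1);
    $backPkcs = openssl_decrypt($pkcs, CIPHER, $key, OPENSSL_RAW_DATA, $iv2);
    printf("      decrypt returns %d bytes with zero padding (%d after rtrim), %d with PKCS#7\n",
        strlen($backZero), strlen(rtrim($backZero, "\0")), strlen($backPkcs));
}
```

Stripping zero padding with rtrim() is ambiguous for values that legitimately end in NUL bytes, which PKCS#7 avoids. CBC on its own gives no integrity protection, so a design that also authenticates the ciphertext needs room for the tag in the column width.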
Re: [PHP-DB] Rand() Emulation
Ultimately, my goal is to emulate mysql's - SELECT * FROM TABLE ORDER BY RAND() LIMIT (X) for other databases that do not support RAND().

Which are those?

To me the idea above would work, but it hinges on if that rand column, doesn't have gaps.

Use your table's primary key, assuming there is one. This saves creating what is otherwise unnecessary data, but you'll still face gaps if records are deleted.

Edward Dudlik
Becoming Digital
www.becomingdigital.com

Did I help you? Want to show your thanks? www.amazon.com/o/registry/EGDXEBBWTYUU

- Original Message -
From: Gerard Samuel [EMAIL PROTECTED]
To: Doug Thompson [EMAIL PROTECTED]
Cc: Becoming Digital [EMAIL PROTECTED]; PHP-DB [EMAIL PROTECTED]
Sent: Tuesday, 24 June, 2003 12:19
Subject: Re: [PHP-DB] Rand() Emulation

I'm probably not making myself clear. Ultimately, my goal is to emulate mysql's - SELECT * FROM TABLE ORDER BY RAND() LIMIT (X) for other databases that do not support RAND(). So using variations of php's rand(), wouldn't make sense, as it only picks one value out of a range of values, that are numerical in nature. But here is an idea, that I'm thinking about, but haven't gotten to the code as yet.

1. In the tables that I want random values from, create a rand column, that contains incremental numerical values for each row.
2. Select the maximum number from the rand column.
3. Assume that there are no gaps between 0 and this max number.
4. Create an array of numbers with values between 0 and max number.
5. Use array_rand() to randomly choose (x) values from the array created in step 4. (I may choose maybe a 1 or 2 values more than what's required, just in case of gaps between 0 and max number in step 3).
6. Use these randomly chosen values to select from the database as random rows.

So hopefully it's a bit clearer what I'm striving for. To me the idea above would work, but it hinges on if that rand column, doesn't have gaps. If you see room for improvement, or have another idea, or if I'm talking gibberish then by all means.

Thanks.

Doug Thompson wrote:

An incredible interpretation of

quote
If called without the optional min, max arguments rand() returns a pseudo-random value between 0 and RAND_MAX. If you want a random number between 5 and 15 (inclusive), for example, use rand (5, 15).
/quote

Doug
Re: [PHP-DB] Rand() Emulation
On Wednesday 25 June 2003 00:19, Gerard Samuel wrote:

I'm probably not making myself clear. Ultimately, my goal is to emulate mysql's - SELECT * FROM TABLE ORDER BY RAND() LIMIT (X) for other databases that do not support RAND(). So using variations of php's rand(), wouldn't make sense, as it only picks one value out of a range of values, that are numerical in nature. But here is an idea, that I'm thinking about, but haven't gotten to the code as yet.

1. In the tables that I want random values from, create a rand column, that contains incremental numerical values for each row.
2. Select the maximum number from the rand column.
3. Assume that there are no gaps between 0 and this max number.
4. Create an array of numbers with values between 0 and max number.
5. Use array_rand() to randomly choose (x) values from the array created in step 4. (I may choose maybe a 1 or 2 values more than what's required, just in case of gaps between 0 and max number in step 3).
6. Use these randomly chosen values to select from the database as random rows.

Here's a trick taken from Paul DuBois' MySQL book:

SELECT ..., some_column * 0 + RAND() as rand_col FROM ... ORDER BY rand_col;

I've not tried it myself so YMMV.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post http://marc.theaimsgroup.com/?l=php-db
--
Re: [PHP-DB] md5 question!
On Tuesday 24 June 2003 21:08, JeRRy wrote:

I guess technically there MUST be a way to break the barrier where you can reverse it. If there is a way to make it there is always a way to break it, somehow.

Consider that whatever sized input you give it, after it's been md5'ed, you'll get a 32 char hex string. Now how can a 32 byte string be converted back into a multi-gigabyte file (or whatever)?

It is technically possible to create two different inputs which result in the same hash but the chances of that are very remote and hence why md5 is pretty secure.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post http://marc.theaimsgroup.com/?l=php-db
--
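The counting argument in the reply above, as an added example that is not part of the original thread: the digest is always 128 bits, so distinct inputs must share digests, and on a digest truncated to a few bits a shared value turns up quickly. The inputs `msg-0`, `msg-1`, ... and the function names are constructed for this sketch.

```python
import hashlib
from itertools import count

def md5_hex(data: bytes) -> str:
    """MD5 digest as 32 hex characters (128 bits), whatever the input size."""
    return hashlib.md5(data).hexdigest()

def prefix_of(data: bytes, bits: int) -> int:
    """First `bits` bits of the MD5 digest, as an integer."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def truncated_collision(bits: int = 24):
    """Hash msg-0, msg-1, ... until two inputs share the first `bits` digest bits.

    Returns (first_input, second_input, inputs_hashed). With only 2**bits
    possible prefixes, a repeat is guaranteed within 2**bits + 1 inputs and
    is expected after roughly 2**(bits / 2).
    """
    seen = {}
    for i in count():
        msg = b"msg-%d" % i
        p = prefix_of(msg, bits)
        if p in seen:
            return seen[p], msg, i + 1
        seen[p] = msg

if __name__ == "__main__":
    # Output size does not depend on input size.
    print(len(md5_hex(b"")), len(md5_hex(b"x" * 1_000_000)))
    a, b, tried = truncated_collision(24)
    print(a, b, tried, md5_hex(a)[:6], md5_hex(b)[:6])
```

The cost of this generic search grows as about 2^(bits/2) inputs, so it does not scale to the full 128-bit digest; the MD5 collisions published after this thread came from cryptanalysis of the algorithm rather than from a search like this one.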
Re: [PHP-DB] Rand() Emulation
Becoming Digital wrote:

Ultimately, my goal is to emulate mysql's - SELECT * FROM TABLE ORDER BY RAND() LIMIT (X) for other databases that do not support RAND().

Which are those?

Currently mySQL, PostgreSQL, and MSSQL.

To me the idea above would work, but it hinges on if that rand column, doesn't have gaps.

Use your table's primary key, assuming there is one. This saves creating what is otherwise unnecessary data, but you'll still face gaps if records are deleted.

Unfortunately, my primary keys are not numerical, thus the creation of a column with numerical values. Hopefully by next week, I should be ready to try out my pseudo code, and see how it plays out. If it doesn't work out, I guess no random selection happening in my code :)

Thanks
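A sketch of the six-step plan discussed in this thread, as an added example that is not code from any of the posters, in Python with the standard-library sqlite3 module standing in for the target database. The table `items`, the column `rand_id` and the function names are constructed; as a generalization of the plan it samples between MIN and MAX instead of 0 and MAX, and it keeps drawing batches of ids until the gaps are covered instead of assuming there are none.

```python
import random
import sqlite3

def random_rows(conn, table, id_col, k, extra=2, rng=random):
    """Return up to k random rows, sampling ids in the application (no SQL RAND())."""
    # Identifiers cannot be bound as parameters, so accept plain names only.
    for name in (table, id_col):
        if not name.isidentifier():
            raise ValueError("unsafe identifier: %r" % (name,))
    if k <= 0:
        return []
    lo, hi = conn.execute(
        f"SELECT MIN({id_col}), MAX({id_col}) FROM {table}").fetchone()
    if lo is None:                      # empty table
        return []
    pool = list(range(lo, hi + 1))      # step 4: every candidate id, gaps included
    rng.shuffle(pool)                   # step 5: random order
    rows, batch = [], k + extra         # ask for a few spare ids per query
    for start in range(0, len(pool), batch):
        ids = pool[start:start + batch]
        marks = ",".join("?" * len(ids))
        rows += conn.execute(           # step 6: values are bound, not interpolated
            f"SELECT * FROM {table} WHERE {id_col} IN ({marks})", ids).fetchall()
        if len(rows) >= k:              # gaps may leave a batch short; keep drawing
            break
    rng.shuffle(rows)                   # IN (...) does not return rows in random order
    return rows[:k]

def build_demo_db():
    """Constructed sample data: ids 3, 4, 6, 7, 8 are gaps left by deleted rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (rand_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "a"), (2, "b"), (5, "c"), (9, "d"), (10, "e")])
    return conn

if __name__ == "__main__":
    print(random_rows(build_demo_db(), "items", "rand_id", 3))
```

Building the full id list costs memory proportional to MAX - MIN, which is the same trade-off as step 4 of the plan.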
[PHP-DB] mssql and dts
Hi everyone!

I am looking for a way to use MSSQL Data Transformation Services (DTS) via PHP. Could anyone give some help on getting started? Or some tips on where to find some manuals? Any help would be greatly appreciated.

Thanks for your help in advance!

Best regards,
Sven