Re: [PHP] md5() number of arguments
oops, miscounted a position of the md5 parentheses :-0

Jason k Larson wrote:
> First of all, the example you gave is only using one argument to the MD5 function.
>
> Secondly, if you *want* to seed/salt the MD5 with a key you can use: http://www.php.net/manual/en/ref.mhash.php
>
> --
> Jason k Larson
>
> aka: der Ritter Dennis Gearon wrote:
> > The usage of md5() in PHPLIB shows TWO arguments, a seed and the string. Nothing in the online manual shows 2 args. What's the dealio?
> >
> > Line 111 from PHPLIB7.2c - session.inc:
> >
> > $id = $this->that->ac_newid(md5(uniqid($this->magic)), $this->name);

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] md5() number of arguments
I don't see anywhere on that page where it shows using a seed. It shows **selecting a hash algorithm**, but no salt. Maybe that's the second argument that you're looking at.

Jason k Larson wrote:
> First of all, the example you gave is only using one argument to the MD5 function.
>
> Secondly, if you *want* to seed/salt the MD5 with a key you can use: http://www.php.net/manual/en/ref.mhash.php
>
> --
> Jason k Larson
>
> aka: der Ritter Dennis Gearon wrote:
> > The usage of md5() in PHPLIB shows TWO arguments, a seed and the string. Nothing in the online manual shows 2 args. What's the dealio?
> >
> > Line 111 from PHPLIB7.2c - session.inc:
> >
> > $id = $this->that->ac_newid(md5(uniqid($this->magic)), $this->name);
Re: [PHP] md5() number of arguments
mhash
(PHP 3>= 3.0.9, PHP 4 )
mhash -- Compute hash

Description:
string mhash ( int hash, string data [, string key])
                                               ^ salt/seed/key - whatever you want to call it

--
Jason k Larson

Dennis Gearon wrote:
> I don't see anywhere on that page where it shows using a seed. It shows **selecting a hash algorithm**, but no salt. Maybe that's the second argument that you're looking at.
>
> Jason k Larson wrote:
> > First of all, the example you gave is only using one argument to the MD5 function.
> >
> > Secondly, if you *want* to seed/salt the MD5 with a key you can use: http://www.php.net/manual/en/ref.mhash.php
> >
> > --
> > Jason k Larson
> >
> > aka: der Ritter Dennis Gearon wrote:
> > > The usage of md5() in PHPLIB shows TWO arguments, a seed and the string. Nothing in the online manual shows 2 args. What's the dealio?
> > >
> > > Line 111 from PHPLIB7.2c - session.inc:
> > >
> > > $id = $this->that->ac_newid(md5(uniqid($this->magic)), $this->name);
Re: [PHP] md5() number of arguments
What page is that on?

BTW, I figured out I could just prepend a long, complex string to whatever I am hashing and it will 'seed' it before it gets to my stuff.

Jason k Larson wrote:
> mhash
> (PHP 3>= 3.0.9, PHP 4 )
> mhash -- Compute hash
>
> Description:
> string mhash ( int hash, string data [, string key])
>                                                ^ salt/seed/key - whatever you want to call it
>
> --
> Jason k Larson
>
> Dennis Gearon wrote:
> > I don't see anywhere on that page where it shows using a seed. It shows **selecting a hash algorithm**, but no salt. Maybe that's the second argument that you're looking at.
> >
> > Jason k Larson wrote:
> > > First of all, the example you gave is only using one argument to the MD5 function.
> > >
> > > Secondly, if you *want* to seed/salt the MD5 with a key you can use: http://www.php.net/manual/en/ref.mhash.php
> > >
> > > --
> > > Jason k Larson
> > >
> > > aka: der Ritter Dennis Gearon wrote:
> > > > The usage of md5() in PHPLIB shows TWO arguments, a seed and the string. Nothing in the online manual shows 2 args. What's the dealio?
> > > >
> > > > Line 111 from PHPLIB7.2c - session.inc:
> > > >
> > > > $id = $this->that->ac_newid(md5(uniqid($this->magic)), $this->name);
Re: [PHP] md5() number of arguments
First of all, the example you gave is only using one argument to the MD5 function.

Secondly, if you *want* to seed/salt the MD5 with a key you can use: http://www.php.net/manual/en/ref.mhash.php

--
Jason k Larson

aka: der Ritter Dennis Gearon wrote:
> The usage of md5() in PHPLIB shows TWO arguments, a seed and the string. Nothing in the online manual shows 2 args. What's the dealio?
>
> Line 111 from PHPLIB7.2c - session.inc:
>
> $id = $this->that->ac_newid(md5(uniqid($this->magic)), $this->name);
RE: [PHP] md5 encrypt problem
> Having a wee bit o' trouble with a simple md5 script:
>
> for ($x = 1; $x < 62; $x++) {
>     $mypass = "sports" . $x;
>     $mypass = md5($mypass);
>     dbConnect("UPDATE user_login SET password = '$mypass' WHERE school_id = $x");
> }
>
> For some reason, when I attempt to login with my md5'd user supplied password I get no match. Bizarre, haven't had this problem before...

Is the 'password' column in your database a CHAR or VARCHAR column with a length of 32? If it is, then show the code where you validate someone logging in.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/
Re: [PHP] md5 encrypt problem
Exactly right, John. Sorry to clutter the forum -- it was a varchar(30)!

Thanks,

--Noah

- Original Message -
From: John W. Holmes [EMAIL PROTECTED]
To: 'CF High' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 4:06 AM
Subject: RE: [PHP] md5 encrypt problem

> Having a wee bit o' trouble with a simple md5 script:
>
> for ($x = 1; $x < 62; $x++) {
>     $mypass = "sports" . $x;
>     $mypass = md5($mypass);
>     dbConnect("UPDATE user_login SET password = '$mypass' WHERE school_id = $x");
> }
>
> For some reason, when I attempt to login with my md5'd user supplied password I get no match. Bizarre, haven't had this problem before...

Is the 'password' column in your database a CHAR or VARCHAR column with a length of 32? If it is, then show the code where you validate someone logging in.

---John W. Holmes...
Re: [PHP] MD5 Passwords (How it works?)
On Mon, 17 Feb 2003, Vernon wrote:

> I'm thinking that the MD5 function more than likely encrypts a password to store into a database, and when you log in using the MD5 function it will simply encrypt the value being passed along again the same way. Now I'm wondering what happens when a user has lost their password and needs to retrieve it, there is no way to reverse the process is there?

md5 is one-way encryption. I use a password 'hint' field in conjunction with md5.

--
Greg Donald
http://destiney.com
Re: [PHP] MD5 Passwords (How it works?)
No, it's not reversible. When a user loses their password, you must generate a new one. To stop malicious users from requesting a new password for a user they dislike with a program (and stopping the user from logging in, since their password keeps changing), a link with a random code is sent to their email. The password is only changed when they visit the link, with the random code being correct.

Vernon wrote:
> I'm thinking that the MD5 function more than likely encrypts a password to store into a database, and when you log in using the MD5 function it will simply encrypt the value being passed along again the same way. Now I'm wondering what happens when a user has lost their password and needs to retrieve it, there is no way to reverse the process is there?
>
> Thanks

--
The above message is encrypted with double rot13 encoding. Any unauthorized attempt to decrypt it will be prosecuted to the full extent of the law.
Re: [PHP] MD5 Password Login Driving me Crazy
on 18/02/03 6:42 AM, Vernon ([EMAIL PROTECTED]) wrote:

> When the user goes to login into the page though I have the encrypted password echo to the page and they match except a 52 on the end of it which I am assuming is a space or something being picked up on submit or something. I recall there is a way to trim the field so that it doesn't pick up spaces but can't recall what it is. Anyone know what it is and if it could be that?

SEARCH THE MANUAL!!!

http://php.net/trim

Justin French
Re: [PHP] MD5 Passwords (How it works?)
on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:

> I'm thinking that the MD5 function more than likely encrypts a password to store into a database, and when you log in using the MD5 function it will simply encrypt the value being passed along again the same way. Now I'm wondering what happens when a user has lost their password and needs to retrieve it, there is no way to reverse the process is there?

No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character password will both have the same length md5 value).

You would need to write a script which resets their password, and sends it to them via email. If they've forgotten what password they set, then they're obviously not too precious about it being the same password.

Reset it to something random, send it to them via email (handy for confirming their email address is still valid), and let them login with that password, and change it to something else if they wish.

Justin French
Re: [PHP] MD5 Passwords (How it works?)
If you do a password reset system please remember not to reset the password before they confirm who they are.

This means instead of having them entering their login and email address and immediately resetting their password send the account owner an e-mail with a link that will reset their password, if you have SSL make the link go over SSL that way the traffic is secure.

The link should contain a unique id that was randomly generated and stored in the database, when they click the link validate the account name, email address and the unique id, if they match reset the password and remove the unique id from the list of approved id's, this prevents someone from replaying the URL and resetting the password again.

Jason

On Mon, 2003-02-17 at 17:48, Justin French wrote:
> on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:
>
> > I'm thinking that the MD5 function more than likely encrypts a password to store into a database, and when you log in using the MD5 function it will simply encrypt the value being passed along again the same way. Now I'm wondering what happens when a user has lost their password and needs to retrieve it, there is no way to reverse the process is there?
>
> No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character password will both have the same length md5 value).
>
> You would need to write a script which resets their password, and sends it to them via email. If they've forgotten what password they set, then they're obviously not too precious about it being the same password.
>
> Reset it to something random, send it to them via email (handy for confirming their email address is still valid), and let them login with that password, and change it to something else if they wish.
>
> Justin French
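The reset flow Jason describes, as an added example that is not part of the original post. The class name, the in-memory array standing in for the database table, the `example.test` URL, the one-hour expiry and the choice to store only a SHA-256 digest of the id are assumptions of this sketch.

```php
<?php
declare(strict_types=1);

// Hypothetical store; $pending stands in for the database table of approved ids.
final class PasswordResetStore
{
    /** Pending requests, keyed by SHA-256 of the id so a leaked table holds no usable links. */
    private $pending = [];
    private $ttl;

    public function __construct(int $ttlSeconds = 3600)
    {
        $this->ttl = $ttlSeconds;
    }

    // Step 1: a reset is requested. The password is NOT touched here; only a
    // random id is recorded and the link is sent to the account owner.
    public function request(string $account, string $email, int $now): string
    {
        $id = bin2hex(random_bytes(32)); // 256 bits from the system CSPRNG
        $this->pending[hash('sha256', $id)] = [
            'account' => $account,
            'email'   => $email,
            'expires' => $now + $this->ttl,
        ];
        // HTTPS link, as the post advises when SSL is available (constructed URL).
        return 'https://example.test/reset.php?'
             . http_build_query(['account' => $account, 'id' => $id]);
    }

    // Step 2: the link is visited. Account name, e-mail address and id must all
    // match. The id is removed before the checks, so the URL cannot be replayed
    // and a failed attempt also consumes it.
    public function redeem(string $account, string $email, string $id, int $now): bool
    {
        $key = hash('sha256', $id);
        if (!isset($this->pending[$key])) {
            return false; // unknown id, or one that was already used
        }
        $row = $this->pending[$key];
        unset($this->pending[$key]);

        return $row['account'] === $account
            && $row['email'] === $email
            && $now <= $row['expires'];
    }
}

// Constructed walk-through with fixed timestamps.
$store = new PasswordResetStore();

$link = $store->request('vernon', 'vernon@example.test', 1000);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

$first  = $store->redeem('vernon', 'vernon@example.test', $query['id'], 1500);
// On success the application would now set and store the new password.
$replay = $store->redeem('vernon', 'vernon@example.test', $query['id'], 1600);

$link2 = $store->request('vernon', 'vernon@example.test', 2000);
parse_str((string) parse_url($link2, PHP_URL_QUERY), $query2);
$late  = $store->redeem('vernon', 'vernon@example.test', $query2['id'], 2000 + 3601);

echo 'first visit accepted: ', var_export($first, true), "\n";
echo 'replayed link accepted: ', var_export($replay, true), "\n";
echo 'expired link accepted: ', var_export($late, true), "\n";
```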
Re: [PHP] MD5 Passwords (How it works?)
Very true -- forgot to mention that step :)

Thanks for the reminder!!

Justin

on 18/02/03 12:49 PM, Jason Sheets ([EMAIL PROTECTED]) wrote:

> If you do a password reset system please remember not to reset the password before they confirm who they are.
>
> This means instead of having them entering their login and email address and immediately resetting their password send the account owner an e-mail with a link that will reset their password, if you have SSL make the link go over SSL that way the traffic is secure.
>
> The link should contain a unique id that was randomly generated and stored in the database, when they click the link validate the account name, email address and the unique id, if they match reset the password and remove the unique id from the list of approved id's, this prevents someone from replaying the URL and resetting the password again.
>
> Jason
>
> On Mon, 2003-02-17 at 17:48, Justin French wrote:
> > on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:
> >
> > > I'm thinking that the MD5 function more than likely encrypts a password to store into a database, and when you log in using the MD5 function it will simply encrypt the value being passed along again the same way. Now I'm wondering what happens when a user has lost their password and needs to retrieve it, there is no way to reverse the process is there?
> >
> > No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character password will both have the same length md5 value).
> >
> > You would need to write a script which resets their password, and sends it to them via email. If they've forgotten what password they set, then they're obviously not too precious about it being the same password.
> >
> > Reset it to something random, send it to them via email (handy for confirming their email address is still valid), and let them login with that password, and change it to something else if they wish.
> >
> > Justin French
Re: [PHP] MD5 Passwords (How it works?)
On Tuesday 18 February 2003 01:03, Greg Donald wrote:

> md5 is one-way encryption. I use a password 'hint' field in conjunction with md5.

It is not an encryption at all -- it's a hash. Encryption implies a corresponding decryption, so a one-way encryption is either useless or an oxymoron.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
The Angels want to wear my red shoes. -- E. Costello
*/
Re: [PHP] md5()
You reset the password to something new... either manually (a person) or with a self-help script.

md5 is one way encryption.

Justin

on 24/12/02 12:38 AM, Edward Peloke ([EMAIL PROTECTED]) wrote:

> I don't want to store my users' passwords in the db as clear text so I know I can use md5(). But, what do I do when a user has forgotten his/her password and I need to send it to them? Can I reverse md5()?
>
> Thanks,
> Eddie
Re: [PHP] md5()
Edward Peloke wrote:

> I don't want to store my users' passwords in the db as clear text so I know I can use md5(). But, what do I do when a user has forgotten his/her password and I need to send it to them? Can I reverse md5()?

No. You send them a new password. Ideally, the only person who should know the unencrypted user's password is the user themselves.

HTH

Chris
Re: [PHP] md5()
On Monday 23 December 2002 14:38, Edward Peloke wrote:

> [...] Can I reverse md5()?

No. You could only send the user a new password which must be activated.

johannes
RE: [PHP] md5()
Thanks Johannes and Chris! That is what I will do.

Eddie

-Original Message-
From: Johannes Schlueter [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 23, 2002 8:36 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] md5()

On Monday 23 December 2002 14:38, Edward Peloke wrote:

> [...] Can I reverse md5()?

No. You could only send the user a new password which must be activated.

johannes
Re: [PHP] md5 question
On Friday 06 December 2002 15:41, conbud wrote:

> Hey. Is there a way to get the actual word/phrase from the long string that the md5 hash creates. Let's say, is there a way find out what b9f6f788d4a1f33a53b2de5d20c338ac stands for in actual words ?

Consider this, md5() takes (practically) any size of string as input and returns a 32 char string. So you give it a 1MB string and in return you get a 32 byte string -- how on earth are you going to reverse this process and get your original 1MB string from your measly 32 byte string?

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *

/*
Ubi non accusator, ibi non judex. (Where there is no police, there is no speed limit.) -- Roman Law, trans. Petr Beckmann (1971)
*/
Re: [PHP] md5 question
On Fri, 6 Dec 2002, conbud wrote:

> Hey. Is there a way to get the actual word/phrase from the long string that the md5 hash creates. Let's say, is there a way find out what b9f6f788d4a1f33a53b2de5d20c338ac stands for in actual words ?

In all cases, an md5sum string means, "You've got better things to do besides trying to figure out what this string means, trust me." ;)

Check RFC 1321. http://www.ietf.org/rfc/rfc1321.txt

~Chris
Re: [PHP] md5() ...
Show us the output of:

select login, password from user where login='sysdata';

My guess is that the password is not 1b1c2457d12dd976d4cfa556ac6661f6 - the md5 of sysdata.

Chris

Reymond wrote:

> I have login = sysdata and password = sysdata on md5 function
>
> How to select md5 function
>
> mysql> select COUNT(*) AS result from User where login = "sysdata" and password = md5("sysdata");
> +--------+
> | result |
> +--------+
> |      0 |
> +--------+
> 1 row in set (0.00 sec)
>
> I wanna the result display 1 like this one
>
> mysql> select COUNT(*) AS result from User where login = "sysdata";
> +--------+
> | result |
> +--------+
> |      1 |
> +--------+
> 1 row in set (0.00 sec)
RE: [PHP] md5() ...
This is output...

select login, password from User where login = 'sysdata';
+---------+----------------------+
| login   | password             |
+---------+----------------------+
| sysdata | 1b1c2457d12dd976d4cf |
+---------+----------------------+
1 row in set (0.00 sec)

Cause I just password's field int(20) ..??

-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 15, 2002 11:17 AM
To: Reymond
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] md5() ...

Show us the output of:

select login, password from user where login='sysdata';

My guess is that the password is not 1b1c2457d12dd976d4cfa556ac6661f6 - the md5 of sysdata.

Chris

Reymond wrote:

> I have login = sysdata and password = sysdata on md5 function
>
> How to select md5 function
>
> mysql> select COUNT(*) AS result from User where login = "sysdata" and password = md5("sysdata");
> +--------+
> | result |
> +--------+
> |      0 |
> +--------+
> 1 row in set (0.00 sec)
>
> I wanna the result display 1 like this one
>
> mysql> select COUNT(*) AS result from User where login = "sysdata";
> +--------+
> | result |
> +--------+
> |      1 |
> +--------+
> 1 row in set (0.00 sec)
RE: [PHP] md5() ...
Upss sorry... My password's field Varchar(20) ...

-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 15, 2002 11:17 AM
To: Reymond
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] md5() ...

Show us the output of:

select login, password from user where login='sysdata';

My guess is that the password is not 1b1c2457d12dd976d4cfa556ac6661f6 - the md5 of sysdata.

Chris

Reymond wrote:

> I have login = sysdata and password = sysdata on md5 function
>
> How to select md5 function
>
> mysql> select COUNT(*) AS result from User where login = "sysdata" and password = md5("sysdata");
> +--------+
> | result |
> +--------+
> |      0 |
> +--------+
> 1 row in set (0.00 sec)
>
> I wanna the result display 1 like this one
>
> mysql> select COUNT(*) AS result from User where login = "sysdata";
> +--------+
> | result |
> +--------+
> |      1 |
> +--------+
> 1 row in set (0.00 sec)
Re: [PHP] md5() ...
Yeah, that's a little short for md5, plus you want to allow alphabetic characters, too. Try varchar(32).

Happy hacking.

Chris

Reymond wrote:

> This is output...
>
> select login, password from User where login = 'sysdata';
> +---------+----------------------+
> | login   | password             |
> +---------+----------------------+
> | sysdata | 1b1c2457d12dd976d4cf |
> +---------+----------------------+
> 1 row in set (0.00 sec)
>
> Cause I just password's field int(20) ..??
RE: [PHP] md5() ...
Thank you... I got it... :)

-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 15, 2002 11:44 AM
To: Reymond
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] md5() ...

Yeah, that's a little short for md5, plus you want to allow alphabetic characters, too. Try varchar(32).

Happy hacking.

Chris

Reymond wrote:

> This is output...
>
> select login, password from User where login = 'sysdata';
> +---------+----------------------+
> | login   | password             |
> +---------+----------------------+
> | sysdata | 1b1c2457d12dd976d4cf |
> +---------+----------------------+
> 1 row in set (0.00 sec)
>
> Cause I just password's field int(20) ..??
Re: [PHP] md5 php vs. md5 perl
On Sun, 16 Jun 2002, Danny Kruitbosch wrote:

-Hi,
-
-I'm trying to rewrite a perl function to php. The function uses Digest::MD5.
-
-PHP md5() returns a 32 char hex number. The perl Digest::MD5 function
-returns a 16 char (ascii??) string. Can I also get this from PHP? If so
-how do I do that?

32 hex characters describes the 128 bit result from the MD5 routine no matter where it is run: PHP, Shell, whatever. This assumes one hex character stands for 4 bits = 32 x 4 = 128. This is the usual way of handling MD5 hashes as this is simple 7 bit ascii characters used to describe the hex numerals 0-9, A, B, C, D, E, and F.

If you use a full byte then you get 8 bits * 16 = 128. This result is an extended ascii string which may or may not be difficult to handle with built-in PHP functions.

You could write a routine that combines every two hex characters into one byte by converting the right hex to its numerical value (0 to 15), the left bit to its numerical value * 16, add them together to get the resulting byte value (0 to 255) and use it to build your 16 byte result. This should get you compatibility between the two different ways of describing MD5 hashes.

-
-My ultimate goal is to have compatible PHP/Perl functions.
-
-
-Thanks!
-
-Danny
-

**
John Huggins
VANet
[EMAIL PROTECTED]
http://www.va.net/
**
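The conversion routine John describes, as an added example that is not part of the original post, checked against PHP's built-in ways of getting the same 16 bytes. The function name `hex_digest_to_raw` is hypothetical; `md5($s, true)` needs PHP 5 or later and `hex2bin()` PHP 5.4 or later. On the Perl side, Digest::MD5 exposes the raw, hex and base64 forms as `md5()`, `md5_hex()` and `md5_base64()`.

```php
<?php
declare(strict_types=1);

// Combine every two hex characters into one byte:
// left digit * 16 + right digit, giving a value from 0 to 255.
function hex_digest_to_raw(string $hex): string
{
    if (strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        throw new InvalidArgumentException('expected an even-length hex string');
    }
    $raw = '';
    for ($i = 0, $n = strlen($hex); $i < $n; $i += 2) {
        $raw .= chr((int) hexdec($hex[$i]) * 16 + (int) hexdec($hex[$i + 1]));
    }
    return $raw;
}

$hex = md5('blah');               // 32 hex characters, like Perl's md5_hex()
$raw = hex_digest_to_raw($hex);   // 16 bytes, like Perl's md5()

$checks = [
    'hex length'               => strlen($hex),
    'raw length'               => strlen($raw),
    'manual == pack("H*")'     => $raw === pack('H*', $hex),
    'manual == hex2bin()'      => $raw === hex2bin($hex),
    'manual == md5($s, true)'  => $raw === md5('blah', true),
    'bin2hex(raw) == hex'      => bin2hex($raw) === $hex,
    // Perl's md5_base64() omits the trailing "=" padding.
    'md5_base64 equivalent'    => rtrim(base64_encode($raw), '='),
];

foreach ($checks as $label => $value) {
    printf("%-26s %s\n", $label, var_export($value, true));
}
```

When the two sides exchange digests, the raw form needs a binary-safe channel or column; the hex form survives any text transport.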
Re: [PHP] md5() different from md5sum on Linux
heheh you forgot something :)

echo "blah" is actually "blah\n"

# echo -n blah |md5sum
6f1ed002ab5595859014ebf0951522d9 stdin

-d

Mikhail Avrekh wrote:

> Hello,
>
> Don't know if this is a question of (mis)configuration; I'm posting this just in case someone had run into this before: PHP's native md5() appears to return a different value from Linux's md5sum command:
>
> [mavrekh ~]$ echo blah | md5sum
> 0d599f0ec05c3bda8c3b8a68c32a1b47 -
> [mavrekh ~]$ php testmd5.php
> X-Powered-By: PHP/4.0.3pl1
> Content-type: text/html
>
> 6f1ed002ab5595859014ebf0951522d9
> [mavrekh ~]$ cat testmd5.php
> <?=md5("blah")?>
>
> I've tried it without the quotes too, or with single quotes. I wonder if this is something that can be configured at compile time ? I'm using PHP/4.0.3pl1 RedHat7.1
>
> Thanks !
> M.
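The mismatches reported in these threads (a password column shorter than 32 characters, stray whitespace on the submitted value, and a newline hashed by `echo` without `-n`) can be told apart mechanically. The following is an added example, not code from any of the posts; the function name is hypothetical and the sample digests are the ones quoted in the messages above.

```php
<?php
declare(strict_types=1);

// Explain why a stored MD5 hex digest does not equal md5() of the submitted value.
function explain_md5_mismatch(string $submitted, string $stored): string
{
    $digest = md5($submitted);

    if (hash_equals($digest, $stored)) {
        return 'match';
    }
    // Column too short: the database silently kept only the first N hex characters.
    $n = strlen($stored);
    if ($n > 0 && $n < 32 && strncmp($digest, $stored, $n) === 0) {
        return "stored digest was truncated to $n of 32 characters";
    }
    // The submitted value carries whitespace the stored digest was computed without.
    if (hash_equals(md5(trim($submitted)), $stored)) {
        return 'submitted value has surrounding whitespace, trim() it first';
    }
    // The stored digest was computed over the value plus "\n" (echo without -n).
    if (hash_equals(md5($submitted . "\n"), $stored)) {
        return 'stored digest covers the value plus a trailing newline';
    }
    return 'digests differ for another reason';
}

// Inputs and digests as quoted in the threads on this page.
$cases = [
    ['sysdata', '1b1c2457d12dd976d4cfa556ac6661f6'], // full digest
    ['sysdata', '1b1c2457d12dd976d4cf'],             // varchar(20) column
    ["blah\n",  '6f1ed002ab5595859014ebf0951522d9'], // input picked up a newline
    ['blah',    '0d599f0ec05c3bda8c3b8a68c32a1b47'], // digest from `echo blah | md5sum`
];

foreach ($cases as [$submitted, $stored]) {
    printf(
        "%-10s %-34s %s\n",
        json_encode($submitted),
        $stored,
        explain_md5_mismatch($submitted, $stored)
    );
}
```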
Re: [PHP] md5 decrypt
On Wed, 5 Dec 2001, Dan McCullough wrote:

-Is there a way to take a md5 encrypted password and decrypt it and give that to the client, if they
-forgot their password.

No.

-
-=
-dan mccullough
-
-There's no such thing as a problem unless the servers are on fire!
-

**
John Huggins
VANet
7101 Oriole Avenue
Springfield, VA 22150
703-912-6453
703-912-4831 fax
[EMAIL PROTECTED]
http://www.va.net/
**

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] md5 decrypt
I'm pretty sure you can't. You would have to set up an area where they can have their password reset and the new password emailed to their email address.

Jeff

- Original Message -
From: Dan McCullough [EMAIL PROTECTED]
To: PHP General List [EMAIL PROTECTED]
Sent: Wednesday, December 05, 2001 2:21 PM
Subject: [PHP] md5 decrypt

Is there a way to take a md5 encrypted password and decrypt it and give that to the client, if they forgot their password.

=
dan mccullough

There's no such thing as a problem unless the servers are on fire!
Re: [PHP] md5 decrypt
Dan McCullough [EMAIL PROTECTED] wrote:

> Is there a way to take a md5 encrypted password and decrypt it and give that to the client, if they forgot their password.

Short answer is no, long answer below. I just answered this on another list 10 minutes ago so I'm pasting in part of my reply unedited.

You could use something like John the Ripper, which is a password cracker you can install on the server. It works by taking a list of words, word-number combinations, etc. from a dictionary and encrypting them, then comparing the encrypted results with the encrypted passwords stored on your server. If there's a match it notes the cracked password. It's good for detecting weak passwords and can actually detect them very quickly, but if the passwords are strong then it's not effective for your purposes (that's a good thing) since by the time it cracked the password (if it did) your user would have likely taken their business elsewhere. On a few servers I manage I run it periodically to check for weak passwords, then I contact the users with weak passwords and ask that they change them.

John the Ripper: http://www.openwall.com/john/

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
Re: [PHP] md5 on different platform
> excuse my ignorance on that field, but if I use md5 in a java server page (jsp), can I decrypt it in php ? Is the implementation of md5 the same on both language ?

Sure, but you don't decrypt md5. You md5 again and compare the two md5's

-Rasmus
Re: [PHP] md5 on different platform
Sorry, I meant compare and I wrote decrypt.

We will:
- encrypt in jsp
- compare in php

I am curious about the "should" you wrote

py

- Original Message -
From: Joe Conway [EMAIL PROTECTED]
To: pierre-yves [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, August 04, 2001 10:03 PM
Subject: Re: [PHP] md5 on different platform

> excuse my ignorance on that field, but if I use md5 in a java server page (jsp), can I decrypt it in php ? Is the implementation of md5 the same on both language ?

Well . . . the implementations *should* produce the same result, but md5 is a *one-way* hash function -- i.e. you cannot decrypt it at all.

-- Joe
Re: [PHP] md5 crypt question
> Yeah, I'm getting 2 and 0. Lame. What's the answer to this.

Go back to your PHP source directory and start digging through config.log and config.cache or even re-run the configure to see what's going on with various crypt libraries.

If you installed them in a non-standard place, maybe PHP just ain't finding them.

You may even need to dig into the Makefiles to figure out where PHP expects them and make some sym-links so configure can find them.

Don't forget "make clean" and "rm config.cache"

--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use [EMAIL PROTECTED]
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
Re: [PHP] md5 crypt question
This is all better now. I compiled with libmcrypt and php-4.0.6 at the same time, so I'm not sure exactly which caused the fix, but it works now.

Also, the perl module I was using seemed to generate apache style md5 hash, which is another reason why authenticating with postgres and md5 hashes wasn't working when just inserting hashes generated with Crypt::PasswdMD5. Php and openssl passwd -1 generate the correct system hashes.

Everything is good.

-jeremy

On Tue, 17 Jul 2001, tc lewis wrote:

> On Tue, 17 Jul 2001, Jeremy Hansen wrote:
>
> > On Tue, 17 Jul 2001, tc lewis wrote:
> >
> > > try:
> > > <?php echo(CRYPT_SALT_LENGTH); ?>
> > > <?php echo(CRYPT_MD5); ?>
> > >
> > > or:
> > > <?php echo constant("CRYPT_SALT_LENGTH"); ?>
> > > <?php echo constant("CRYPT_MD5"); ?>
> > >
> > > you should get output of 12 and 1 (not 2 and 0) if md5 is supported in crypt(), i think.
> >
> > Yeah, I'm getting 2 and 0. Lame. What's the answer to this.
>
> i'm not sure. i don't see any related configure flags or php.ini settings. it seems to work with standard redhat 7.1 linux (i'm assuming you're using some redhat-ish system, as i know you):
>
> [tcl@jobo tcl]$ cat nog.php
> #!/usr/bin/php
> <?php echo(constant('CRYPT_SALT_LENGTH')); ?>
> <?php echo("\n"); ?>
> <?php echo(constant('CRYPT_MD5')); ?>
> <?php echo("\n"); ?>
> <?php echo(crypt('teststr', 'testsalt')); ?>
> <?php echo("\n"); ?>
> <?php echo(crypt('teststr', '$1$testsalt$')); ?>
> <?php echo("\n"); ?>
> [tcl@jobo tcl]$ ./nog.php
> X-Powered-By: PHP/4.0.4pl1
> Content-type: text/html
>
> 2
> 1
> te4c1aD5wKOnM
> $1$testsalt$W00xFyq3oO6fDqto9qMY00
> [tcl@jobo tcl]$
>
> any suggestions from the rest of the list? you could try using the mhash library stuff instead. blah.
>
> -tcl.

--
salad.
Re: [PHP] md5 crypt question
not sure if you've gotten any help on this yet.

perhaps test the CRYPT_SALT_LENGTH and CRYPT_MD5 constants to make sure that your system and compiled php support md5 via crypt().

also, what salts did you try? note the comments at the bottom of http://php.net/manual/en/function.crypt.php about double-quoting $1$ and how it may be interpreted and how to escape the $ characters. also, i'm not sure if you need a $ character at the end of the salt string like in some of the examples on those comments or not. unfortunately, i don't have a system with php running right now to test.

you may also want to investigate http://php.net/manual/en/ref.mhash.php depending on what kind of functionality you need. my guess is that crypt() would be suitable for you if it worked properly.

-tcl.

On Tue, 17 Jul 2001, Jeremy Hansen wrote:

> I'd like to use php to do what I'm able to do in perl.
>
> use String::Random;
> use Crypt::PasswdMD5;
>
> $foo = new String::Random;
> $rand = $foo->randpattern("ss");
>
> print "Type in your password: ";
> $password = <STDIN>;
>
> $hash = unix_md5_crypt($password,$rand);
> $salt = substr($hash,3,2);
>
> print "SUBSTR: $salt\n";
> print "HASH: $hash\n";
> print "SALT: $rand\n";
>
> print "Type in your password: ";
> $password_verify = <STDIN>;
>
> $hash_verify = unix_md5_crypt($password_verify,$salt);
>
> if ($hash eq $hash_verify) {
>     print "Good to go!\n";
>     print "HASH BEFORE: $hash\n";
>     print "HASH AFTER: $hash_verify\n";
> } else {
>     print "You fuckered it up!\n";
>     print "HASH BEFORE: $hash\n";
>     print "HASH AFTER: $hash_verify\n";
> }
>
> srv1:~$ ./crypt.pl
> Type in your password: password
> SUBSTR: Kd
> HASH: $1$Kd$T9I3jUnJvGy0Ekfg2VobM0
> SALT: Kd
> Type in your password: password
> Good to go!
> HASH BEFORE: $1$Kd$T9I3jUnJvGy0Ekfg2VobM0
> HASH AFTER: $1$Kd$T9I3jUnJvGy0Ekfg2VobM0
>
> I've looked at crypt() in php and it claims that if you pass it a salt that resembles $1$ format, it should generate an md5 type hash, but this doesn't seem to be the case for me. The crypt only looks at the first two characters of the salt, no matter what, so my salt never changes because it just seems $1.
>
> Thanks for explaining what I'm doing wrong.
>
> -jeremy
>
> --
> salad.
Re: [PHP] md5 crypt question
Well, I'm assuming, perhaps incorrectly, that the perl modules I used derived its md5 capabilities from the system. I did see all the comments on the crypt() page and basically copied each one. When passing a md5 looking salt, crypt() doesn't seem to do anything special with it and my salt remains the same, first two characters are taken like regular des.

How would I go about testing the CRYPT_SALT_LENGTH and CRYPT_MD5 constants?

Thanks
-jeremy

On Tue, 17 Jul 2001, tc lewis wrote:
> not sure if you've gotten any help on this yet. perhaps test the CRYPT_SALT_LENGTH and CRYPT_MD5 constants to make sure that your system and compiled php support md5 via crypt().
>
> also, what salts did you try? note the comments at the bottom of http://php.net/manual/en/function.crypt.php about double-quoting $1$ and how it may be interpreted and how to escape the $ characters. also, i'm not sure if you need a $ character at the end of the salt string like in some of the examples on those comments or not. unfortunately, i don't have a system with php running right now to test.
>
> you may also want to investigate http://php.net/manual/en/ref.mhash.php depending on what kind of functionality you need. my guess is that crypt() would be suitable for you if it worked properly.
>
> -tcl.
>
> On Tue, 17 Jul 2001, Jeremy Hansen wrote:
> > I'd like to use php to do what I'm able to do in perl.
Re: [PHP] md5 crypt question
On Tue, 17 Jul 2001, tc lewis wrote:
> try:
>   <?php echo(CRYPT_SALT_LENGTH); ?>
>   <?php echo(CRYPT_MD5); ?>
> or:
>   <?php echo constant("CRYPT_SALT_LENGTH"); ?>
>   <?php echo constant("CRYPT_MD5"); ?>
> you should get output of 12 and 1 (not 2 and 0) if md5 is supported in crypt(), i think.
>
> you compiled php on the system it's running on? if you used a binary rpm or something, and the system it was compiled on didn't support md5, then it won't work.

This I built from source. Hmm, if it uses system crypt() then would using mcrypt libs help with this?

I'll try the above.

-jeremy

> -tcl.
>
> On Tue, 17 Jul 2001, Jeremy Hansen wrote:
> > Well, I'm assuming, perhaps incorrectly, that the perl modules I used derived its md5 capabilities from the system. I did see all the comments on the crypt() page and basically copied each one. When passing a md5 looking salt, crypt() doesn't seem to do anything special with it and my salt remains the same, first two characters are taken like regular des.
> >
> > How would I go about testing the CRYPT_SALT_LENGTH and CRYPT_MD5 constants?
> >
> > Thanks
> > -jeremy
> >
> > On Tue, 17 Jul 2001, tc lewis wrote:
> > > not sure if you've gotten any help on this yet. perhaps test the CRYPT_SALT_LENGTH and CRYPT_MD5 constants to make sure that your system and compiled php support md5 via crypt().
> > >
> > > also, what salts did you try? note the comments at the bottom of http://php.net/manual/en/function.crypt.php about double-quoting $1$ and how it may be interpreted and how to escape the $ characters. also, i'm not sure if you need a $ character at the end of the salt string like in some of the examples on those comments or not. unfortunately, i don't have a system with php running right now to test.
> > >
> > > you may also want to investigate http://php.net/manual/en/ref.mhash.php depending on what kind of functionality you need. my guess is that crypt() would be suitable for you if it worked properly.
> > >
> > > -tcl.
> > >
> > > On Tue, 17 Jul 2001, Jeremy Hansen wrote:
> > > > I'd like to use php to do what I'm able to do in perl.
Re: [PHP] md5 crypt question
On Tue, 17 Jul 2001, tc lewis wrote:
> try:
>   <?php echo(CRYPT_SALT_LENGTH); ?>
>   <?php echo(CRYPT_MD5); ?>
> or:
>   <?php echo constant("CRYPT_SALT_LENGTH"); ?>
>   <?php echo constant("CRYPT_MD5"); ?>
> you should get output of 12 and 1 (not 2 and 0) if md5 is supported in crypt(), i think.

Yeah, I'm getting 2 and 0. Lame. What's the answer to this.

-jeremy

> you compiled php on the system it's running on? if you used a binary rpm or something, and the system it was compiled on didn't support md5, then it won't work.
>
> -tcl.
>
> On Tue, 17 Jul 2001, Jeremy Hansen wrote:
> > Well, I'm assuming, perhaps incorrectly, that the perl modules I used derived its md5 capabilities from the system. I did see all the comments on the crypt() page and basically copied each one. When passing a md5 looking salt, crypt() doesn't seem to do anything special with it and my salt remains the same, first two characters are taken like regular des.
> >
> > How would I go about testing the CRYPT_SALT_LENGTH and CRYPT_MD5 constants?
> >
> > Thanks
> > -jeremy
> >
> > On Tue, 17 Jul 2001, tc lewis wrote:
> > > not sure if you've gotten any help on this yet. perhaps test the CRYPT_SALT_LENGTH and CRYPT_MD5 constants to make sure that your system and compiled php support md5 via crypt().
> > >
> > > also, what salts did you try? note the comments at the bottom of http://php.net/manual/en/function.crypt.php about double-quoting $1$ and how it may be interpreted and how to escape the $ characters. also, i'm not sure if you need a $ character at the end of the salt string like in some of the examples on those comments or not. unfortunately, i don't have a system with php running right now to test.
> > >
> > > you may also want to investigate http://php.net/manual/en/ref.mhash.php depending on what kind of functionality you need. my guess is that crypt() would be suitable for you if it worked properly.
> > >
> > > -tcl.
> > >
> > > On Tue, 17 Jul 2001, Jeremy Hansen wrote:
> > > > I'd like to use php to do what I'm able to do in perl.
Re: [PHP] md5 crypt question
On Tue, 17 Jul 2001, Jeremy Hansen wrote:
> On Tue, 17 Jul 2001, tc lewis wrote:
> > try:
> >   <?php echo(CRYPT_SALT_LENGTH); ?>
> >   <?php echo(CRYPT_MD5); ?>
> > or:
> >   <?php echo constant("CRYPT_SALT_LENGTH"); ?>
> >   <?php echo constant("CRYPT_MD5"); ?>
> > you should get output of 12 and 1 (not 2 and 0) if md5 is supported in crypt(), i think.
>
> Yeah, I'm getting 2 and 0. Lame. What's the answer to this.

i'm not sure. i don't see any related configure flags or php.ini settings. it seems to work with standard redhat 7.1 linux (i'm assuming you're using some redhat-ish system, as i know you):

[tcl@jobo tcl]$ cat nog.php
#!/usr/bin/php
<?php echo(constant('CRYPT_SALT_LENGTH')); ?>
<?php echo("\n"); ?>
<?php echo(constant('CRYPT_MD5')); ?>
<?php echo("\n"); ?>
<?php echo(crypt('teststr', 'testsalt')); ?>
<?php echo("\n"); ?>
<?php echo(crypt('teststr', '$1$testsalt$')); ?>
<?php echo("\n"); ?>
[tcl@jobo tcl]$ ./nog.php
X-Powered-By: PHP/4.0.4pl1
Content-type: text/html

2
1
te4c1aD5wKOnM
$1$testsalt$W00xFyq3oO6fDqto9qMY00
[tcl@jobo tcl]$

any suggestions from the rest of the list? you could try using the mhash library stuff instead. blah.

-tcl.
Re: [PHP] md5 crypt question
On Tue, 17 Jul 2001, tc lewis wrote:
> On Tue, 17 Jul 2001, Jeremy Hansen wrote:
> > On Tue, 17 Jul 2001, tc lewis wrote:
> > > try:
> > >   <?php echo(CRYPT_SALT_LENGTH); ?>
> > >   <?php echo(CRYPT_MD5); ?>
> > > or:
> > >   <?php echo constant("CRYPT_SALT_LENGTH"); ?>
> > >   <?php echo constant("CRYPT_MD5"); ?>
> > > you should get output of 12 and 1 (not 2 and 0) if md5 is supported in crypt(), i think.
> >
> > Yeah, I'm getting 2 and 0. Lame. What's the answer to this.
>
> i'm not sure. i don't see any related configure flags or php.ini settings. it seems to work with standard redhat 7.1 linux (i'm assuming you're using some redhat-ish system, as i know you):

This is confusing. I'm actually using rh6.2 on this particular install. Older glibc have something to do with crypt() implementations?

thanks
-jeremy

> [tcl@jobo tcl]$ cat nog.php
> #!/usr/bin/php
> <?php echo(constant('CRYPT_SALT_LENGTH')); ?>
> <?php echo("\n"); ?>
> <?php echo(constant('CRYPT_MD5')); ?>
> <?php echo("\n"); ?>
> <?php echo(crypt('teststr', 'testsalt')); ?>
> <?php echo("\n"); ?>
> <?php echo(crypt('teststr', '$1$testsalt$')); ?>
> <?php echo("\n"); ?>
> [tcl@jobo tcl]$ ./nog.php
> X-Powered-By: PHP/4.0.4pl1
> Content-type: text/html
>
> 2
> 1
> te4c1aD5wKOnM
> $1$testsalt$W00xFyq3oO6fDqto9qMY00
> [tcl@jobo tcl]$
>
> any suggestions from the rest of the list? you could try using the mhash library stuff instead. blah.
>
> -tcl.

-- 
salad.
Re: [PHP] MD5 password
On Fri, 4 May 2001, Thimo von Rauchhaupt wrote:
> > Hi there assume that I had a password field in md5 format like this $1$uJ8d$jJKOHnfh^79824/. how do i compare an input password to the password that I store in database so it can return right or wrong password
>
> Just compare the md5 hashed password with the md5 hashed string from the database. If the password is like the string, the hashes must equal, too.

Do _not_ store the password in the database as it is. Instead, store the md5 hash of the password and compare the md5 hash of user input with _that_.

Anuradha

-- 
home page: http://www.bee.lk/people/anuradha/
Re: [PHP] MD5 password
Get Input password into $pwd
Get hashed password from db into $hashed_pwd

do compare like:

  if (md5($pwd) === $hashed_pwd) {
      // good!
  }

Yamin Prabudy [EMAIL PROTECTED] wrote in message news:004901c0d462$ff394240$[EMAIL PROTECTED]...
> Hi there assume that I had a password field in md5 format like this $1$uJ8d$jJKOHnfh^79824/. how do i compare an input password to the password that I store in database so it can return right or wrong password
>
> thanks
> Yamin Prabudy
Re: [PHP] MD5 password
> Hi there assume that I had a password field in md5 format like this $1$uJ8d$jJKOHnfh^79824/. how do i compare an input password to the password that I store in database so it can return right or wrong password

Just compare the md5 hashed password with the md5 hashed string from the database. If the password is like the string, the hashes must equal, too.

The difficulty lies IMHO in hashing the password on client side. There are Javascripts-Modules out there in the Net, but this is rather unsecure.
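For a stored value in the `$1$salt$hash` form quoted in the question, which is crypt()'s MD5 format (the one discussed in the "md5 crypt question" thread above) rather than the output of md5(), the comparison can be done as in this added PHP example, which is not code from any poster. The helper names are hypothetical, PHP 7 or later is assumed, the sample hash is the one nog.php printed in that thread, and the rehash step goes beyond what the thread covers.

```php
<?php
declare(strict_types=1);

// Hash printed in the thread for crypt('teststr', '$1$testsalt$').
// Single quotes are required: in a double-quoted string PHP would
// treat $testsalt as a variable and the salt would be mangled.
const THREAD_HASH = '$1$testsalt$W00xFyq3oO6fDqto9qMY00';

/** Hypothetical helper: can this build emit MD5-format crypt() hashes? */
function md5_crypt_supported(): bool
{
    return defined('CRYPT_MD5') && CRYPT_MD5 === 1;
}

/**
 * Hypothetical helper: check a candidate against a stored crypt() hash.
 * The stored hash itself is passed as the salt argument; crypt() reads
 * the "$1$salt$" prefix from it and recomputes the rest.
 */
function verify_crypt(string $candidate, string $stored): bool
{
    $computed = crypt($candidate, $stored);
    // hash_equals() compares in constant time and returns false on any
    // length mismatch, e.g. a 13-character DES result or the "*0" error.
    return hash_equals($stored, $computed);
}

/**
 * Hypothetical login step: verify, and when the stored hash is not in
 * the current password_hash() format, return a replacement to store.
 */
function login_check(string $candidate, string $stored): array
{
    if (!verify_crypt($candidate, $stored)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($candidate, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

var_dump(md5_crypt_supported());
var_dump(verify_crypt('teststr', THREAD_HASH));  // candidate from the thread
var_dump(verify_crypt('teststR', THREAD_HASH));  // constructed wrong guess
var_dump(md5('teststr') === THREAD_HASH);        // raw md5() is a different format

$result = login_check('teststr', THREAD_HASH);
var_dump($result['ok'], is_string($result['rehash']));
```

Because the replacement hash is also a crypt()-format string, verify_crypt() keeps working unchanged after the stored value has been upgraded.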
Re: [PHP] MD5 / crypt
Dan Harrington wrote:
> What is the best way to encrypt/decrypt strings when passing between php pages?

If your encryption is meant to be anything near secure, there is only one way: DON'T

GET or POST-Parameters are for user-input. Handing information over to the client and taking it back later is a potential security leak. If you have no means of revalidating the information after it crossed the so called trust boundary, you shouldn't do it. Send a handler, some random and unique (nothing like 1,2,3 or a,b,c) identifier and store the critical information in a session variable or somewhere else.

> I am using md5 and currently get strings that produce "unprintable" characters or characters like slashes or other things that could interfere with the passing between php pages. (e.g. http://server.asdf/action.php?args=encryptedstring )
>
> e.g. 5V"g\7`Qv1Sc]aVQ4a6#bWSbU!f_4V1QvPaUe 5Q!c b

Just urlencode() these strings before adding them to the URL.

regards
Wagner

-- 
Three may keep a secret, if two of them are dead.
Re: [PHP] MD5 / crypt
> GET or POST-Parameters are for user-input. Handing information over to the client and taking it back later is a potential security leak. If you have no means of revalidating the information after it crossed the so called trust boundary, you shouldn't do it. Send a handler, some random and unique (nothing like 1,2,3 or a,b,c) identifier and store the critical information in a session variable or somewhere else.

In spamwhack, I have secure access using this technique.

On login I pass you a cookie (10 digit random number, base 16), store the cookie in the database marked invalid, and take your username and password. On submit, I check the username and password against the database, also the originating IP address, to see if it's in-range for that account. If so, I mark the db entry valid.

When you pull up the next page, you get a new random cookie, which is also invalid. I take the cookie you gave me, check against the database. If it matches, and the IP address is still the same, then I mark the new one valid. This happens for every page access in the secure area. You have to hand me the right cookie value, and each cookie is only good for one page. I refresh the same cookie, so as not to fill up the jar impolitely.

It's not as complicated as it sounds. The idea is that you can steal a cookie value, but it won't help you, since you'll be from a different IP. If you can grab the cookie value, and forge the IP address, then you can hijack the session. It's never happened yet.

Other fun: On login, after a couple tries, the script goes into a mode where even the correct password will be rejected. It also sends emails to me, and to the account holder, that someone is messing with it. I put a randomised delay in the password script as well, so that it's not obvious whether you're being accepted or rejected until the script finishes, so as to foil automated attempts to speed up a dictionary attack.

There's more, but :)

-- 
Dave's Engineering Page: http://www.dvanhorn.org
Where's dave? http://www.findu.com/cgi-bin/find.cgi?kc6ete-9
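The one-cookie-per-page scheme described in this message, as an added PHP example that is not the spamwhack code. The class and method names are hypothetical, an in-memory array stands in for the database table, PHP 7.4 or later is assumed, and the token is 128 bits from random_bytes() rather than the 10 hex digits mentioned.

```php
<?php
declare(strict_types=1);

/** Hypothetical in-memory stand-in for the token table in the database. */
final class RotatingTokenStore
{
    /** @var array<string, array{user: ?string, ip: string, valid: bool}> */
    private array $rows = [];

    /** Hand out a fresh token, stored as not yet valid. */
    public function issue(string $ip, ?string $user = null): string
    {
        $token = bin2hex(random_bytes(16)); // CSPRNG output, 32 hex digits
        $this->rows[$token] = ['user' => $user, 'ip' => $ip, 'valid' => false];
        return $token;
    }

    /**
     * Login step. The caller has already checked username and password;
     * the token becomes valid only if it is pending and the address matches.
     */
    public function activate(string $token, string $ip, string $user): bool
    {
        $row = $this->rows[$token] ?? null;
        if ($row === null || $row['valid'] || $row['ip'] !== $ip) {
            return false;
        }
        $this->rows[$token] = ['user' => $user, 'ip' => $ip, 'valid' => true];
        return true;
    }

    /**
     * Page request. The presented token is spent whether or not it passes;
     * on success the caller gets the next token, already marked valid.
     */
    public function rotate(string $presented, string $ip): ?string
    {
        $row = $this->rows[$presented] ?? null;
        unset($this->rows[$presented]); // each token is good for one page
        if ($row === null || !$row['valid'] || $row['ip'] !== $ip) {
            return null;
        }
        $next = $this->issue($ip, $row['user']);
        $this->rows[$next]['valid'] = true;
        return $next;
    }
}

// Constructed walk-through using documentation-range addresses.
$store = new RotatingTokenStore();
$login = $store->issue('192.0.2.10');
var_dump($store->activate($login, '192.0.2.10', 'alice'));

$page2 = $store->rotate($login, '192.0.2.10');
var_dump(is_string($page2));

var_dump($store->rotate($login, '192.0.2.10'));            // replay of a spent token
var_dump($store->rotate((string) $page2, '198.51.100.7')); // stolen token, other address
```

Binding to the client address also rejects legitimate users whose address changes between requests (mobile networks, proxy pools), so a failed rotate() is best handled as "log in again" rather than as proof of an attack.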
RE: [PHP] MD5 / crypt
> If your encryption is meant to be anything near secure, there is only one way: DON'T

Well, this is true. I kinda just want to be able to pass things back and forth without giving the average user the ability to even have a clue as to what I am doing. If they can't see, they will have less likely the ability to hack. I mainly am talking about things like passing variables between sequential pages in an image gallery, nothing too personal :-)

I eventually do want to get into credit card processing, but that is down the road a while, and probably am just going to go with a payflow pro or some other turn-key solution.

> Just urlencode() these strings before adding them to the URL.

Thanks!
Dan