ID: 29281 Updated by: [EMAIL PROTECTED] Reported By: n4rf at chello dot nl -Status: Open +Status: Wont fix Bug Type: Feature/Change Request Operating System: Irrelevant PHP Version: Irrelevant New Comment:
What he means is that the haxors can now use the MD5'ed password to connect to your database and read it's contents... so he is right, nothing changed. Previous Comments: ------------------------------------------------------------------------ [2004-07-21 01:05:13] n4rf at chello dot nl You didn't think before posting your reply. Md5 can not be decryptable easily. In fact, when somebody sees a md5 password, he would think twice before trying to force it. The thing which did change, is a person can not just see the plain text login and password and he can not gain access witin a timelimit of minimum 72 hours. ------------------------------------------------------------------------ [2004-07-20 23:51:48] abodeman at yahoo dot com The problem then becomes protecting the MD5 passwords from l33t h4xx0rs. Nothing is changed. ------------------------------------------------------------------------ [2004-07-20 14:27:34] n4rf at chello dot nl Description: ------------ This isn't realy a bug report, but searched PHP.net and couldn't find anything to report this, so I might just report it here. It's about the securety to make a database connection. When you normaly make a MySQL database connection, the login and password can be find (most likely) in the database config file which you include on every page. When some l33t h4xx0rs hack the webhosting company where you host your website, they can find your login and password in the db config file which makes hacking easy. Maybe something can done like the example below and can be included in the next versions of PHP. My idea is to make a database connection using md5 encrypted passwords. This way nobody can understand the login, password and database name when they have owned the database config file. Please check my example below. Note: This idea is not posible when MySQL does not cooperate with PHP.net to make this idea work. MySQL should also make a feature which allows to store md5 encrypted passwords to the config file where the logins and passwords get stored. This is just an idea, hope it's possible.. Didn't figure the idea all out but I think the people of PHP.net en MySQL.com are smart enough to work it out. I'll also post this message at mysql.com. I hope I brought a good idea instead of a stupid one.. :) Reproduce code: --------------- <? $host = "localhost"; $login = md5('login_name'); $pass = md5('login_password'); $dbname = md5('database_name'); if ([EMAIL PROTECTED]($dbname, @mysql_connect($host, $login, $pass))) { echo "<html><head><title>db error</title></head><body> <h1>Database connection failed</h1>\n\n"; echo "Could not establish a connection to the database."; exit(); } ?> ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=29281&edit=1