[ciapug] md5 function
carl-olsen at mchsi.com
Mon Apr 16 13:52:16 CDT 2007
I see I didn't explain this very well.
The user types their password into a form in their web browser.
The password gets sent over the Internet to the web server.
I'm using PHP to run the PHP md5 function on the $_POST variable and then inserting the 32-character string into an SQL statement.
-------------- Original message ----------------------
From: Tony Bibbs <tony at tonybibbs.com>
> 1) don't use MD5, use SHA
> 2) avoid using DB functions that aren't part of the SQL standard. PHP includes
> functions to do both MD5 and SHA and using them makes your database more
> portable.
>
> --Tony
>
> ----- Original Message ----
> From: "carl-olsen at mchsi.com" <carl-olsen at mchsi.com>
> To: ciapug at cialug.org
> Sent: Monday, April 16, 2007 12:55:24 PM
> Subject: [ciapug] md5 function
>
> I'm using md5 to encrypt passwords in MySQL. There are two stages to this. The
> first stage is when the user types their password into a form input text field
> in their browser and submits the page to the remote server. After the page
> submits, the password is retrieved as one of the $_POST array variables and
> converted to the md5 32-character version and then used in an SQL statement to
> either add, update, or check the database for a match.
>
> I can see how this makes the connection to the database more secure, but it
> still gets posted from the client to the server as a plain text password. The
> client is sitting at their computer 10 miles away from the server and they
> submit their password as plain text. What makes that any more secure than the
> round trip from the web server to the database?
>
> This has always confused me. It seems like the md5 function isn't really doing
> much.
>
> It seems like the only solution is to use https any time you have a password
> field in a form. Is that correct?
>
> Carl Olsen
> Des Moines, IA
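The server-side step described in this thread (hash the `$_POST` value, then use it in an SQL statement), as an added example that is not code from either poster. It swaps in PHP's `password_hash()`/`password_verify()` for `md5()`, upgrades rows still stored as md5 on the next successful login, and assumes a constructed in-memory SQLite `users` table and the hypothetical helpers `set_password` and `check_login`.

```php
<?php
// Added example, not code from the thread. Table, column and function names
// are assumptions. Needs the pdo_sqlite extension; runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT NOT NULL)');

// Constructed legacy row, stored the way the thread describes:
// the unsalted 32-character md5() of the submitted password.
$db->prepare('INSERT INTO users (name, pw) VALUES (?, ?)')
   ->execute(['carl', md5('correct horse')]);

// Store a password as a salted, deliberately slow hash.
function set_password(PDO $db, string $name, string $plain): void
{
    $db->prepare('UPDATE users SET pw = ? WHERE name = ?')
       ->execute([password_hash($plain, PASSWORD_DEFAULT), $name]);
}

// Check a login. $plain stands for the value that arrived in $_POST: the
// server always receives the plaintext, so hashing here protects the stored
// column only. The browser-to-server hop still needs HTTPS.
function check_login(PDO $db, string $name, string $plain): bool
{
    $stmt = $db->prepare('SELECT pw FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                       // unknown user
    }
    // Exactly 32 hex characters marks an old md5() value.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($plain))) {
            return false;
        }
        set_password($db, $name, $plain);   // re-hash on successful login
        return true;
    }
    return password_verify($plain, $stored);
}

var_dump(check_login($db, 'carl', 'wrong guess'));
var_dump(check_login($db, 'carl', 'correct horse'));  // legacy path, row upgraded
var_dump(check_login($db, 'carl', 'correct horse'));  // password_verify path
```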