Dmitry Makovetskiyd

Reputation: 7053

Storing md5 hash of a password in database and comparing it

Before inserting data into the database, I encrypted the user name and password like this:

    $userName = strip_tags($userName);
    $pass     = strip_tags($pass);

    $userName = htmlentities($userName, ENT_QUOTES, 'UTF-8');
    $pass     = htmlentities($pass, ENT_QUOTES, 'UTF-8');

    $userName = mysql_real_escape_string($userName);
    $pass     = mysql_real_escape_string($pass);

    // fixed salt, applied twice around two rounds of md5
    $salt = 'SHIFLETT';
    $password_hash = md5($salt . md5($pass . $salt));

This was done to prevent SQL attacks and general SQL injections.

Now I want to check the pass and name the user gives me when logging in. I repeated the same process of character stripping and escaping of special characters. So here is my function to check the pass:

    function validateLogin($user_name, $pass)
    {
        // same strip / encode / escape chain as on insert, so the hash can match
        $user_name = strip_tags($user_name);
        $pass      = strip_tags($pass);

        $user_name = htmlentities($user_name, ENT_QUOTES, 'UTF-8');
        $pass      = htmlentities($pass, ENT_QUOTES, 'UTF-8');

        $user_name = mysql_real_escape_string($user_name);
        $pass      = mysql_real_escape_string($pass);

        $salt = 'SHIFLETT';
        $password_hash = md5($salt . md5($pass . $salt));

        $result = mysql_query("SELECT COUNT(*) AS Result FROM users WHERE user_name='$user_name' AND pass='$password_hash'");

        if ($row = mysql_fetch_array($result))
        {
            if ($row['Result'] > 0)
            {
                echo "Login successful";
            }
            else
            {
                echo "Login unsuccessful";
            }
        }

        mysql_close();
    }

My question is: with all those security precautions, will validation work? Will MD5 return the same pass if I use the same MD5 encoding on the insert and then on the select statement?

Upvotes: 0

Views: 3911
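To check the question's "will it match?" argument on real input, here is an added example (not code from the question) that reproduces the same strip / encode / escape / md5 chain as a function and runs it on both the registration and the login side. Because mysql_real_escape_string() needs a live MySQL link, addslashes() stands in for it; LEGACY_SALT, normalizeLegacy(), legacyHash(), the user table and the wordlist are all constructed for this example. The last part goes one step beyond the question and shows what the constant salt costs: one precomputed table cracks every row.

```php
<?php
// Added example, not code from the original question: reproduces the
// question's transform chain so the "will it match?" argument can be
// checked on real input, and shows what a constant salt costs.
// mysql_real_escape_string() needs a live MySQL link, so addslashes() stands
// in for it here (assumption: same escaping of ' " \ and NUL for this input).

const LEGACY_SALT = 'SHIFLETT';   // the fixed salt from the question

function normalizeLegacy(string $value): string
{
    $value = strip_tags($value);
    $value = htmlentities($value, ENT_QUOTES, 'UTF-8');
    return addslashes($value);    // stand-in for mysql_real_escape_string()
}

function legacyHash(string $pass): string
{
    return md5(LEGACY_SALT . md5(normalizeLegacy($pass) . LEGACY_SALT));
}

// 1. Registration and login run the same chain, so the two hashes are equal
//    and the SELECT ... AND pass='$password_hash' finds the row.
$password = "O'Brien<b>1</b>";
$stored   = legacyHash($password);          // what the INSERT wrote
$attempt  = legacyHash($password);          // what validateLogin() computes
printf("same chain on both sides: %s\n", $stored === $attempt ? 'match' : 'mismatch');

// 2. The strip/encode/escape steps became part of the secret: the raw
//    password hashes to something else, so any future login path that skips
//    them (or escapes differently) locks every such user out.
$rawHash = md5(LEGACY_SALT . md5($password . LEGACY_SALT));
printf("raw password, no normalisation: %s\n", $stored === $rawHash ? 'match' : 'mismatch');
printf("string that was actually hashed: %s\n", normalizeLegacy($password));

// 3. With one salt for everybody, a single precomputed table cracks every
//    account at once. Constructed user table: three users, two share a password.
$users = [
    'alice' => legacyHash('hunter2'),
    'bob'   => legacyHash('letmein'),
    'carol' => legacyHash('hunter2'),
];
$wordlist = ['123456', 'password', 'hunter2', 'letmein', 'qwerty'];
$table = [];
foreach ($wordlist as $guess) {
    $table[legacyHash($guess)] = $guess;   // computed once, reused for all rows
}
foreach ($users as $name => $hash) {
    printf("%-6s %s\n", $name, $table[$hash] ?? '(not in wordlist)');
}
```

Run it with `php legacy_hash_check.php` (file name is arbitrary). Part 2 is the practical caveat: whatever transformation is applied before hashing is frozen into every stored hash, so it can never be changed or removed without resetting passwords. Part 3 is why a per-user random salt matters: with it, alice and carol would have different hashes and the wordlist would have to be hashed once per user rather than once overall.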

Answers (4)

DEVPROCB

Reputation: 483

This question is somewhat old, but there are better alternatives now with PHP 5.5. The above code is no longer needed. PHP 5.5 has easy password protection built in, and it is almost dumb-proof. http://www.php.net/manual/en/function.password-hash.php As you can see, just using

password_hash("yourpass", PASSWORD_DEFAULT)

you are using both a random salt and bcrypt at the same time. If you have not updated to the latest version of PHP, I would suggest doing so now.

Upvotes: 0
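The answer above names the function but not the full flow, so here is an added example (not the answerer's code) of a complete register/login pair built on password_hash() / password_verify() with prepared statements, including a transparent upgrade of rows that still hold the question's md5($salt . md5($pass . $salt)) value. It is written for PHP 7 or later and uses an in-memory SQLite database through PDO (assumes the pdo_sqlite extension) so it runs offline; the users table, the user names and the helper names register(), login(), upgradeHash() and legacyHash() are all assumptions for this example.

```php
<?php
// Added example, not code from the original answer: register/login on
// password_hash()/password_verify() with prepared statements, plus a
// transparent upgrade of legacy md5 rows. In-memory SQLite so it runs offline;
// the table layout is an assumption for this example.

const LEGACY_SALT = 'SHIFLETT';   // the fixed salt from the question

// Assumption: legacy rows were hashed from the raw password. If the
// strip_tags/htmlentities/escape steps from the question were applied
// before hashing, they must be replicated here or those rows never match.
function legacyHash(string $pass): string
{
    return md5(LEGACY_SALT . md5($pass . LEGACY_SALT));
}

function register(PDO $db, string $user, string $pass): void
{
    // No strip_tags/htmlentities/escaping: the password is hashed as typed and
    // never reaches SQL as text. PASSWORD_DEFAULT picks bcrypt and generates a
    // fresh random salt on every call.
    $stmt = $db->prepare('INSERT INTO users (user_name, pass) VALUES (:u, :p)');
    $stmt->execute([':u' => $user, ':p' => password_hash($pass, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $user, string $pass): bool
{
    // Fetch by user name only; the secret is compared in PHP, not in SQL,
    // and the user name is bound, so quotes in it are data, not syntax.
    $stmt = $db->prepare('SELECT id, pass FROM users WHERE user_name = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    if (password_verify($pass, $row['pass'])) {
        // Re-hash if the default algorithm or cost has moved on since storage.
        if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
            upgradeHash($db, (int) $row['id'], $pass);
        }
        return true;
    }

    // Legacy row: 32 hex chars written by the old md5 scheme. hash_equals()
    // keeps the comparison constant-time; on success the row is upgraded.
    if (preg_match('/^[0-9a-f]{32}$/', $row['pass'])
        && hash_equals($row['pass'], legacyHash($pass))) {
        upgradeHash($db, (int) $row['id'], $pass);
        return true;
    }
    return false;
}

function upgradeHash(PDO $db, int $id, string $pass): void
{
    $stmt = $db->prepare('UPDATE users SET pass = :p WHERE id = :id');
    $stmt->execute([':p' => password_hash($pass, PASSWORD_DEFAULT), ':id' => $id]);
}

// Constructed database: one user created the new way, one carried over from
// the old scheme, so both code paths are exercised.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, pass TEXT)');

register($db, 'alice', 'correct horse battery staple');
$db->prepare('INSERT INTO users (user_name, pass) VALUES (?, ?)')
   ->execute(['bob', legacyHash("O'Brien")]);

var_dump(login($db, 'alice', 'correct horse battery staple'));   // right password
var_dump(login($db, 'alice', 'wrong'));                          // wrong password
var_dump(login($db, "alice' OR '1'='1", 'anything'));            // bound literal, no such user
var_dump(login($db, 'bob', "O'Brien"));                          // legacy row, upgraded on the way

// bob's row now holds a bcrypt hash ($2y$ prefix), not the old md5 value.
$stored = $db->query("SELECT pass FROM users WHERE user_name = 'bob'")->fetchColumn();
var_dump(substr($stored, 0, 4) === '$2y$');
```

Two design points worth noting: the login query selects by user name only and never puts the password (or its hash) into SQL, so the escaping and htmlentities calls from the question become unnecessary rather than merely redundant; and the legacy branch lets the site move off the fixed-salt md5 scheme one successful login at a time without forcing a mass password reset.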

Griffin

Reputation: 644

For flexibility, you should make a function to hash (not encrypt) your password. Also, use a stronger algorithm than md5 (like sha512, used in my example).

function hashPassword($str)
{
        return hash("sha512", $str . "salt");
}

I also recommend using mysql_real_escape_string.

$password_hash = hashPassword($_POST['password']);
$username = mysql_real_escape_string($_POST['username']);

Also use an auto-incremented int as the id and select it.

mysql> create table users (
-> id int primary key auto_increment,
-> username varchar(20),
-> password char(128)); 

Then simply compare the returned row with the username and password.

$check = "select id from users where username = '$username' and password = '$password_hash'";
$result = mysql_query($check);

if(mysql_num_rows($result))
{
    echo "<p>Login was successful!</p>\n";
}

To answer your question: yes, comparing a hashed password with a hashed string in the database will work.

Upvotes: 3

Marc B

Reputation: 360842

$pass=mysql_real_escape_string($pass);

is rather redundant. Even if the password contained an SQL metacharacter (e.g. a '), it'd be gone anyway after you run the password through md5. All this would do is add an extra character to the password string for every escapable character, so it'd be a kind of pseudo-salting.

But otherwise, yes... as long as you do the exact same md5/salting process on passwords everywhere they're used, and only store/compare the resulting hash in the database, then your comparisons will be valid.

Upvotes: 1

hair raisin

Reputation: 2628

Short answer: yes, it will match.

Long/lecture answer: md5 is weak, a constant salt is bad, there is no need to escape the password prior to hashing, etc.

Upvotes: 2
