Using of md5 function

Question

On php. How we use md5 encryption method? Suppose a login form. When we want an encrypted text we use

$encryptedtxt=md5('text');

Then we sent this $encryptedtxt to database. Now if we want this $encryptedtxt to compare with user new inputs to login , what should we do? If we should return text from encrypted form of it, how? Tnx.

*"what should we do?"* - If this is for passwords, the answer is simple; **don't use it**. It's 30 years old and not safe to use anymore. Plus, "how-to's" can be found on the Web. Show us what you tried. — Funk Forty Niner, May 24 '15 at 22:17
Tnx! @Fred-ii- is there any other way to secure the password more than normal? — Soroosh Noorzad, May 24 '15 at 22:19
For password storage, use [**CRYPT_BLOWFISH**](http://security.stackexchange.com/q/36471) or PHP 5.5's [`password_hash()`](http://www.php.net/manual/en/function.password-hash.php) function. For PHP < 5.5 use the [`password_hash() compatibility pack`](https://github.com/ircmaxell/password_compat). — Funk Forty Niner, May 24 '15 at 22:19
@Fred-ii- one another question , why this is not a deprecated function, when you say that is not so safe? if there is better way , why this is still use by people? tnx for your attention. — Soroosh Noorzad, May 24 '15 at 22:24
I posted an answer for you below, which uses safe methods, in both passwords and MySQL. There are a few links you can read up on why MD5 isn't safe anymore. — Funk Forty Niner, May 24 '15 at 22:27
@Sonoo - It isn't deprecated because md5 has perfectly valid uses still, it's just not good for password hashing — Mark Baker, May 24 '15 at 22:29

score 3 · Accepted Answer · edited May 23 '17 at 12:25

3

MD5 is no longer considered safe to use for password hashing, it's 30 years old and is considered "broken".

Use a modern-day method, including prepared statements.

Here are a few articles you can read up on:

Pulled from ircmaxell's answer https://stackoverflow.com/a/29778421/

Just use a library. Seriously. They exist for a reason.

PHP 5.5+: use password_hash()
PHP 5.3.7+: use password-compat (a compatibility pack for above
All others: use phpass

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

And on login:

$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
    if (password_verify($_POST['password'], $users[0]->password) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}

edited May 23 '17 at 12:25

Community

1
1

answered May 24 '15 at 22:26

Funk Forty Niner

74,450
15
68
141

1

or you could just make as dupe :-) – May 24 '15 at 22:28
1

@Dagon sure, but given the other answer below, I had to give them a "safe" method. OP can do what they want with it; closed question or not. ;-) – Funk Forty Niner May 24 '15 at 22:29
oh we know you just want the easy rep points :-) – May 24 '15 at 22:30
@Dagon points are nice, sure but this isn't about points, it's about giving the OP "the right time of day" ;-) – Funk Forty Niner May 24 '15 at 22:31
So one more point from me, you cannot repeat this too much :-) – martinstoeckli May 25 '15 at 19:11
@martinstoeckli Thank you Martin. I know; even with the so many duplicates on Stack, why is it do they not find it? It's a mystery to me. The Web I guess.... is just far too vast and saturated; *baffled*. - *Cheers* – Funk Forty Niner May 25 '15 at 19:13

Using of md5 function

1 Answers1