[ciapug] md5 function

carl-olsen at mchsi.com
Mon Apr 16 12:55:24 CDT 2007


I’m using md5 to encrypt passwords in MySQL.  There are two stages to this.  The first stage is when the user types their password into a form input text field in their browser and submits the page to the remote server.  After the page submits, the password is retrieved as one of the $_POST array variables and converted to the md5 32-character version and then used in an SQL statement to either add, update, or check the database for a match.

I can see how this makes the connection to the database more secure, but it still gets posted from the client to the server as a plain text password.  The client is sitting at their computer 10 miles away from the server and they submit their password as plain text.  What makes that any more secure than the round trip from the web server to the database?

This has always confused me.  It seems like the md5 function isn’t really doing much.

It seems like the only solution is to use https any time you have a password field in a form.  Is that correct?

Carl Olsen
Des Moines, IA
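
The server-side flow described in the message above, as an added example that is not part of the original post: it stores the password the md5 way the message describes, then with PHP's salted `password_hash()`/`password_verify()` API (PHP 5.5+), and refuses a login that did not arrive over HTTPS. The `$users` array is a constructed stand-in for the MySQL table, and all function names and sample values are hypothetical.

```php
<?php
// Added example, not code from the original post. The $users array is a
// constructed stand-in for the MySQL users table; function names are hypothetical.

// True when the request reached PHP over TLS. Hashing on the server only
// changes what is stored; the hop from browser to server is covered by HTTPS.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// The flow described in the post: the stored value is the 32-character md5().
// No salt is involved, so the output depends on the password alone.
function md5_store(array &$users, string $name, string $password): void
{
    $users[$name] = md5($password);
}

// Salted, deliberately slow hash from PHP's password API.
function hash_store(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Unknown users and wrong passwords both return false.
function hash_check(array $users, string $name, string $password): bool
{
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

// $server and $post stand in for $_SERVER and $_POST.
function handle_login(array $server, array $post, array $users): string
{
    if (!request_is_https($server)) {
        return 'rejected: password form must be submitted over HTTPS';
    }
    $ok = hash_check($users, $post['user'] ?? '', $post['password'] ?? '');
    return $ok ? 'login ok' : 'login failed';
}

// Constructed sample data: two users who chose the same password.
$md5Users = [];
$users = [];
foreach (['alice', 'bob'] as $name) {
    md5_store($md5Users, $name, 'correct horse');
    hash_store($users, $name, 'correct horse');
}
var_dump($md5Users['alice'] === $md5Users['bob']); // compares the two md5 rows
var_dump($users['alice'] === $users['bob']);       // compares the two salted rows
$form = ['user' => 'alice', 'password' => 'correct horse'];
echo handle_login(['HTTPS' => 'on'], $form, $users), "\n";
echo handle_login([], $form, $users), "\n";
```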

