[ciapug] md5 function
Tony Bibbs
tony at tonybibbs.com
Mon Apr 16 13:30:14 CDT 2007
1) don't use MD5, use SHA
2) avoid using DB functions that aren't part of the SQL standard. PHP includes functions to do both MD5 and SHA and using them makes your database more portable.
--Tony
----- Original Message ----
From: "carl-olsen at mchsi.com" <carl-olsen at mchsi.com>
To: ciapug at cialug.org
Sent: Monday, April 16, 2007 12:55:24 PM
Subject: [ciapug] md5 function
I’m using md5 to encrypt passwords in MySQL. There are two stages to this. The first stage is when the user types their password into a form input text field in their browser and submits the page to the remote server. After the page submits, the password is retrieved as one of the $_POST array variables and converted to the md5 32-character version and then used in an SQL statement to either add, update, or check the database for a match.
I can see how this makes the connection to the database more secure, but it still gets posted from the client to the server as a plain text password. The client is sitting at their computer 10 miles away from the server and they submit their password as plain text. What makes that any more secure than the round trip from the web server to the database?
This has always confused me. It seems like the md5 function isn’t really doing much.
It seems like the only solution is to use https any time you have a password field in a form. Is that correct?
Carl Olsen
Des Moines, IA
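
The following is an added example, not part of the original thread: it hashes the password in PHP rather than with a database function, so the SQL stays standard and parameterized, and it refuses to handle a password that did not arrive over HTTPS. It uses `password_hash()`/`password_verify()`, PHP built-ins added after this thread was written, in place of a bare MD5 or SHA digest; the `users` table, the function names and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. Table and function names are hypothetical.
declare(strict_types=1);

// True only when the request arrived over TLS; $server is normally $_SERVER.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

function register_user(PDO $db, string $name, string $password): void
{
    // Hash in PHP, not with a database function such as MySQL's MD5(),
    // so the plaintext never appears in a query and the SQL is portable.
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted and deliberately slow
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

function check_login(PDO $db, array $server, string $name, string $password): bool
{
    // Hashing protects the stored value only; the form post itself needs HTTPS.
    if (!request_is_https($server)) {
        return false;
    }
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn(); // false when no such user exists
    return $hash !== false && password_verify($password, (string) $hash);
}

// Constructed demo: in-memory SQLite stands in for any PDO-supported database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name VARCHAR(64) PRIMARY KEY, pw_hash VARCHAR(255) NOT NULL)');

$https = ['HTTPS' => 'on']; // constructed stand-in for $_SERVER on a TLS request
$plain = [];                // constructed stand-in for a plain HTTP request

register_user($db, 'carl', 'correct horse battery staple');
var_dump(check_login($db, $https, 'carl', 'correct horse battery staple'));
var_dump(check_login($db, $https, 'carl', 'wrong guess'));
var_dump(check_login($db, $plain, 'carl', 'correct horse battery staple'));
```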