LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Programming (http://www.linuxquestions.org/questions/programming-9/)
-   -   MD5 password changes checksum when entered into database. (http://www.linuxquestions.org/questions/programming-9/md5-password-changes-checksum-when-entered-into-database-106450/)

Pcghost 10-20-2003 05:02 PM

MD5 password changes checksum when entered into database.
 
When we enter a password into our php/html form, and then submit it to Mysql via an UPDATE query with the value hashed by Md5, the checksum in the database is shorter and completely different than the Md5 checksum that we echo on the page for testing.

My question. If a field length is shorter than the checksum submitted to it, will MySQL alter it or is the change taking place somewhere along the way? Has anyone ever seen this before? :confused: :study: :confused: :cry: :tisk: :) :scratch:

Kurt M. Weber 10-20-2003 05:14 PM

If the field length is to small, the data will be truncated to fit.

Meaning the broken sum stored in the database is useless. You just need to lengthen the field.

Pcghost 10-20-2003 06:26 PM

The strange part is it doesn't appear to be truncated as one would expect, it is a completly different checksum. When queried and compared to the longer one they match. This gets more confusing by the minute.

jim mcnamara 10-21-2003 09:02 AM

How did you define the column's datatype with the CREATE statement?

Pcghost 10-21-2003 10:13 AM

It is a Varchar(16) field.

jim mcnamara 10-21-2003 11:04 AM

This is from RSA - part of a test suite for md5
Code:

static void MDString (string)
char *string;
{
  MD_CTX context;
  unsigned char digest[16];
  unsigned int len = strlen (string);

  MDInit (&context);
  MDUpdate (&context, string, len);
  MDFinal (digest, &context);

  printf ("MD%d (\"%s\") = ", MD, string);
  MDPrint (digest);
  printf ("\n");
}
/* Prints a message digest in hexadecimal.
 */
static void MDPrint (digest)
unsigned char digest[16];
{

  unsigned int i;

  for (i = 0; i < 16; i++)
 printf ("%02x", digest[i]);
}

unsigned char *digest[16];
Is the datatype - if you convert to signed accidentally you can have problems. Check your code and compiler defaults for signed/unsigned char

Pcghost 10-21-2003 11:37 AM

Sorry you lost me. What does that mean in laymans terms?

jim mcnamara 10-21-2003 11:46 AM

I'm assuming that you are using the RSA MD5 algorithm, probably written in C. If you have some other code that calls the RSA code, it may be changing datatypes - what I think is happening.

However, I'm guessing. What I think is happening: one flavor of characters is being seamlessly turned into another flavor of characters

How does the MD5 get generated? Then how do you get it (what datatype) from your php code? Do you do some operation like TO_CHAR() on the data?

jim mcnamara 10-21-2003 11:48 AM

From your original question: Answer: Yes, the change is happening somewhere along the way. I think.

Pcghost 10-21-2003 12:31 PM

We are using whatever the latest version of PHP uses for Md5. We are setting a variable = Md5($password) and then using that to run an update query. We then query the database for the value of the field, which returns a 16 character Md5 checksum.


All times are GMT -5. The time now is 11:52 AM.