MD5 password changes checksum when entered into database.

Pcghost · 10-20-2003, 05:02 PM

When we enter a password into our php/html form, and then submit it to Mysql via an UPDATE query with the value hashed by Md5, the checksum in the database is shorter and completely different than the Md5 checksum that we echo on the page for testing.

My question. If a field length is shorter than the checksum submitted to it, will MySQL alter it or is the change taking place somewhere along the way? Has anyone ever seen this before?

Kurt M. Weber · 10-20-2003, 05:14 PM

If the field length is to small, the data will be truncated to fit.

Meaning the broken sum stored in the database is useless. You just need to lengthen the field.

Pcghost · 10-20-2003, 06:26 PM

The strange part is it doesn't appear to be truncated as one would expect, it is a completly different checksum. When queried and compared to the longer one they match. This gets more confusing by the minute.

jim mcnamara · 10-21-2003, 09:02 AM

How did you define the column's datatype with the CREATE statement?

Pcghost · 10-21-2003, 10:13 AM

It is a Varchar(16) field.

jim mcnamara · 10-21-2003, 11:04 AM

This is from RSA - part of a test suite for md5

Code:

static void MDString (string)
char *string;
{
  MD_CTX context;
  unsigned char digest[16];
  unsigned int len = strlen (string);

  MDInit (&context);
  MDUpdate (&context, string, len);
  MDFinal (digest, &context);

  printf ("MD%d (\"%s\") = ", MD, string);
  MDPrint (digest);
  printf ("\n");
}
/* Prints a message digest in hexadecimal.
 */
static void MDPrint (digest)
unsigned char digest[16];
{

  unsigned int i;

  for (i = 0; i < 16; i++)
 printf ("%02x", digest[i]);
}

unsigned char *digest[16];
Is the datatype - if you convert to signed accidentally you can have problems. Check your code and compiler defaults for signed/unsigned char

Pcghost · 10-21-2003, 11:37 AM

Sorry you lost me. What does that mean in laymans terms?

jim mcnamara · 10-21-2003, 11:46 AM

I'm assuming that you are using the RSA MD5 algorithm, probably written in C. If you have some other code that calls the RSA code, it may be changing datatypes - what I think is happening.

However, I'm guessing. What I think is happening: one flavor of characters is being seamlessly turned into another flavor of characters

How does the MD5 get generated? Then how do you get it (what datatype) from your php code? Do you do some operation like TO_CHAR() on the data?

jim mcnamara · 10-21-2003, 11:48 AM

From your original question: Answer: Yes, the change is happening somewhere along the way. I think.

Pcghost · 10-21-2003, 12:31 PM

We are using whatever the latest version of PHP uses for Md5. We are setting a variable = Md5($password) and then using that to run an update query. We then query the database for the value of the field, which returns a 16 character Md5 checksum.