PDA

View Full Version : what am I doing wrong in the password script

dynamot
10-02-2007, 09:49 PM
Hi All,

I am a beginner lvl prgmr

I am trying to fire a query to the user table in the database. My goal is to display the value of password as "Orig text", as the passwords are encrypted in the database table.

What am I doing wrong? Can you take a look at the line 14
"$password2 = md5(md5($pass['password']) . $pass['salt']); " Is this correct?
I am unable to show the passwords in simple text.

I am running vBulletin 3.68

<?php
mysql_connect("your.hostaddress.com", "username", "password") or die(mysql_error());
mysql_select_db("Database_Name") or die(mysql_error());

$data = mysql_query("SELECT * FROM user")
or die(mysql_error());
Print "<table border cellpadding=3>";
while($pass = mysql_fetch_array( $data ))
{
Print "<tr>";
Print "<th>UserName:</th> <td>".$pass['username'] . "</td> ";

$password2 = md5(md5($pass['password']) . $pass['salt']);
Print "<th>As stored in db</th> <td>".$pass['password'] . "</td> ";
Print "<th>Clear text password:</th> <td>".$password2. "</td> ";

Print "<th>salt:</th> <td>".$pass['salt'] . " </td></tr>";
}
Print "</table>";
?>

Tx in advance
Analogpoint
10-03-2007, 12:28 AM
You said it yourself- the passwords are encrypted and cannot be show in plain text.
dynamot
10-03-2007, 01:16 AM
Ok, I understand that since they are encrypted, the passwords cant be seen in "Orig Text". So is the encryption taking place at the MySql server level or is it in php?

sorry, am a newbie in php, hence these kinda questions ;)
Analogpoint
10-03-2007, 01:25 AM
In php. the md5 function is used to encrypt the password, which is then saved in the database. To check the user's password when they log in, it's md5ed and then that hash is compared with what's stored in the database.
dynamot
10-03-2007, 02:03 AM
Got it. That makes a sense.
Tx much

but for my general knowledge purposes, if you use something to encrypt, isnt there something else to decrypt it?

Or is the whole concept of decrypting a whole different science?
Dismounted
10-03-2007, 05:27 AM
By default, the passwords are sent to the server hashed once. So not even the server knows the plain-text.

The correct terminology is actually "hash" instead of "encrypt". Although encrypt is widely used and regarded as correct anyway. MD5 is a "one-way" hash, there are ways to retrieve the original text, but in no way is it "decrypting".
Paul M
10-03-2007, 06:58 AM
There are ways to try and guess the original text - but you can never be sure, because all they do is try and find text that generates the same hash, it may not actually be the same text you end up with (in the case of passwords that doesn't really matter of course, as long as it works).
dynamot
10-03-2007, 11:16 AM
Thank you all very much.

This has been very useful session for me.