#2 MD5 passwords

closed
None
1
2006-08-23
2006-07-26
No

In INSTALL you write:
* username and password for users in dbmail must
currently be stored as plain text - support for other
encryption methods to come in the future

Do you know MD5 is *very* easy? Just put it in MD5()
in the SQL string.

$sql = "SELECT * FROM dbmail_users WHERE userid='" . db_escape_direct($this->email) . "'"
     . " AND passwd=MD5('" . db_escape_direct($this->passw) . "')";

Discussion

  • status: open --> pending
  • Logged In: YES, user_id=1453793

    I believe I tried that at one point and it didn't work.

    However that may be because I had copied the entire database
    to a different machine running a different version of MySQL
    for development reasons.

    I will experiment with this again at some point, but I want
    to concentrate first on getting the program running correctly.

  • priority: 5 --> 4
  • status: pending --> open
  • Logged In: YES, user_id=1453793

    Yup I just tried it.

    I created a user using dbmail-users making sure the p flag
    (passwordtype) was set to MD5.

    I then ran the following select statement:

    SELECT MD5('password') AS Encrypted, userid, passwd
    FROM dbmail_users WHERE user_idnr = xx

    There was one row returned as I suspected, but the passwd
    column was different from the Encrypted column - so dbmail
    is most likely using a different MD5 encryption.

    I'll work on converting that to PHP.

  • Logged In: YES, user_id=1453793

    Well I've determined the MD5 encryption used by dbmail and
    should be able to modify the login procedure (and change
    password) to work properly with it.

    The key was the crypt() command.

  • priority: 4 --> 1
  • assigned_to: nobody --> borvik
  • status: open --> closed
  • Logged In: YES, user_id=1453793

    MD5 Encrypted passwords now supported.

    Unfortunately while MySQL enables you to salt an encryption
    string in the ENCRYPT function (making pure SQL checking
    possible), I have been unable to find the equivalent in
    PostgreSQL - thus it's all handled in PHP.
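
The database-side variants discussed in this thread, written out as an added example (not the project's own queries). Table and column names are the ones that appear above (dbmail_users, userid, passwd, user_idnr); `?` stands for a bound parameter rather than the string concatenation in the original report.

```sql
-- The reporter's proposal: unsalted MD5() hex.  Only matches rows whose passwd
-- column was itself written with MD5(), which dbmail's "md5" password type is not.
SELECT user_idnr FROM dbmail_users WHERE userid = ? AND passwd = MD5(?);

-- MySQL: ENCRYPT(str, salt) calls the OS crypt(3).  Passing the stored column as
-- the salt reuses its "$1$salt$" prefix, so crypt-MD5 hashes compare correctly.
-- Caveat: ENCRYPT was removed in MySQL 8.0, and it depends on the OS crypt()
-- understanding the $1$ scheme.
SELECT user_idnr FROM dbmail_users WHERE userid = ? AND passwd = ENCRYPT(?, passwd);

-- PostgreSQL: the same idiom exists once the pgcrypto contrib module is loaded;
-- its crypt(password, salt) handles "$1$" hashes the same way.
SELECT user_idnr FROM dbmail_users WHERE userid = ? AND passwd = crypt(?, passwd);
```

Either in-database form sends the clear-text password inside the query, where a general query log or slow-query log can capture it; doing the comparison in application code, as the thread settled on, keeps the clear-text out of the database entirely and is the safer default whichever backend is in use.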