TalkPHP (http://www.talkphp.com/forums.php)

Bram 02-10-2009 07:13 PM

encryption and security
 
Well, I have a bunch of questions to ask, but I will start with this one.

When I read tutorials, articles or topics on the internet about security I often read the following thing:

Code:

<?php
 
  // escape all data in variables to prevent mysql injection 
  $user = mysql_real_escape_string($user);
  $pass = mysql_real_escape_string($pass);
  $pass = md5($pass);
?>

Now my question: is it really necessary to use the mysql_real_escape_string() function when you will md5() or sha1() the password? I always thought you use the mysql_real_escape_string() function to escape special characters in a string with '\'. But when you use md5() or sha1(), the password itself would be completely encrypted, so you wouldn't have to use the mysql_real_escape_string() function?

The code would then become like this:

Code:

<?php
  $user=mysql_real_escape_string($user);
  $pass=md5($pass);
?>

Well, I hope you understand my question, since my English isn't perfect, but I'm working on it. Thanks! :-)

Salathe 02-10-2009 07:37 PM

Yes, you're right. The MD5 function will return a string only ever containing 32 hexadecimal (0-9a-f) characters so there's no need to escape that.

Bram 02-10-2009 07:42 PM

Thank you, I just wanted to know for sure.

Wildhoney 02-11-2009 12:03 AM

Although that is correct and there are no security implications in such code, you must remain consistent if you're not going to escape passwords. Take the following as a key example of why you must remain consistent in either escaping or not escaping:

Code:

<?php
  // the same input hashed twice: once as typed, once after escaping
  $szString = "'Test'";
  echo md5($szString);
  echo "\n";
  // mysql_real_escape_string() needs an open MySQL connection to work
  echo md5(mysql_real_escape_string($szString));
?>

As you can see, the two MD5 strings now differ because the former has no slashes, and the latter has slashes to escape the single quotes.
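The following is an added example written for this thread, not code posted by any of the participants. It puts Salathe's point (a hex digest contains nothing SQL could misparse) and Wildhoney's point (escaping before hashing changes the digest, so registration and login must transform the password identically) into one runnable script, and then shows what has replaced both mysql_real_escape_string() and md5() for this job: bound parameters instead of escaping, and password_hash()/password_verify() instead of an unsalted fast hash. The mysql_* extension was removed in PHP 7.0, so mysql_real_escape_string() cannot be called here; addslashes() stands in for it only to show the mismatch, and the user store uses PDO with an in-memory SQLite database (assumption: the pdo_sqlite extension is loaded). The username and password values are constructed sample input.

```php
<?php
declare(strict_types=1);

// Added example for the thread above; not from the original posts.
// 1. Why a hex digest never needs escaping.
// 2. Why escaping *before* hashing must be applied identically everywhere.
// 3. What replaces mysql_real_escape_string() and md5() for logins today.

// Salathe's point: md5() returns exactly 32 lowercase hex characters,
// none of which a SQL parser can read as a quote, comment or operator.
function isPlainHex(string $digest): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $digest) === 1;
}

// Wildhoney's point: escaping changes the bytes being hashed, so the
// digest changes too. mysql_real_escape_string() needs a live MySQL link
// (and no longer exists in PHP 7+), so addslashes() is used here only as
// an offline stand-in that backslash-escapes the same quote characters
// (assumption for this demo; the real function is charset aware).
function digestsMatch(string $password): bool
{
    return md5($password) === md5(addslashes($password));
}

// Today: bind values instead of escaping them, and store a salted, slow
// password hash instead of md5(). In-memory SQLite keeps the demo offline.
function demoUserStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $name, string $password): void
{
    // The username is sent as a bound parameter, never spliced into SQL,
    // so a quote inside it is just data. The password is never stored.
    $stmt = $db->prepare('INSERT INTO users (name, pwhash) VALUES (:name, :hash)');
    $stmt->execute([
        ':name' => $name,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function loginUser(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user
    }
    // password_verify() re-applies the salt and cost stored in the hash,
    // so the caller never has to "remain consistent" about escaping:
    // the raw password goes in on both registration and login.
    return password_verify($password, (string) $hash);
}

// Constructed sample input: a password containing single quotes, and a
// username containing a single quote.
$plain = "'Test'";
$user  = "o'brien";

printf("md5 digest is hex only: %s\n", isPlainHex(md5($plain)) ? 'yes' : 'no');
printf("digest unchanged by escaping: %s\n", digestsMatch($plain) ? 'yes' : 'no');

$db = demoUserStore();
registerUser($db, $user, $plain);
printf("login with original password: %s\n", loginUser($db, $user, $plain) ? 'ok' : 'rejected');
printf("login with wrong password:    %s\n", loginUser($db, $user, 'Test') ? 'ok' : 'rejected');
printf("login with injection in name: %s\n", loginUser($db, "x' OR '1'='1", $plain) ? 'ok' : 'rejected');
```

Run it with `php example.php`. The first check confirms Salathe's answer, the second reproduces Wildhoney's mismatch (the digest of the escaped string differs from the digest of the raw one), and the three login attempts show that with bound parameters and password_verify() the quotes in the username and password are inert and only the original password is accepted.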

