encryption and security

Bram · 02-10-2009, 07:13 PM

Well, I have a bunch of questions to ask, but I will start with this one.

When I read tutorials, articles or topics on the internet about security I often read the following thing:

Code:

<?php 
 
   // escape all data in variables to prevent mysql injection   
  $user = mysql_real_escape_string($user);
  $pass = mysql_real_escape_string($pass);
  $pass = md5($pass);
?>

Now my question, is it really necessary to use the mysql_real_escape_string() function when you will md5() or sha1() the password? Because I always thought you use the mysql_real_escape_string() function to escape special characters into a string by using '\'. But when you use md5() or sha1(), the password itself would be completely encrypted so you wouldn't have to use the mysql_real_escape_string() function?

The code would then become like this:

Code:

<?php
   $user=mysql_real_escape_string($user);
   $pass=md5($pass);
?>

Well I hope you understand my question, since my english isn't perfect but I'm working on it. Thanks!

Salathe · 02-10-2009, 07:37 PM

Yes, you're right. The MD5 function will return a string only ever containing 32 hexadecimal (0-9a-f) characters so there's no need to escape that.

Bram · 02-10-2009, 07:42 PM

Thank you, I just wanted to know sure.

Wildhoney · 02-11-2009, 12:03 AM

Although that is correct and there are no security implications in such code, you must remain consistent if you're not going to escape passwords. Take the following as a key example as to why you must remain consistent in either escaping or not escaping:

php Code:

$szString = "'Test'";
echo md5($szString);
echo "\n";
echo md5(mysql_real_escape_string($szString));

As you can see, the two MD5 strings now differ because the former has no slashes, and the latter has slashes to escape the single quotes.