Re: Escaping MySQL passwords necessary when md5 is used?

On Wed, Sep 21, 2011 at 13:53, Dotan Cohen <dotancohen@xxxxxxxxx> wrote:
> I have an application in which the password is stored in the database
> as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
> entered with:
> $password=md5(  md5($_POST['password']).'userSpecificSalt'  );
> $query="SELECT id FROM table WHERE password='{$password}'";
>
> Now I'm a bit queasy about not using mysql_real_escape_string() on
> that $password variable! Please reassure me or tell me the folly of my
> ways. Thanks!

    It never hurts to be overly cautious, but as MD5 hashes are
strictly alphanumeric (using hex characters), you won't have an issue
with injection with the code above.  That is, of course, unless your
version of PHP is rebuilt without MD5 hash support, or some other
oddity that is on the outside edge of possibility.

-- 
</Daniel P. Brown>
Network Infrastructure Manager
http://www.php.net/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
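
The point made in the reply above, as an added example that is not part of the original thread: hex-mode md5() output stays within [0-9a-f] for any input, raw-output mode does not, and a bound parameter removes the question altogether. The users table, the in-memory SQLite database and the sample strings are assumptions made up for the illustration.

```php
<?php
// Added illustration; table name, salt and inputs are constructed.
$salt = 'userSpecificSalt';

function hashPassword(string $plain, string $salt): string
{
    // Same scheme as in the thread: md5(md5(password) . salt), hex output.
    return md5(md5($plain) . $salt);
}

// 1. Hex-mode md5() returns 32 characters of [0-9a-f] regardless of input,
//    so quotes in the submitted password never reach the SQL string.
$submitted = "pass'Word\"; --";
$hex = hashPassword($submitted, $salt);
var_dump(preg_match('/^[0-9a-f]{32}$/', $hex) === 1);

// 2. Caveat: md5($s, true) returns 16 raw bytes, which can be any byte
//    value. The "hex only" guarantee does not cover that mode.
$raw = md5($submitted, true);
var_dump(strlen($raw), ctype_xdigit($raw));

// 3. Binding the value keeps the query safe even if the hashing code later
//    changes (raw output, a different algorithm, a refactor that drops md5).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users (password) VALUES (?)')
   ->execute([hashPassword('passWord', $salt)]);

function findIdByPassword(PDO $db, string $plain, string $salt): ?int
{
    // Same query shape as in the thread, with a placeholder instead of
    // string interpolation.
    $stmt = $db->prepare('SELECT id FROM users WHERE password = ?');
    $stmt->execute([hashPassword($plain, $salt)]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

var_dump(findIdByPassword($db, 'passWord', $salt));   // matching password
var_dump(findIdByPassword($db, $submitted, $salt));   // no match
```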



