php hash md5 password-hash

Using the md5 function


In PHP, how do we use the md5 encryption method? Suppose we have a login form. When we want an encrypted text, we use

$encryptedtxt=md5('text');

Then we send this $encryptedtxt to the database. Now, if we want to compare this $encryptedtxt with the user's new input at login, what should we do? If we should recover the text from its encrypted form, how? Thanks.


Solution

  • MD5 is no longer considered safe to use for password hashing; it's 30 years old and is considered "broken".

    Use a modern-day method, including prepared statements.

    Here are a few articles you can read up on:


    Pulled from ircmaxell's answer https://stackoverflow.com/a/29778421/

    Just use a library. Seriously. They exist for a reason.

    Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

    $dbh = new PDO(...);
    
    $username = $_POST["username"];
    $email = $_POST["email"];
    $password = $_POST["password"];
    $hash = password_hash($password, PASSWORD_DEFAULT);
    
    $stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
    $stmt->execute([$username, $email, $hash]);
    

    And on login:

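    $sql = "SELECT * FROM users WHERE username = ?";
    $stmt = $dbh->prepare($sql);
    // execute() returns a bool, so fetch the rows from the statement itself
    $stmt->execute([$_POST['username']]);
    // fetch rows as objects so that ->password works
    $users = $stmt->fetchAll(PDO::FETCH_OBJ);
    if (isset($users[0])) {
        // compare the submitted password against the stored hash
        if (password_verify($_POST['password'], $users[0]->password)) {
            // valid login
        } else {
            // invalid password
        }
    } else {
        // invalid username
    }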
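
Added example, not part of the original answer or its author's code: a self-contained registration and login flow with `password_hash()`/`password_verify()` that also goes beyond the answer by upgrading rows that still hold a bare `md5()` digest, as in the question, at the first successful login. The in-memory SQLite database, the `users` layout, the `register()`/`login()` helpers and the sample accounts are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the original answer). Table layout and sample
// credentials are constructed; requires the pdo_sqlite extension.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register(PDO $dbh, string $username, string $password): void
{
    // password_hash() generates its own salt and embeds algorithm, cost and salt in its output.
    $stmt = $dbh->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $dbh, string $username, string $password): bool
{
    $stmt = $dbh->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown username
    }
    // Legacy row: a bare 32-hex-digit MD5 digest, as produced in the question.
    $isLegacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacy
        ? hash_equals($stored, md5($password))   // constant-time comparison
        : password_verify($password, $stored);
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // The plaintext is only available at login, so upgrade the stored hash now.
        $upd = $dbh->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return $ok;
}

// Constructed sample data: one new-style account and one legacy MD5 account.
register($dbh, 'alice', 'correct horse');
$dbh->prepare('INSERT INTO users VALUES (?, ?)')->execute(['bob', md5('hunter2')]);

var_dump(login($dbh, 'alice', 'correct horse')); // correct password
var_dump(login($dbh, 'alice', 'wrong'));         // wrong password
var_dump(login($dbh, 'bob', 'hunter2'));         // legacy row is verified, then rehashed
$row = $dbh->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn();
var_dump(password_get_info($row)['algoName']);   // algorithm now recorded in bob's stored hash
```

Neither path recovers the original text from the stored value: the submitted password is hashed again and the two results are compared.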