grashoper has asked for the wisdom of the Perl Monks concerning the following question:

Looking to support special characters in my login process for my website. I am using an md5 checker against remedyapi and am not sure how to do this. I have a requirement to add support for & in the password field.

    sub Auth {
        #uses arsperl
        #unsets usrVariables
        #selects auth info, compares md5 hashes, sets usrVariables if successful
        #reloads current page
        use Digest::MD5 qw(md5 md5_hex md5_base64);
        use ARS;
        use OLE;
        $response->write("This is $md5H");
        my ($Site, $User, $md5H) = @_;
        if ($Session->{'trackActivity'}){lg("ACTIVITY","Clear Session User Info (Auth($Site, $User, $md5H))");}
        $Session->{'authenticationMessage'} = "";
        $Session->{'isAuthenticated'} = 0;
        $Session->{'usrID'} = undef;
        $Session->{'usrPassword'} = undef;
        $Session->{'usrName'} = undef;
        $Session->{'usrEmail'} = undef;
        $Session->{'usrSystem'} = undef;
        $Session->{'usrAccount'} = undef;
        $Session->{'usrLevel'} = undef;
        $Session->{'usrType'} = undef;
        $Session->{'usrClass'} = "0";
        $Session->{'trainingDelegate'} = 0;
        $Session->{'usrDayContact'} = undef;
        $Session->{'usrEveningContact'} = undef;
        $Session->{'statsRights'} = 0;
        $Session->{'adminRights'} = 0;
        if ($User)
        {
            # if (!$Site && uc($User) eq "super")
            # {
            #     $Site = "sitecode";
            # }
            if (!$Site && uc($User) eq "000")
            {
                $Site = "SEF";
            }
            if ($Site)
            {
                my $sql = "SELECT Name1, Name2, Name3, Email, SystemID, AccountID, AccessLvl, MLXChange, PhoneNum, AltNum, Password, ContactEmail, ContactNum FROM ARAdmin.MLSUser WHERE Username = '$User' AND SystemID = '$Site'";
                my $MLSUser = ARSselect($sql);
                if($MLSUser)
                {
                    if ($MLSUser->{numMatches} == 1)    #One User Found
                    {
                        my $aHash = md5_hex(lc($Session->SessionID(). $User. @{@{$MLSUser->{rows}}[0]}[10]. $Request->ServerVariables("REMOTE_ADDR")->item()));
                        if ($aHash eq $md5H)    #hashes match
                        {
                            if ($Session->{'trackActivity'}){lg("ACTIVITY","Set Athenticated User Info Variables (Auth())");}
                            $Session->{'isAuthenticated'} = 1;
                            $Session->{'usrID'} = $User;
                            $Session->{'usrName'} = @{@{$MLSUser->{rows}}[0]}[0]." ".@{@{$MLSUser->{rows}}[0]}[2];
                            if (@{@{$MLSUser->{rows}}[0]}[11])
                            {
                                $Session->{'usrEmail'} = @{@{$MLSUser->{rows}}[0]}[11];
                            }
                            else
                            {
                                $Session->{'usrEmail'} = @{@{$MLSUser->{rows}}[0]}[3];
                            }
                            $Session->{'usrSystem'} = @{@{$MLSUser->{rows}}[0]}[4];
                            $Session->{'usrAccount'} = @{@{$MLSUser->{rows}}[0]}[5];
                            $Session->{'usrPassword'} = @{@{$MLSUser->{rows}}[0]}[10];
                            $Session->{'usrLevel'} = @{@{$MLSUser->{rows}}[0]}[6];
                            if (@{@{$MLSUser->{rows}}[0]}[7] == 2)    #UserClass
                            {
                                $Session->{'usrType'} = "Pro";
                            }
                            else
                            {
                                $Session->{'usrType'} = "Std";
                            }
                            if (uc($User) eq "NAT")    #Permissions Admin,Support,Staff, SysDelegate,AcctDelegate,User
                            {
                                $Session->{'usrClass'} = "8";
                            }
                            else
                            {
                                $Session->{'usrClass'} = "0";
                            }
                            Super($Session->{'usrSystem'}, $Session->{'usrID'});
                            if (@{@{$MLSUser->{rows}}[0]}[12])
                            {
                                $Session->{'usrDayContact'} = @{@{$MLSUser->{rows}}[0]}[12];
                            }
                            else
                            {
                                $Session->{'usrDayContact'} = @{@{$MLSUser->{rows}}[0]}[8];
                            }
                            $Session->{'usrEveningContact'} = @{@{$MLSUser->{rows}}[0]}[9];
                        }
                        else
                        {
                            $Session->{'authenticationMessage'} = "Bad UserID/Password";    #hashes dont match
                        }
                    }
                    else
                    {
                        $Session->{'authenticationMessage'} = "Unable to Authenticate";    #more than one user,. rare but has happened before
                    }
                }

Replies are listed 'Best First'.
Re: MD5 and passwords
by jwkrahn (Abbot) on Apr 09, 2008 at 19:23 UTC
    if (!$Site && uc($User) eq "super")

    How could uc($User) ever be equal to "super"?

    if (!$Site && uc($User) eq "000")

    I didn't know that a zero digit had an upper and lower case.

    $Session->{'usrName'} = @{@{$MLSUser->{rows}}[0]}[0]." ".@{@{$MLSUser->{rows}}[0]}[2];

    Why are you using a list in scalar context?

    The proper way to write that is:

    $Session->{'usrName'} = $MLSUser->{rows}[0][0]." ".$MLSUser->{rows}[0][2];

    In fact everywhere that you write @{@{$MLSUser->{rows}}[0]}[n] should be changed to $MLSUser->{rows}[0][n].

Re: MD5 and passwords
by mr_mischief (Monsignor) on Apr 09, 2008 at 19:34 UTC
    I'm not sure I want to digest all of that code to figure out your real question. MD5 is a string hashing algorithm and it handles '&' as part of the strings it hashes just fine. The md5_hex sub offered by Digest::MD5 doesn't appear deficient in this regard at all.

    Some databases offer an MD5 function if that's what you need. In MySQL for example, you can place md5( 'foo&bar' ) as a value into an insert, update, select, or delete and the value '44d04b237ba2fdda8b13bc2b119929b6' gets matched against your data. It might be easier to use a feature like that if you're having issues with using MD5 in your Perl code.
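
Added example, not part of the thread and not any poster's code: it rebuilds the `$aHash` expression from the question's `Auth` with a stored password containing `&` and compares it with hashes of altered copies of that password. The sample values and the list of altered forms are constructed assumptions; the thread does not say where the `&` is being changed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Same construction as the $aHash line in the question's Auth():
# md5_hex(lc(session id . user . stored password . remote address))
sub auth_hash {
    my ($session_id, $user, $password, $remote_addr) = @_;
    return md5_hex(lc($session_id . $user . $password . $remote_addr));
}

# Constructed sample values, not taken from the thread.
my ($sid, $user, $addr) = ('123456789', 'jdoe', '192.0.2.10');
my $stored = 'Tom&Jerry1';

# What the server-side comparison expects for the stored password.
my $expected = auth_hash($sid, $user, $stored, $addr);

# Candidate forms of the password as it might reach the hashing step.
# The altered forms are assumptions made for this comparison only.
my %candidates = (
    'unchanged'           => $stored,
    'HTML-escaped'        => 'Tom&amp;Jerry1',
    'URL-escaped'         => 'Tom%26Jerry1',
    'cut at the &'        => 'Tom',
    'different case only' => 'TOM&JERRY1',
);

# Hash each candidate the same way and report whether it would pass.
for my $label (sort keys %candidates) {
    my $got = auth_hash($sid, $user, $candidates{$label}, $addr);
    printf "%-20s %s %s\n", $label, $got,
        $got eq $expected ? 'MATCH' : 'no match';
}
```

The "different case only" row matches because `lc()` is applied to the whole concatenated string, password included, so the comparison in `Auth` is case-insensitive for passwords.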

Re: MD5 and passwords
by samtregar (Abbot) on Apr 09, 2008 at 18:42 UTC
    What did you try? What happened? We're not here to do your job for you!

    -sam