MD5 and salt in MySQL

How can I "decode" a password stored in various electronic commerce by adding a "salt"? I am not a crypto expert ... so, in the past, I used something like:

SELECT * FROM mytable WHERE email=@email AND passwd=MD5(@pwd) 

The MySQL MD5 function accepts only one parameter ... What can I do if I have a salt string? Thanks

+6
3 answers

You need to add a column to mytable called salt, and then get this value when creating the MD5 hash:

 -- In MySQL, + is numeric addition, so the strings are joined with CONCAT()
 SELECT * FROM mytable WHERE email=@email AND passwd=MD5(CONCAT(salt, ':', @pwd))

When you insert a record, you will do:

 INSERT INTO mytable(email, salt, passwd) VALUES (@email, @salt, MD5(CONCAT(@salt, ':', @pwd)))
+8

A salt is a string that you add to the beginning of the text to be encrypted.

Do it like this: SELECT * FROM mytable WHERE email=@email AND passwd=MD5(CONCAT(@salt, @pwd))

+3

This logic should be in the application, then you just compare the calculated value with what is stored in the database.

(If not in the application, you can use functions in MySQL, but I would not recommend this approach. I like to keep all the application logic in one place, if possible, rather than distributed across different parts.)

If you perform such functions in the WHERE clauses of your query, MySQL will not be able to use the index on passwd because it needs to calculate something for each value in the passwd column. Instead, do your salting and hashing in your application, and then compare this final string with your stored information in a regular query that can use an index, like this:

 SELECT * FROM mytable WHERE email=@email AND passwd=@pwdhash 
+2

Source: https://habr.com/ru/post/887406/

