This is a discussion on Does MD5 work cross-platform? within the PHP Language forums, part of the PHP Programming Forums category.
I'm trying to store user passwords in a MySQL database. I learned the hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work cross-platform, but if I encrypt on the server side with PHP's md5 function, will it work cross-platform (or cross-processor?)

Thank you for any advice

Acrobatic wrote:
> I'm trying to store user passwords in a MySQL database. I learned the
> hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
> cross-platform, but if I encrypt on the server side with PHP's md5
> function, will it work cross-platform (or cross-processor?)
>
> Thank you for any advice

It should be cross platform, as far as I know.

On Fri, 23 Nov 2007 16:47:23 +0100, Acrobatic <jbnunn@gmail.com> wrote:
> I'm trying to store user passwords in a MySQL database. I learned the
> hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
> cross-platform, but if I encrypt on the server side with PHP's md5
> function, will it work cross-platform (or cross-processor?)

md5 should even be cross-language/script. A Perl md5 = a PHP md5 = a MySQL md5 = a JAVA md5.

You can't decrypt/decode it though (well, at least not practically).

--
Rik Wasmus

Rik Wasmus emailed this:
> On Fri, 23 Nov 2007 16:47:23 +0100, Acrobatic <jbnunn@gmail.com> wrote:
>
>> I'm trying to store user passwords in a MySQL database. I learned the
>> hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
>> cross-platform, but if I encrypt on the server side with PHP's md5
>> function, will it work cross-platform (or cross-processor?)
>
> md5 should even be cross-language/script. A Perl md5 = a PHP md5 = a
> MySQL md5 = a JAVA md5.

Yes. MD5 is a standard hash function, unless all software implementations of MD5 provide exactly the same result, its use is pretty much pointless. The only reason why one version of MD5 could give a different result from another is if one of them has not implemented the algorithm correctly, in which case it is not an implementation of MD5 at all but is a flawed variation of it.

More Info.: http://en.wikipedia.org/wiki/Md5

On Nov 23, 8:47 am, Acrobatic <jbn...@gmail.com> wrote:
> I'm trying to store user passwords in a MySQL database. I learned the
> hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
> cross-platform, but if I encrypt on the server side with PHP's md5
> function, will it work cross-platform (or cross-processor?)
>
> Thank you for any advice

Not exactly your question, but an often useful tidbit nonetheless:

On a Linux server, if you want to generate an md5 hash from the command line that would duplicate what would also be generated from PHP, you have to remember to echo -n (print to the console without a newline at the end of your string). I do this, for instance, when manually adding new users into an authentication database.

`echo -n obama` produces the same hash as md5("obama") in PHP.

`echo obama` does not......

On Nov 23, 11:47 am, salmobytes <Sandy.Pittendr...@gmail.com> wrote:
> On Nov 23, 8:47 am, Acrobatic <jbn...@gmail.com> wrote:
>
> > I'm trying to store user passwords in a MySQL database. I learned the
> > hard way that using MySQL "DECODE" and "ENCODE" doesn't seem to work
> > cross-platform, but if I encrypt on the server side with PHP's md5
> > function, will it work cross-platform (or cross-processor?)
>
> > Thank you for any advice
>
> Not exactly your question, but an often useful tidbit nonetheless:
>
> On a Linux server, if you want to generate an md5 hash
> from the command line that would duplicate what would also
> be generated from PHP, you have to remember to echo -n
> (print to the console without a newline at the end of your string).
> I do this, for instance, when manually adding new users into
> an authentication database.
>
> `echo -n obama` produces the same hash as md5("obama") in PHP.
>
> `echo obama` does not......

echo -n obama | md5sum

that is

Matthew wrote:
> Yes. MD5 is a standard hash function, unless all software implementations
> of MD5 provide exactly the same result, its use is pretty much pointless.
> The only reason why one version of MD5 could give a different result from
> another is if one of them has not implemented the algorithm correctly, in
> which case it is not an implementation of MD5 at all but is a flawed
> variation of it.

Well, in a language that uses null-terminated strings, a case could be made for or against including the null in the hash's input string. This could lead to two possible results for one input.

Also, although it's customary to hex-encode the output of an MD5 hash (as PHP's md5() function does), it could be shown in decimal, octal or some other base, in which case, although the result would be the same, it would *look* very different, and a simple string comparison would class them as different.

Also even with hex-encoded MD5s, you need to make sure that the comparison is case-insensitive.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 1 day, 6 min.]

It'll be in the Last Place You Look
http://tobyinkster.co.uk/blog/2007/11/21/no2id/
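
The input and output pitfalls raised in the post above and in the earlier `echo -n` posts (trailing newline, null terminator, raw versus hex digest, hex case), shown together as an added PHP example that is not part of the original thread. The helper names `digest_to_hex` and `md5_matches` are hypothetical.

```php
<?php
// Added example (not from the thread); helper names are hypothetical.

// Normalise a stored MD5 digest to lowercase hex, whatever form it was saved in.
// Accepts 32 hex characters in either case, or the raw 16-byte digest.
function digest_to_hex(string $stored): string
{
    if (strlen($stored) === 16) {                 // raw binary, as md5($s, true) returns
        return bin2hex($stored);
    }
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        return strtolower($stored);               // hex case carries no information
    }
    throw new InvalidArgumentException('not an MD5 digest');
}

// Compare the MD5 of $input with a stored digest. The input is hashed exactly
// as given: no trimming, no added terminator.
function md5_matches(string $input, string $stored): bool
{
    return hash_equals(digest_to_hex($stored), md5($input));
}

$word = 'obama';      // sample string used in the thread
$hex  = md5($word);   // lowercase hex, the form `echo -n obama | md5sum` prints

// One digest in three encodings: each is accepted once normalised.
var_dump(md5_matches($word, $hex));
var_dump(md5_matches($word, strtoupper($hex)));
var_dump(md5_matches($word, md5($word, true)));

// One extra input byte gives an unrelated digest.
var_dump(md5_matches($word . "\n", $hex));   // the newline plain `echo obama` appends
var_dump(md5_matches($word . "\0", $hex));   // a C-style terminator hashed with the string

// Without normalisation, a plain string comparison is sensitive to hex case.
var_dump($hex === strtoupper($hex));
```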

Rik Wasmus wrote:
> You can't decrypt/decode it though (well, at least not practically).

Well, you can't at all, because for any given MD5 hash, there are infinite possible inputs which could have generated it. So even if you manage to find an input which produces that value as its output (which is more or less an enormous brute-force search), you can't be sure that it's the same as the original input.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 1 day, 9 min.]

It'll be in the Last Place You Look
http://tobyinkster.co.uk/blog/2007/11/21/no2id/

Toby, I think you are mistaken.
In theory, every md5 hash is unique. An md5 hash is bound to a single unique input. If a brute-force matches a hash, THAT is the original input.

Regards,
Kailash Nadh
http://kailashnadh.name

On Nov 23, 7:13 pm, Toby A Inkster <usenet200...@tobyinkster.co.uk> wrote:
> Rik Wasmus wrote:
> > You can't decrypt/decode it though (well, at least not practically).
>
> Well, you can't at all, because for any given MD5 hash, there are infinite
> possible inputs which could have generated it. So even if you manage to
> find an input which produces that value as its output (which is more or
> less an enormous brute-force search), you can't be sure that it's the same
> as the original input.
>
> --
> Toby A Inkster BSc (Hons) ARCS
> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
> [OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 1 day, 9 min.]
>
> It'll be in the Last Place You Look
> http://tobyinkster.co.uk/blog/2007/11/21/no2id/

On Mon, 26 Nov 2007 04:22:41 +0100, Kailash Nadh <kailash.nadh@gmail.com> wrote:
> On Nov 23, 7:13 pm, Toby A Inkster <usenet200...@tobyinkster.co.uk> wrote:
>> Rik Wasmus wrote:
>> > You can't decrypt/decode it though (well, at least not practically).
>>
>> Well, you can't at all, because for any given MD5 hash, there are infinite
>> possible inputs which could have generated it. So even if you manage to
>> find an input which produces that value as its output (which is more or
>> less an enormous brute-force search), you can't be sure that it's the same
>> as the original input.
> Toby, I think you are mistaken.
> In theory, every md5 hash is unique. An md5 hash is bound to a single
> unique input. If a brute-force matches a hash, THAT is the original
> input.

No, Toby is right: different input can generate the same output (if not, we would have found a great ZIP functionality, didn't we? If we can md5 a file, and every md5 is unique yet limited to a certain length, you could put all books into one file, and md5 it. If a md5 is unique, it is reversible.). Brute force cracking involves guessing at original input length & probability of input. It can be done (with 'probabilities of input'), it's not something hackers would like to spend their CPU cycles on though.

--
Rik Wasmus
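
The counting argument in this exchange, as an added PHP example that is not part of the original thread. It assumes MD5 truncated to its first 16 bits, purely so the search finishes at once; the full 128-bit digest is a fixed-length output in the same way. The names `short_md5`, `find_collision` and `brute_force` are hypothetical.

```php
<?php
// Added example (not from the thread). MD5 is truncated to $bits bits so the
// effect shows up immediately; the argument is the same for all 128 bits.

// First $bits bits of the MD5 hex digest. $bits must be a multiple of 4.
function short_md5(string $input, int $bits = 16): string
{
    return substr(md5($input), 0, intdiv($bits, 4));
}

// Hash "msg0", "msg1", ... until two different inputs share a digest.
// With 2^$bits possible outputs, this must happen within 2^$bits + 1 inputs.
function find_collision(int $bits = 16): array
{
    $seen = [];
    for ($i = 0; ; $i++) {
        $input = "msg$i";
        $h = short_md5($input, $bits);
        if (isset($seen[$h])) {
            return [$seen[$h], $input, $h, $i + 1];
        }
        $seen[$h] = $input;   // remember the first input seen for this digest
    }
}

// Brute force over the same candidates: first input whose digest equals $target.
function brute_force(string $target, int $bits = 16): string
{
    for ($i = 0; ; $i++) {
        if (short_md5("msg$i", $bits) === $target) {
            return "msg$i";
        }
    }
}

[$first, $second, $digest, $tries] = find_collision();
echo "digest $digest shared by '$first' and '$second' after $tries inputs\n";

// Treat $second as the original input. The search stops at $first, which has
// the same digest; the digest alone cannot say which of the two was hashed.
$recovered = brute_force(short_md5($second));
var_dump($recovered === $first, $recovered !== $second);
```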