MD5ing words from file - 【StackMirror】|php|md5

What I am trying to do is,

Open the word file, read a line, convert it to md5, write to db if its not already there(both word and encrypted string)

For some reason, it doesnt work.

$file = fopen("list.txt", "r");

while (!feof($file))
{
$word = fgets($file);
$word = mysql_real_escape_string($word); // to prevent injections
$md5string = md5($word);

//check if in DB

$check = mysql_query("SELECT id FROM table WHERE word='$word'") or die(mysql_error
    ());
if (mysql_num_rows($check) > 0)
{
} //Nothing to do.
else
{
    $write = mysql_query("INSERT INTO table (word, md5string) VALUES ('$word','$md5string')") or
        die(mysql_error());
}
}

It is making the hashes and storing everything write, but the hashes thats made arent right.

Any idea whats wrong in my code?

Fix : I mysql_real_escaped the string before hashing and that was where I was wrong.

$word = trim(fgets($file));
$md5string = md5($word);
$word = mysql_real_escape_string($word); // to prevent injections`

ADD : I just corrected my script using the suggestions I got from here and found out that

Md5ecnrypter.com is doing it wrong.

They are escaping the string before hashing. How lame. Just checked other sites to see SO suggestions were right.

2012-04-04 17:41
by Kishor

You should not call mysql_real_escape_string before hashing the word. Also, it could be that the new line character is included when reading from the file - knittl 2012-04-04 17:44

Try change the order of lines

$word = trim(fgets($file));
$md5string = md5($word);
$word = mysql_real_escape_string($word); // to prevent injections

2012-04-04 17:45
by Seagull

the trim there is to remove the new line \n?

Thanks mate - Kishor 2012-04-04 17:47

trim() removes spaces and breaks before and after the content, like " hello " would return "hello" - Dion 2012-04-04 17:54

In this case it will remove \ - Seagull 2012-04-04 18:17

Just taking a stab at this, but the MD5 you are taking is the MD5 of the file after it has been potentially modified by the mysql_real_escape_string() call.

2012-04-04 17:43
by thedaver64

I see, but I did code a few lines to encrypt it from a webform, and it is working fine.The code below works just fine as I checked it from other encrypters. I face this problem when I do this from a file.

$word = $_POST['word']; $word = mysql_real_escape_string($word); $output = md5($word);Kishor 2012-04-04 17:45

yes, because you are taking the MD5 of the file data after it has been potentially modified by mysqlrealescape string, try re-arranging your code as suggested by myself and the other posters - thedaver64 2012-04-04 17:49

Maybe use md5() before mysql_real_escape_string()

2012-04-04 17:45
by Dion

Um,

Personally I would look for the hash instead, so:

SELECT * FROM table WHERE md5word=$hashed_word

I'd also use trim before md5-ing the word, you don't really need to mysql_real_escape_string() after md5, as md5 turns the data into a hexadecimal number, so, it would be better to do it before, if at all.

2012-04-04 18:03
by Azirius

I am saving both word and hash to the db. Word needs to be mysqlrealescape_string() else it would be really vulnerable - Kishor 2012-04-04 18:10

Well, yeah, I understand that, however, you don't need to escape data that's been hashed by md5 as it has turned the word to a hexadecimal number - Azirius 2012-04-04 18:12

I am escaping the input word which needs to be escaped because it is being used in an SQL query.

Kindly dont misguide - Kishor 2012-04-04 18:14

Quite clearly not misguiding. I 100% agree with you escaping your data, however, I merely stated that data passed through the md5() function doesn't need escaping as and and all data has been modified into a hexadecimal number. I'd never suggest not escaping data if it needed it - Azirius 2012-04-04 18:37