mysql_real_escape_string() Still Needed With md5()?

I am just going through some code and making sure that all user i开发者_StackOverflow社区nput is rune through mysql_real_escape_string() to prevent sql injections. For password input that are run through PHP's md5() function, is mysql_real_escape_string(0 still needed? It would seem that the encoding process would get rid of potential injection attacks.

Actually, yes and no.

You only need to use mysql_real_escape_string() if you set the 2nd parameter of md5() to true -- which produces a RAW md5 hash.

Otherwise, the only data coming back from something like md5($password) will be a string hash that matches this regexp /[a-z0-9]{32}/i -- which does not need to be escaped.

These guys explain why and how they exploited raw md5 hashes:

http://cvk.posterous.com/sql-injection-with-raw-md5-hashes

1. MD5 is not sufficient for password security -- MD5 is an old algorithm which is easily hacked; if you're using MD5 for hashing passwords, you may as well not be using anything at all. Current best-practice recommendation is to use the bcrypt algorithm.

2. mysql_real_escape_string() along with the rest of the mysql_xxx() functions is now deprecated. They are considered obsolete and insecure, and have not been recommended for use for some time now. The forthcoming PHP v5.5 will formally deprecate them, but you should try to stop using them even if you aren't planning to upgrade to 5.5 yet. See Why shouldn't I use mysql_* functions in PHP? for more info on this.

As I said, MD5 is not secure, and nor are most solutions that people write for themselves. The best solution to hashing passwords is to use a good quality library to do the work for you. PHP 5.5 will include a set of specially written password handling functions, which will make the whole thing much easier to keep secure. There is also a version of this library which has been back-ported to work in PHP 5.3 or 5.4. You can download this backport version from here: https://github.com/ircmaxell/password_compat

At this moment in time, this represents probably the single best solution to password storage available in PHP. I strongly recommend you to use it.