concatenate a MD5 string with another

Hello people

I Have a MySQL query that i want to send to a different page. To make it secure before it is sent I am MD5()ing the string. Then sending the data using sessions.

When the second page receives the string i want to add a new string to the end of the MD5() string. Basically to change the where clause

Not sure if MD5 is the best way to encrypt or if there is a better way to move variables other than a session.

PHP Code:

---

//First page.
session_start();

$q = "SELECT Field_1, Field_2 FROM `some_table`";

$_SESSION['query'] = md5($q); 


---

PHP Code:

---

//Second Page
session_start();
$q = $_SESSION['query'];

$query = $q . " WHERE Field_1='123';";
    
    $run = @mysqli_query($dbc, $query);
           //get info from database..... 


---

Any ideas would be very appreciated!

Thanks

Joe:confused:

Not a chance.

You're query would then look something like this:

Code:

---

mysqli_query($dbc,"ce8e8a7847e4d4837d6c8d4d3b8898cc  WHERE Field_1='123';"

---

That makes no sense to a database or anything/body else.

Maybe it would help more if you told us what you were trying to accomplish?
Why cant you build the entire query on a single page?

I'm updating a login script i made in college. I only want to enter the query once (selecting the fields and table).

So I have 1 page for the form, and initial selecting of the user from the DB.
Then a second that i include at the top of each page that checks if the sessions are active and the user is still in the database. Maybe i do not need the query in second page?

Regardless of whether you need to store a query in the session data (I'm not convinced that should be the case), you probably do not need to encrypt it since it stays on the server (only the session ID is sent to the client). If you are concerned that you're on a shared server and someone might be able to view your session data, then you could use your database to store the session data.

Ultimately, if you do need to encrypt your data, you need to use an encryption function rather than a hashing function such as md5().

I have been wondering about how sessions are shown on the client side. So there is no way that a user can access the data stored in a session?

the reason i only want to enter the query once (as a variable) is so I can use the same login script for multiple login areas on the same site. Other wise I will have to duplicate all the login pages just to change one line of query information.

any ides on how this could be better accomplished?

Quote:

---

Originally Posted by kingafrojoe

I have been wondering about how sessions are shown on the client side. So there is no way that a user can access the data stored in a session?

---

No, the session data is never sent to the client, only the session ID cookie is.

Quote:

---

the reason i only want to enter the query once (as a variable) is so I can use the same login script for multiple login areas on the same site. Other wise I will have to duplicate all the login pages just to change one line of query information.

any ides on how this could be better accomplished?

---

Not 100% sure why you want to do that, but it seems to me more like something you would do in a config file that you could then include/require wherever you might need it, either setting that query string as a variable or constant, or defining a function to handle it where you could pass the WHERE clause as a function argument.

Do you just want to keep the user logged in on your site while he/she goes from page to page? You could store that info into either a session variable or a cookie. If you do store passwords, always hash them (in the DB and session var or cookie), either using MD5 or there are others as well with more complex encryption.

If you absolutely need to have the login script displayed in parts on each page, then as NogDog mentioned you could include a template file in each page, with arguments, like:

include 'http://mysite.com/file.php?arg1=1&arg2=2';

Then parse the arguments within the 'file.php' file.

See here Example #3

Always remember to strip out potentially dangerous data from inputs ($_POST and $_GET). Use the mysql_real_escape_string() function to do so.

---
Look up a hash value, convert timestamps or convert numeral bases.
devut.com