
Same password but different md5 hash

When I pass the clear password to check the login of the user and apply an md5() on the string, the md5 hash is equal to the md5 hash stored in the MySQL database (login succeeds).

But I don't want to transfer the user password in clear inside my POST function, so I decided to use cryptoJS to only send the key and then decrypt the password on the PHP server side.

The problem is, when I'm using the decrypted password, the md5 is different. This is weird because the clear password string is the same as the decrypted password, and the md5 hash is different.

By doing:

 var_dump($clearPassword); //Hello.
 var_dump($decryptedPassword); //Hello.

But:

 var_dump(md5($clearPassword)); //3ea484671d7b00a1df4734ded1aa379c1.
 var_dump(md5($decryptedPassword)); //470a1ad08cbdebe075214591ea20fec9.

As you can see, it's exactly the same string but the md5 hash is different. I've noticed that var_dump() gives as output:

 string(16) for the $clearPassword;
 string(32) for the $decryptedPassword;

I tried to change the string encoding but had no luck. Can anyone explain to me why md5() behaves like that with these same password strings? Thanks again.

The decrypted password IS NOT the same as the original. Check the length of the two strings, check the encoding, do a byte-to-byte comparison. "Hello\0" and "Hello \0" seem identical but they are not. Even "Hello\0" and "Hello\0\0\0" are not the same. Maybe the decryption algorithm gives a string length of 32 bytes.
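
The byte-to-byte comparison suggested above, as an added PHP example that is not part of the original thread. The sample password, the 16 trailing NUL bytes and the helper name `diffBytes()` are constructed assumptions, chosen to reproduce the string(16) versus string(32) symptom from the question.

```php
<?php
// Added example: byte-level diagnosis of two strings that print the same.
// Sample values are constructed; NUL padding is an assumed cause, not a confirmed one.

/** Describe how $b differs from $a at the byte level (hypothetical helper). */
function diffBytes(string $a, string $b): array
{
    $lenA   = strlen($a);            // strlen() counts bytes, not visible characters
    $lenB   = strlen($b);
    $common = min($lenA, $lenB);

    // First offset where the bytes differ inside the shared prefix, if any.
    $firstDiff = null;
    for ($i = 0; $i < $common; $i++) {
        if ($a[$i] !== $b[$i]) {
            $firstDiff = $i;
            break;
        }
    }
    // No difference in the prefix but unequal lengths: the tail is the difference.
    if ($firstDiff === null && $lenA !== $lenB) {
        $firstDiff = $common;
    }

    return [
        'len_a'      => $lenA,
        'len_b'      => $lenB,
        'identical'  => $a === $b,
        'first_diff' => $firstDiff,
        'hex_a'      => bin2hex($a),
        'hex_b'      => bin2hex($b),
        // Bytes that exist only in the longer string, as hex.
        'extra_hex'  => bin2hex(substr($lenA >= $lenB ? $a : $b, $common)),
    ];
}

$clearPassword     = 'CorrectHorse#16!';                    // constructed, 16 bytes
$decryptedPassword = $clearPassword . str_repeat("\0", 16); // constructed, 32 bytes

// The hex dump exposes trailing bytes that var_dump() output hides on screen.
print_r(diffBytes($clearPassword, $decryptedPassword));

// md5() hashes every byte, padding included, so the digests do not match.
var_dump(hash_equals(md5($clearPassword), md5($decryptedPassword)));

// Only after the dump shows the extra bytes are NUL padding: strip exactly those.
$stripped = rtrim($decryptedPassword, "\0");
var_dump(hash_equals(md5($clearPassword), md5($stripped)));
```

If `extra_hex` shows something other than `00` bytes, the padding scheme or encoding on the decryption side differs from this assumption and `rtrim()` with `"\0"` is not the right fix.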

I would probably do as @fpierrat said: just encrypt on the client side and compare the md5 hashes directly on the PHP server.
