PHP MD5 with appended salt

Arran Cudbard-Bell a.cudbardb at
Wed Mar 6 19:42:49 CET 2013

> At the moment I am testing with PAP. 

Ok. Because it will only ever work with PAP.

> What do you mean with 'the md5 xlat'. 

xlat are placeholders in strings, usually used for substituting attribute values, for example:

update reply {
	Reply-Message := "Hello %{User-Name}"

The %{User-Name} is an xlat expansion.

The xlat expansion "%{md5:<text>}" expands to an md5 hash of <text>. So you have something like:

if ("%{md5:%{User-Password}:%{Salt}}" == %{<database password>}) {
	update control {
		Auth-Type := 'Access-Accept'

There's also an %{sql:<text>} xlat, which executes the <text> portion as a query and expands to the first column of the first row in the result set.

In the above condition you could use the sql xlat in place of %{Salt} and %{<database password>} to retrieve the bits of info you need to authenticate the user, though it's a little inefficient as you have to query twice.

There are ways to work around the limitations of sql xlat, for example you can CONCAT the values of two columns and then break them apart with a regex and capture groups. See man unlang.


More information about the Freeradius-Users mailing list