 |
|
 |
 |
One of the many ways of hashing data using PHP is a function called md5(). md5()
converts a string of text into a 32-character hash, using a secret algorithm,
thus protecting the original source information. md5() hashed strings cannot be
dehashed either, which presents us with the novel problem of working out if two
md5-hashed strings are equal. The answer is actually quite simple. Take a login
system - instead of dehashing the string and comparing it to a regular password,
you take the hashed string and compare it to a string that has already been
hashed! Sounds simple doesn't it?
A Simple MD5-Hashing Script
So, let’s write ourselves a little test script:
<?php
$string = “string to be encrypted”;
$encstring = md5($string);
echo $encstring;
?> |
This will produce a 32-character jumble of letters and numbers, which will not
resemble the original input string in the slightest. In this case, the output
would be "fc8de8ee2c43a9ae2f9023f205d960d6".
To use md5, simple enclose the string in md5( x ); by replacing the x
demonstrated with your string name variable. E.g. md5($stringname);. Yes, it’s
that simple!
You can use this method to protect admin areas and member only pages, but it has
limited reliability, so I do not recommend using this function to protect
administration areas for big businesses or important websites. It is, however,
more than sufficient for small businesses and for personal use.
The md5 hashing algorithm is a non-reversible hash, although recently there has
been much activity in building scripts that have this functionality. There are
numerous accomplishments from people who have achieved this so far, although the
de-hashing of an md5 hash takes an incredibly powerful computer and a lot of
time (I ran a PHP script to do a 5 character password hashed into an md5 hash
and it crashed my PC).
A Log-in Password Verifier (using MD5)
Let’s write a quick login script to demonstrate my point. Assume in the
example below that you have a form, which uses POST and points to login.php,
with a field called username and a password field called password.
<?php
// login.php written by Robbie Averill for BioRUST
$username = $_POST['username'];
$password = $_POST['password'];
$encpassword = md5($password);
$checkpw = "fc8de8ee2c43a9ae2f9023f205d960d6";
if($encpassword === $checkpw){
echo 'User logged in successfully! Welcome '.$username.'!';
} else {
echo 'Password was wrong!';
}
?> |
In this instance, the hashed value checks whether the posted password is equal
(in this case the password would be “string to be hashed”). I hope this basic
tutorial on md5() hashing has helped you! Good luck!
For more information on the md5() function visit the following link:
http://www.php.net/md5
For a more indepth look at hashing algorithms and procedures with PHP, check out
the section of my Text & Number Functions tutorial on
Mhash Library.
- Tutorial written by Scrowler
| |  | |  | | Last 5 User Comments | | |
|
|
This tutorial has now been updated as per Scrowler's request to include clarified definitions and extra links/paragraphs. Enjoy! :) |
Reply to this post |
|
|
the tutorial was written a while ago, since then i have become aware of these errors namely in that md5 is a hashing algorithm. this may be updated in the future, although the term "encryption" is more user friendly than "hashing" to the beginner - at which it was targetted. |
Reply to this post |
User: U'ziel (#18496)
Date: Mon Sep 19, 2005. 16:38:30 | Post #2 of 4 |
|
Quote from lilygrace:
kuddos to this tutorial... it works for my project. Thanks for this tutorial |
MD5 is a hashing algorithm not an encryption method this tutorial is titled incorrectly ;P
There is no way to to reverse the MD5 process in PHP but your site may still not be as secure as you would think. Even though a cracker or someone trying to gain access to your site would not be able to read the passwords stored in your db in plain text he/she could write a simple program to 'brute force' your MD5 hashed passwords.
Say the cracker had a word list of 70,000 words, he/she would be able to write a loop to go through each word/number combo, transfer them into MD5, if one of the combos matched what was in your database he/she would be able to gain access.
To counter this you add 'salt' to your MD5 passwords before using the md5 function on them, the randomer the better. I hit keys like... kjakas73672 would be my salt, then when they came to log in, i would md5 what they had typed in the password box with the salt and if it matched what was in the database... great! This makes brute forcing almost imposible & your passwords even more secure! |
Reply to this post |
|
|
kuddos to this tutorial... it works for my project. Thanks for this tutorial |
Reply to this post |
--- View Entire Thread --- |
|
|
|
|
|
|
Forum Threads
|
|
|
 Deactivate Account
Author: jerinian
Posted: Oct 02nd, 11:16am
Activity: 1 replies, 884 views
|  |  changes....
Author: supertackyman
Posted: Sep 12th, 2:56am
Activity: 2 replies, 1048 views
| |
| | |
