[thelist] Md5 hashing

[Simon Willison]

Guy Bowden wrote:
> What I'm thinking is that if I send the user an MD5 hash of their email
> address for example - is that sufficient security wise (obviously the client
> doesn't want anyone to cheat).
> 
> Is it the case that unless the user knows what I've hashed and how I've
> hashed it I'm secure? (dissregarding any server security issues).

If the user guesses, you're in trouble. However, there is a simple 
technique for creating secure hashes of this type. Have a "secret key" 
which only the server knows. Then do this:

$secret_key = 'asdo23ulask';
$user_email = 'user at example.com';

$thing_to_send_to_user = md5($secret_key.$user_email);

When the user hits your site with the thing they were sent and their 
email address, glue the email address and the secret key together again, 
MD5 the result and check it against the data from the user. There is no 
way for the user to generate their own keys without knowing your secret.

All that said, in your case I don't see why you need to hash anything. 
When the user does whatever task you have asked them to do, generate a 
completely random string and send it to them, then store a copy of it in 
the database (along with their email address and any other pertinant 
details). When they "use" their voucher, remove it from the database. No 
need to hash anything, you just rely on the security of your database 
and the random-ness of the algorithm you used to generate their voucher.

-- 
Simon Willison
Web development weblog: http://simon.incutio.com/