[thelist] Md5 hashing
Simon Willison
cs1spw at bath.ac.uk
Mon Nov 24 15:07:15 CST 2003
Guy Bowden wrote:
> What I'm thinking is that if I send the user an MD5 hash of their email
> address for example - is that sufficient security wise (obviously the client
> doesn't want anyone to cheat).
>
> Is it the case that unless the user knows what I've hashed and how I've
> hashed it I'm secure? (dissregarding any server security issues).
If the user guesses, you're in trouble. However, there is a simple
technique for creating secure hashes of this type. Have a "secret key"
which only the server knows. Then do this:
$secret_key = 'asdo23ulask';
$user_email = 'user at example.com';
$thing_to_send_to_user = md5($secret_key.$user_email);
When the user hits your site with the thing they were sent and their
email address, glue the email address and the secret key together again,
MD5 the result and check it against the data from the user. There is no
way for the user to generate their own keys without knowing your secret.
All that said, in your case I don't see why you need to hash anything.
When the user does whatever task you have asked them to do, generate a
completely random string and send it to them, then store a copy of it in
the database (along with their email address and any other pertinant
details). When they "use" their voucher, remove it from the database. No
need to hash anything, you just rely on the security of your database
and the random-ness of the algorithm you used to generate their voucher.
--
Simon Willison
Web development weblog: http://simon.incutio.com/
More information about the thelist
mailing list