md5 question

Posted: Tue Feb 14, 2006 12:20 pm
by a94060
I found this bit of code in a post

PHP:

Code:

<?php 

$unique_id = md5(uniqid(rand(),1)); 

$token_result = mysql_query("SELECT id FROM table WHERE id='$unique_id'",$db); 

while($num_rows = mysql_num_rows($token_result)){ 
                         
    $unique_id = md5(uniqid(rand(),1));     
                         
}

Where the md5 hashing happens, does the md5 always return the same for a specific word?

I'm asking because it looks like this script looks for the $unique_id in the id column.
Does this make sense, what I'm asking?

Posted: Tue Feb 14, 2006 12:26 pm
by shiznatix
The md5() is done right when it is called. That snippet you posted does basically nothing, just generates a new hash of a uniqid() for however many times it's found in the db. Yes, md5() will always return the same hash for whatever you run md5 on. Like:

Code:

//these 2 give the exact same output
echo md5('vanilla');
echo md5('vanilla');

//this is a different output
echo md5('ninja');

Re: md5 question

Posted: Tue Feb 14, 2006 12:32 pm
by a94060
a94060 wrote: I found this bit of code in a post

PHP:

Code:

<?php 

$unique_id = md5(uniqid(rand(),1)); 

$token_result = mysql_query("SELECT id FROM table WHERE id='$unique_id'",$db);

Where the md5 hashing happens, does the md5 always return the same for a specific word?

I'm asking because it looks like this script looks for the $unique_id in the id column.
Does this make sense, what I'm asking?

So say I put the entry "foo" into the db and it puts a unique_id of XXX. The next time I'm trying to find it, will the md5(uniqid(rand())) give me the id XXX?

Since the rand() is implemented, won't it be a different number, with the chances being 1 in >infinity?

Posted: Tue Feb 14, 2006 12:45 pm
by RobertGonzalez
The PHP Manual - uniqid wrote: uniqid() returns a prefixed unique identifier based on the current time in microseconds. prefix is optional but can be useful, for instance, if you generate identifiers simultaneously on several hosts that might happen to generate the identifier at the same microsecond. Up until PHP 4.3.1, prefix could only be a maximum of 114 characters long.

If you use md5(uniqid(rand(),1)) you will get a different result every time. This series of functions can generally be used to generate a session id if you are using your own session development script instead of using PHP's session vars. However, every time you call that function setup you are going to get a different result.

To answer your question on 'foo'. If you take 'foo' and run it through md5() you will get 'acbd18db4cc2f85cedef654fccc4a4d8' every time you run it.

Posted: Tue Feb 14, 2006 3:12 pm
by a94060
So, I should just use that? I'll just use

Code:

md5($_POST['hash_this'])

That's all I'll use to encrypt it. It will help relatively, right?

Posted: Tue Feb 14, 2006 3:42 pm
by LiveFree
For me and the Dev team of PHPNuke Evolution...

We use md5(md5($input))

Posted: Tue Feb 14, 2006 3:46 pm
by feyd
Tucker wrote: We use md5(md5($input))
I do hope you're joking Tucker. A doubling of any hashing (including mixed) results in less entropy. Less entropy equals less secure.

All I'd have to do to break the security is figure out a VERY uniform expression.

Posted: Tue Feb 14, 2006 6:25 pm
by RobertGonzalez
Like Feyd said, stay away from md5(md5('somestring')). You can use md5 to hash a value, but don't consider it encryption. There has been considerable discussion on encryption techniques, hashing mechanisms and security. You should search these forums for encryption, md5, sha1 and sha256. All these functions offer a data hash more so than encryption.

The typical use for these mechanisms is hashing a value to match against a hash value in the database. But before you get too far into this, you should really look into the various techniques used to hash data.
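
The hash-and-match pattern described in the post above, as an added example that is not part of the original thread: it stores two accounts with the same password and compares what an unsalted md5() and PHP's password_hash() keep for them. It assumes the value being hashed is a password and PHP 7 or later; the $users array stands in for a database table, and md5_store(), register() and login() are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+; the in-memory
// $users array stands in for a database table and all inputs are constructed.

// Unsalted md5 is deterministic: the stored value depends only on the input,
// so identical passwords produce identical rows.
function md5_store(string $input): string
{
    return md5($input);
}

// password_hash() generates a random salt on every call and embeds it,
// together with the algorithm and cost, in the string it returns.
function register(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Matching against the stored value goes through password_verify(), which
// re-derives the hash from the salt and parameters kept inside that value.
function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Re-hash on successful login when PHP's default algorithm or cost changes.
    if (password_needs_rehash($users[$name], PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = [];
register($users, 'alice', 'foo');   // constructed sample accounts,
register($users, 'bob', 'foo');     // both using the password 'foo'

// md5 of 'foo' against the digest quoted earlier in the thread
var_dump(md5_store('foo') === 'acbd18db4cc2f85cedef654fccc4a4d8');
// md5 of the same password for two different users
var_dump(md5_store('foo') === md5_store('foo'));
// password_hash() output for the same password, two different users
var_dump($users['alice'] === $users['bob']);
// login with the registered password, then with a different one
var_dump(login($users, 'alice', 'foo'));
var_dump(login($users, 'alice', 'bar'));
```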

Posted: Tue Feb 14, 2006 7:28 pm
by feyd
and remember SHA256 > SHA1 > MD5 :)