Checksumming Strings

Using crypt() with strings is similar to creating a checksum of something: It can be easily determined whether a string matches the checksum; however, it is not (easily) possible to re-create the original string from the checksum.


Checking Logins Using SHA1 and MD5 Hashes

  <?php
  // Read the password from the query string; default to an empty string
  $pass = (isset($_GET['pass'])) ? $_GET['pass'] : '';
  // Stored hashes of the correct password
  $md5pass = '6958b43cb096e036f872d65d6a4dc01b';
  $sha1pass = '61c2feed11e0e53eb8e295ab8da78150be12f301';
  if (sha1($pass) === $sha1pass) {
    echo 'Login successful.';
  } else {
    echo 'Login failed.';
  }
  // Alternatively, using MD5:
  //  if (md5($pass) === $md5pass) {
  //    echo 'Login successful.';
  //  } else {
  //    echo 'Login failed.';
  //  }
  ?>

Two algorithms whose purpose is exactly this kind of checksumming are Secure Hash Algorithm 1 (SHA1) and Message Digest Algorithm 5 (MD5). They create such a checksum, or hash. The main difference between these two algorithms and the one used in DES/crypt() is that the SHA1 or MD5 checksum of a string is always the same, so it is very easy to verify data. As the figure shows, even the PHP distributions have an MD5 checksum listed on the website to validate the downloads.

The PHP downloads page shows MD5 hashes of the PHP distributions.

Again, the goal is to validate a password the user provides using GET. The correct password is, once again, 'TopSecret' with the following hashes:

  • 6958b43cb096e036f872d65d6a4dc01b is the MD5 hash

  • 61c2feed11e0e53eb8e295ab8da78150be12f301 is the SHA1 hash
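Because the SHA1 or MD5 hash of a password is always the same, identical passwords produce identical stored values that can be looked up in precomputed tables. The following added example (not part of the original text) contrasts the listing's check with PHP's salted password_hash() and password_verify(), and upgrades a legacy hash at login. The function names legacy_check() and check_login() and the upgrade flow are assumptions made for illustration.

```php
<?php
// Added example; legacy_check() and check_login() are hypothetical names.
// The SHA1 hash of 'TopSecret' is the value given on the page.
const LEGACY_SHA1 = '61c2feed11e0e53eb8e295ab8da78150be12f301';

// The page's SHA1 check, using hash_equals() so the comparison takes the
// same time wherever the first mismatching character is.
function legacy_check(string $candidate): bool
{
    return hash_equals(LEGACY_SHA1, sha1($candidate));
}

// Verify a login. $stored is a password_hash() value, or null for an
// account that still has only the legacy SHA1 hash. On success, 'newHash'
// holds a value the caller should persist (null when nothing changes).
function check_login(string $candidate, ?string $stored): array
{
    if ($stored === null) {
        $ok = legacy_check($candidate);
        $new = $ok ? password_hash($candidate, PASSWORD_DEFAULT) : null;
        return ['ok' => $ok, 'newHash' => $new];
    }
    $ok = password_verify($candidate, $stored);
    $new = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? password_hash($candidate, PASSWORD_DEFAULT)
        : null;
    return ['ok' => $ok, 'newHash' => $new];
}

// Unsalted digest: every account with this password stores the same value.
var_dump(sha1('TopSecret') === sha1('TopSecret'));

// Salted hash: each call embeds a fresh random salt, so stored values
// differ, yet password_verify() accepts the password against either one.
$h1 = password_hash('TopSecret', PASSWORD_DEFAULT);
$h2 = password_hash('TopSecret', PASSWORD_DEFAULT);
var_dump($h1 === $h2, password_verify('TopSecret', $h1), password_verify('TopSecret', $h2));

// Constructed login sequence: the first login upgrades the legacy account,
// later logins verify against the upgraded hash.
$first = check_login('TopSecret', null);
var_dump($first['ok'], is_string($first['newHash']));
$later = check_login('TopSecret', $first['newHash']);
var_dump($later['ok'], check_login('topsecret', $first['newHash'])['ok']);
```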

When calculating the MD5 or SHA1 hash of a file, no call to file_get_contents() or other file functions is required; PHP offers two functions that calculate the hashes of a file (and take care of opening and reading in the file data):

  • md5_file()

  • sha1_file()