Recipe 18.9. Verifying Data with Hashes

18.9.1. Problem

You want to make sure users don't alter data you've sent them in a cookie or form element.

18.9.2. Solution

Along with the data, send an MD5 hash of the data that uses a salt. When you receive the data back, compute the MD5 hash of the received value with the same salt. If they don't match, the user has altered the data.

Here's how to generate an MD5 hash in a hidden form field:

<?php /* Define a salt. */ define('SALT', 'flyingturtle'); $id = 1337; $idcheck = md5(SALT . $id); ?> <input type="hidden" name="id" value="<?php echo $id; ?>" /> <input type="hidden" name="idcheck" value="<?php echo $idcheck; ?>" /> 

Here's how to verify the hidden form field data when it's submitted:

<?php /* Initialize an array for filtered data. */ $clean = array(); /* Define a salt. */ define('SALT', 'flyingturtle'); if (md5(SALT . $_POST['id']) == $_POST['idcheck']) {     $clean['id'] = $_POST['id']; } else {     /* Error */ } ?> 

18.9.3. Discussion

When processing the submitted form data, compute the MD5 hash of the submitted value of $_POST['id'] with the same salt. If it matches $_POST['idcheck'], the value of $_POST['id'] has not been altered by the user. If the values don't match, you know that the value of $_POST['id'] you received is not the same as the one you sent.

To use an MD5 hash with a cookie, add it to the cookie value with implode( ):

<?php /* Define a salt. */ define('SALT', 'flyingturtle'); $name = 'Ellen'; $namecheck = md5(SALT . $name); setcookie('name', implode('|',array($name, $namecheck))); ?> 

Parse the hash from the cookie value with explode( ):

<?php /* Define a salt. */ define('SALT', 'flyingturtle'); list($cookie_value, $cookie_check) = explode('|', $_COOKIE['name'], 2); if (md5(SALT . $cookie_value) == $cookie_hash) {     $clean['name'] = $cookie_value; } else {     /* Error */ } ?> 

Using a data verification hash in a form or cookie obviously depends on the salt used in hash computation. If a malicious user discovers your salt, the hash offers no protection. Besides guarding the salt zealously, changing it frequently is a good idea. For an additional layer of protection, use different salts, choosing the specific salt to use in the hash based on some property of the $id value (10 different words selected by $id%10, for example). That way, the damage is slightly mitigated if one of the words is compromised.

If you have the mhash module installed, you're not limited to MD5 hashes. mhash supports a number of different hash algorithms. For more information about mhash, see the mhash material in the online PHP manual or the mhash home page at

18.9.4. See Also

Recipe 20.9 for an example of using hashes with hidden form variables; documentation on md5( ) at and the mhash extension at

PHP Cookbook, 2nd Edition
PHP Cookbook: Solutions and Examples for PHP Programmers
ISBN: 0596101015
EAN: 2147483647
Year: 2006
Pages: 445

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: