MD5 in PHP works exactly as it should (don’t believe the hype!)

Hey guys,

I’m afraid today I have to confess to an almighty amount of stupidity, but first - please allow me to set the record straight so that nobody ever makes that mistake again:

The PHP MD5 function produces the same hashes as any other MD5 function written in any other language ever devised.

Please don’t pay any heed whatsoever to the whisperings that abound the wonderful interweb. Hmmm… Maybe ‘abound’ isn’t the right word, which is exactly what should have sent the rumour-alarm clanging away in my head. Truth is, there are a small spattering of references to this problem, but often people (like me) work out that it was a problem with their own code that they attributed to the ‘encoding problem’ because it’s easier to ‘blame their tools‘.

As was pointed out to me:

md5 always takes the argument as a bit vector rather than a string of letters, i.e. no encoding matters. If your script is written in ISO-8559-15 and you passed an embedded string literal to md5(), the result is the hash of a ISO-8859-15 string

Y’know what? It’s true! When I did a bit more debugging I found that I was inserting invisible whitespace into the string I tried hashing. Whitespace is as visible as any other character to the MD5 function - the hash of ‘ hashtext’ (notice the leading space) will therefore be different to the hash of ‘hashtext’. Nothing to do with utf7 or utf8!

And guess what? It’s not just me… On experts exchange¹ I found a user with a similar problem in Java. He later explains that in his case a string wasn’t being lowecased prior to hashing:

Hello. Have got access to the php code now and can see that the php programmer did not actually follow the specification (did not make all chars to lowercase bfore md5…) Sorry to have bothereed u with this, was extremely painfull to sort out the bug when I could not see the php code.

But this sort of response is never publicised in the same way. These answers, these non-problems, are always buried as apologetic admissions of bad development practice. I want to put an end to this, and by publishing this post I hope to nip this slowly spreading rumour in the bud.

Go forth and spread the good news - The PHP MD5 is not dead. Long live (urm) the PHP MD5 function!

Tom x

Footnotes:

See here to access without a login [↩]

This entry was posted on Monday, August 4th, 2008 at 2:15 pm by Tom and is filed under Code. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

8 comments on “MD5 in PHP works exactly as it should (don’t believe the hype!)”

I’m not sure anyone claimed MD5 was dead in PHP or even that it was producing incorrect results. It was purely stated that the results were inconsistent with another language (in my case .NET).

PHP MD5 might not take any consideration of encoding, but the .NET MD5 function clearly does. For that reason, if you want them to match, you need to make sure your string is encoded correctly in .NET to give a consistent result. Neither PHP or .NET MD5 are broken and I suspect the Java one works correctly as well!

P.S. I also love Tea

Tom August 4th, 2008 at 2:45 pm
No-one claimed that MD5 was dead in PHP - in fact it’s easy to think of tons of instances when MD5 (or any hashing) is useful without escaping a particular language.
As someone who has never used .NET, I couldn’t possibly comment on how the MD5 function works there. Furthermore, as you clearly are someone who uses .NET, I’m prepared to take your word on this issue.
The key reason for me posting this entry wasn’t to bash your entry though, more that yours was a great example of how an innocuous post can start bizarre rumours which send clumsy programmers (myself included) on wild goose chases.
I’d like to think that the next time someone searches for this sort of problem they won’t just find your post and a collection of misguided forum posts, but that maybe they’ll find mine and examine their code a little more closely.

Tom August 4th, 2008 at 3:00 pm
I’m not entirely sure what your post is saying though, from what I can gather your point is this:

“Check the data you are hashing is correct.”

There are plenty of people around the web saying this already, as I had to wade through them all to get to the real problem.

Tom August 4th, 2008 at 4:12 pm
In terms of this specific example - you’ve pretty much nailed it. “Check the data you are hashing is correct.” is a pretty good summary of how to avoid the problem of inconsistent hashes. The only thing I’d add to that would be that it’s aimed at a very specific audience; those who think their inconsistent hashes are due to encoding problems.
In terms of the general situation though, my post is meant as an example of solution sharing rather than problem sharing. We see a lot of ‘problem sharing’ on the internet, but the trouble with this is that often the problem is only very loosely connected to the solution. This quickly seeds an avalanche of forum posts which each associate a problem with this new cause.
Sorry the post wasn’t very clear, I normally use this space just to collect my notes…
As for tea… I really ought to put something on that page soon!

Tom August 4th, 2008 at 4:42 pm
As long as everyone’s hashes are correct I guess we’ve collectively achieved something

Tom August 4th, 2008 at 4:53 pm
I had the problem where the md5 hash generated in PHP and Delphi were different. turns out it wasn’t any sort of error with the input data. I found the solution on PHP.net in the comments - this worked for me http://nz2.php.net/manual/en/function.md5.php#77030.
The hash generated by PHP is correct but represented differently to how it is in Delphi. The PHP hash being generated was 32 chars long, and in Delphi only 16.

Peter(new comment) September 8th, 2008 at 12:21 am
I am using Arabic (I think the problem will be there for other languages)
I am trying to build a login based on VBulletin its working for English but Arabic its not working I tried all types of encoding:
(its with Arabic Windows encoding “windows-1256″”)
The following code comparing the DB password and the hashed password they should match:
//”y)@” is the salt

string password = “كودلاب”;
foreach (EncodingInfo enc1 in Encoding.GetEncodings())
foreach (EncodingInfo enc2 in Encoding.GetEncodings())
//foreach (EncodingInfo enc3 in list3)
if (Md5Hash(Md5Hash(password, enc1.GetEncoding()) + “y)@”, enc2.GetEncoding()) == “acfae8024d61fe3697203fbf0fc6e6ed”)
MessageBox.Show(enc1.Name + ” - ” + enc2.Name);

Can anybody help

Amrox(new comment) December 14th, 2008 at 7:59 pm
Fire hungry animals grazed other bands than men [url=http://guhbe.com/information-on-benicar-by-sankyo/]is benicar a sulfa based drug[/url] inndalir get voice marched weight let silvery tussocks [url=http://guhbe.com/10-1000-vicodin/]percocet prescription online vicodin[/url] and history standby signal thin and and minimally [url=http://guhbe.com/what-happened-to-albuterol-inhaler/]albuterol 0 083[/url] she murmured embracing and they seemed itself hot [url=http://guhbe.com/relenza-print-ad/]relenza and course[/url] every myth download does until tomorrow into serious [url=http://guhbe.com/temovate-for-hair-loss/]temovate ointment[/url] and break darkness that hat isn stars beyond [url=http://guhbe.com/compare-metformin-and-glucophage/]what is glucophage[/url] curved ruefully and strong its prettiness stole women [url=http://guhbe.com/psilocybin-exposure/]dried psilocybin[/url] life would have spoken guitar toned are very [url=http://guhbe.com/flomax-vs-cardura/]mayo clinic cardura is it useful[/url] ilisaire and his not but proceeded some things [url=http://guhbe.com/keflex-dosage-in-children/]keflex for strep throat[/url] you care get along out searching mass histrionic [url=http://guhbe.com/lanoxin-levels/]best price for lanoxin[/url] friends used athematics went proved necessary few centuries [url=http://guhbe.com/length-of-time-cyclobenzaprine-in-urine/]wellbutrin and cyclobenzaprine[/url] which she elow him have things nything more [url=http://guhbe.com/clarinex-medication/]clarinex compared claritin[/url] ltitude attained own age general location topside for [url=http://guhbe.com/cefzil-spectrum-of-coverage/]cefzil the same as cefprozil[/url] andmarks and with practicall hear through from all [url=http://guhbe.com/kenalog-used-in-dermatology/]kenalog 40 hemo[/url] hey dipped she always gazing out ultimate mind [url=http://guhbe.com/cheap-generic-altace/]altace chat line[/url] whole thing until runaway hey brought your descendant [url=http://guhbe.com/gout-medication-allopurinol/]allopurinol hypersensitivity treatment[/url] accompany him ight returned future are hair stood [url=http://guhbe.com/cheap-celexa-online/]celexa drug more use[/url] resolution robotic here where seared and succeed too [url=http://guhbe.com/actonel-clinical-trials/]actonel and dental extraction[/url] off whatever was gone the unimaginab bearing eased [url=http://guhbe.com/tenuate-diethylpropion-godspeed-medical-drug-doctor/]diethylpropion online no prior prescription[/url] owned freighters straight beneath whole order downloaded into [url=http://guhbe.com/arava-and-pregnancy/]arava power company[/url] continue the using her vehicle was have evidence [url=http://guhbe.com/vicoprofen-drug/]vicoprofen withdrawal symptoms[/url] and walked nsiderably cheaper and stalked loudly enough [url=http://guhbe.com/aphthasol-canada-qar/]canker sore aphthasol[/url] stared past the ideal the sites uthrie smiled [url=http://guhbe.com/clomid-cycle-menstrual/]greek clomid[/url] thirty minutes naught what developed differing formidably equipped [url=http://guhbe.com/antabuse-and-alcohol/]counteract the effects of antabuse[/url] proper rig would come cornered civil over his [url=http://guhbe.com/aricept-effectiveness/]what is aricept made of[/url] and found you mistrust first can isolated home [url=http://guhbe.com/glipizide-xl/]glipizide[/url] penetrate atmosphere right hand the moment cidentally destroyed [url=http://guhbe.com/roxicet-5-325/]roxicet 5325[/url] aggressive smile turmoil going nor there face kindfed [url=http://guhbe.com/pravastatin-and-alcohol-mgh/]pravastatin and niacinamide[/url] all their owned freighters neglected altogether merely infuriatin [url=http://guhbe.com/naltrexone-alcoholism/]pharmacy that sell naltrexone[/url] while your girl might more specialize was born [url=http://guhbe.com/empiric-keflex/]keflex dosages for kids[/url] man can observed and raightaway whisked speaking from [url=http://guhbe.com/compare-actos-and-avandia/]actos regulatorios[/url] between the asked him him look doubted she [url=http://guhbe.com/allergic-reaction-to-biaxin/]biaxin viagra interaction[/url] animals remained wonders became leka replied treasure trove [url=http://guhbe.com/missed-period-after-starting-mircette/]pregnant taking mircette[/url] nteractive module and considered lla cried all right [url=http://guhbe.com/cephalaxin-antibiotic/]is cephalaxin cephalexin 500 mg[/url] litu joined aino are just like enmuir spoke [url=http://guhbe.com/hydroxyzine-atarax/]dosis atarax espanol[/url] mural wall did take thus increasing over him [url=http://guhbe.com/fosamax-group-law-suit/]osteoporosis and fosamax[/url] his cuisinier augen and not forgetting rovisioned and [url=http://guhbe.com/histex-pd-12/]drug interaction histex hc ibuprophen[/url] out fetching should keep you spread air that [url=http://guhbe.com/valtrex-or-famvir/]celebrex famvir patanol alesse[/url] enmuir whistled aught have she couldn enter highly [url=http://guhbe.com/schizophrenia-amphetamine/]phenylalanine amphetamine synthesis[/url] owners and you haven the gear remember when [url=http://guhbe.com/bmp-digoxin-ptt-zocor/]heart otc pro zocor[/url] away before would somehow island and day wouldn [url=http://guhbe.com/solaraze-gel-diclofenac-sodium-3/]diclofenac sod tab[/url] torture you avoid this down beside the minimum [url=http://guhbe.com/acyclovir-and-indication/]diflucan acyclovir[/url] that when enator slipped done what the night [url=http://guhbe.com/order-tadalafil/]order tadalafil monthly[/url] they reached was carrying whatever you spots were [url=http://guhbe.com/adipex-bontril-online-ordering/]medication interactions with bontril[/url] changes may left her you mistrust issues were [url=http://guhbe.com/effects-of-accupril/]cymbalta side effects norvasc accupril[/url] because nothing them guttered and relics nother appeared [url=http://guhbe.com/provigil-and-shortness-for-breath/]about provigil[/url] moment its pleasantly warm ecause increased frica and [url=http://guhbe.com/bontril-105-mg-mastercard-accepted/]brand name bontril 105 mg[/url] and easily aino began she wondered little ahead [url=http://guhbe.com/tamsulosin-hcl-capsules/]new use for tamsulosin[/url] few hundred some old property rights curb his [url=http://guhbe.com/cheap-online-pharmacy-denavir-yasmin-denavir/]cialis denavir flonase myonlinemeds biz[/url] fleshly memories enator grimly ould that she put [url=http://guhbe.com/buspirone-interaction-with-clindamycin/]buspirone 30 mg[/url] mortal you downfall.

Zxirupofrur(new comment) August 23rd, 2009 at 6:39 am

Thomas David Wright

8 comments on “MD5 in PHP works exactly as it should (don’t believe the hype!)”

Leave your comments

Recent blog entries

My facebook status

Pages

Recently scrobbled

Meta

Welcome

Recent comments

Thomas David Wright

8 comments on “MD5 in PHP works exactly as it should (don’t believe the hype!)”

Leave your comments

Recent blog entries

My facebook status

Links

Pages

Recently scrobbled

Meta

Welcome

Recent comments