Disable md5 now - or you will die

Feb 19, 2009 php security

I remember hearing a while ago about a few theoretical collisions in the MD5 algorithm, but I thought nothing of them. Now more information is emerging: Microsoft is issuing advisories, people are demonstrating more and more collisions with example code, and MD5 is even out of Vista. I figure it's time to remind everyone not to use MD5.

What should I do?

First of all, let's use sha1 instead. It is just as easy a function to use, but much more secure.

echo sha1('test');

Output:

a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

Next, disable it in php using disable_functions in your configuration:

php.ini

disable_functions = md5

Finally, don’t accidentally use it in your db ;)
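Before adding md5 to disable_functions, it helps to know where it is still used. The script below is an added example, not code from the original post: it uses PHP's tokenizer to list md5() calls in PHP source and MD5( inside string literals, such as SQL sent to the database. The function name find_md5_uses and the sample source are constructed for illustration.

```php
<?php
// Added example (not from the original post): list md5 use in PHP source
// so call sites can be migrated before md5 goes into disable_functions.

/** Return [line, kind, text] for each md5() call and each MD5( inside a string literal. */
function find_md5_uses(string $source): array
{
    $hits = [];
    $tokens = token_get_all($source);
    $prev = null; // previous significant token (token name, or the character itself)
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) { $prev = $tok; continue; } // single character such as "("
        [$id, $text, $line] = $tok;
        $name = token_name($id);
        if (in_array($name, ['T_WHITESPACE', 'T_COMMENT', 'T_DOC_COMMENT'], true)) { continue; }

        // PHP call: a bare or fully qualified name "md5" followed by "(".
        $isName = in_array($name, ['T_STRING', 'T_NAME_FULLY_QUALIFIED'], true);
        if ($isName && strtolower(ltrim($text, '\\')) === 'md5') {
            $j = $i + 1;
            while (isset($tokens[$j]) && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) { $j++; }
            $isCall = isset($tokens[$j]) && $tokens[$j] === '(';
            // Skip methods and definitions: ->md5(), ::md5(), function md5()
            $own = in_array($prev, ['T_OBJECT_OPERATOR', 'T_NULLSAFE_OBJECT_OPERATOR',
                                    'T_DOUBLE_COLON', 'T_FUNCTION'], true);
            if ($isCall && !$own) { $hits[] = [$line, 'php call', $text . '(']; }
        }
        // SQL: MD5( inside a string literal, e.g. a query sent to the database.
        $isString = in_array($name, ['T_CONSTANT_ENCAPSED_STRING', 'T_ENCAPSED_AND_WHITESPACE'], true);
        if ($isString && preg_match('/\bmd5\s*\(/i', $text)) {
            $hits[] = [$line, 'string literal', trim($text)];
        }
        $prev = $name;
    }
    return $hits;
}

// Constructed sample source: one PHP call, one SQL use, one comment that must be ignored.
$sample = <<<'PHP'
<?php
// md5() mentioned in a comment is not a call
$token = md5($email . time());
$sql = "SELECT id FROM users WHERE pass = MD5(?)";
$ok = sha1($password);
PHP;

foreach (find_md5_uses($sample) as $hit) {
    printf("line %d: %s: %s\n", ...$hit);
}
```

To scan a real file, pass file_get_contents($path) to find_md5_uses() instead of the sample string.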
