ID: 45650 User updated by: tom at tdwright dot co dot uk Reported By: tom at tdwright dot co dot uk Status: Bogus Bug Type: Feature/Change Request Operating System: Linux + Windows PHP Version: 5.2.6 New Comment:
Naturally... OK, so part of the lock/key string I was hashing was from a static file read with fopen. Unbeknown to me, the string that was read contained trailing whitespace which affected the hash. Bit of a d'oh moment when I reversed the lock+key to key+lock and saw a space in the middle. Easily rectified by changing my source to: $mangle = str_replace(array("\n", "\r", "\t", " ", "\o", "\xOB"), '', $key . $lock); $hash1 = md5($mangle); That array of whitespace is probably a bit OTT, but I wasn't taking chances and that was a snippet I had laying around. Anyway, my MD5 hashes now match in .Net, Flash and PHP - w00t! Previous Comments: ------------------------------------------------------------------------ [2008-07-29 11:55:55] [EMAIL PROTECTED] Maybe you want to add what the problem was, so that others can find that possibly here and don't waste time in the future :) ------------------------------------------------------------------------ [2008-07-29 11:48:23] tom at tdwright dot co dot uk </stupidity> Scratch all of the above. And please accept my most sincere apologies for wasting your generously donated time. ------------------------------------------------------------------------ [2008-07-29 11:34:21] tom at tdwright dot co dot uk OK, so if the encoding doesn't matter, something else is wrong. Take a look at this script: http://tdwright.co.uk/phpplayground/scribesense/pollscript.php?hash=ecb38fcfc2a18b712ed3dea22a3a65e7 It takes a hashed key/lock pair generated by a remote non-php client and compares it to a hash of the same string produced locally by php. For debugging purposes I've told it to output the string to be hashed, the local hash and the supplied hash. Note that the hash generated by two different online md5 generators (http://www.miraclesalad.com/webtools/md5.php and http://md5.br-design.co.uk/) both agree with the value produced by the non-php MD5. You've marked this as bogus because I attributed the fault incorrectly, but that doesn't mean MD5 works properly and I maintain that this is a bug. Your quick response however, was certainly appreciated as I've been pulling my hair out! =) ------------------------------------------------------------------------ [2008-07-29 04:57:32] [EMAIL PROTECTED] Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php md5 always takes the argument as a bit vector rather than a string of letters, i.e. no encoding matters. If your script is written in ISO- 8559-15 and you passed an embedded string literal to md5(), the result is the hash of a ISO-8859-15 string, even though the script accepts HTTP requests that are supposed to be in UTF-8. ------------------------------------------------------------------------ [2008-07-29 02:39:47] tom at tdwright dot co dot uk Description: ------------ It seems that the MD5 function in php uses the UTF7 encoding of a string for the algorithm. Every other implementation seems to use UTF8. Finding out about this discrepancy was not easy as a) The programming community at large presumably takes it for granted that MD5 uses a UTF8 encoded string b) PHP programmers don't often need to compare their PHP generated hashes with those generated outside of PHP. It's a really annoying quirk and I'd love to see a change (even if it's an option). Reproduce code: --------------- <?php $hash_from_another_lang = $_POST['hash1']; $php_hash = md5("hashtext"); return ($hash_from_another_lang == $php_hash); ?> Expected result: ---------------- true MD5 hashes should match wherever they are generated. Actual result: -------------- false The PHP implementation of the MD5 algorithm produces hashes which are incongruent with the results of any other (AFAIK) MD5 implementation. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=45650&edit=1