Working with MD5 hash - help please?


I have a system whereby users sign up to my website. On signing-up a unique number for that person is generated like so:

$activation_code = rand(); 

So for example that number could be 199603500 and this value is saved to my database.

Now users are then sent a link by email to click to activate that code, but instead of sending the rand() number as it is in the database I hash that number saved in the database with MD5:


So the link sent to the user may look something like:


Now this is fine, but what I want to simply do now is when the link is clicked and the user goes to the activation page this query is run:

$act = (int) $_GET['code'];
$query = "UPDATE tbl SET live = '1' WHERE activation_code = $act"; 

But I'm wondering how I could run this query so that when I $_GET the code, the MD5 activation code is decoded, so a1b2032cas354d26075418695241ba3e6a is changed to 199603500 and my query works?



$act = mysql_real_escape_string($_GET['code']); 

$query = "UPDATE tbl SET live = '1' WHERE activation_code = '$act'"; 

Don’t miss those quotes around $act :wink:

Either use mysql_real_escape_string or similar, prepared statements, or PDO.

Thanks, quick question though: if I send it out MD5 hashed I can’t typecast it as an int, as it now has characters in it:

$act = (int) $_GET['code']; 
$query = "UPDATE tbl SET live = '1' WHERE activation_code = $act";  

So how would I now make it completely safe, so that an evil user can’t add something to the query like

UPDATE tbl SET live = '1' WHERE activation_code = $act OR 1;--' 


You can’t. MD5 is a one-way encryption. What you should do is save the hashed value in your database, so the code in your DB and the code you mail to the user are the same.
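The two replies above (use prepared statements instead of interpolating $_GET into the query, and store the same value you mail out) combined into one working script. This is an added example, not code from the thread; it assumes a table `tbl` with columns `email`, `activation_code` and `live`, and uses an in-memory SQLite database through PDO so it runs on its own. It also swaps `rand()` for `random_bytes()`, which is the technique a practitioner would use for a code that must not be guessable.

```php
<?php
// Added example, not from the original thread. Assumptions: PDO with the
// SQLite driver available, table `tbl` (email, activation_code, live).

function makeActivationCode(): string {
    // Swapped-in technique: random_bytes() instead of rand(), so the code
    // cannot be predicted. 32 hex chars, the same shape as an md5() digest.
    return bin2hex(random_bytes(16));
}

function registerUser(PDO $db, string $email): string {
    $code = makeActivationCode();
    // The value stored is exactly the value mailed, as the last reply advises;
    // nothing has to be "decoded" when the link is clicked.
    $stmt = $db->prepare(
        'INSERT INTO tbl (email, activation_code, live) VALUES (:email, :code, 0)'
    );
    $stmt->execute([':email' => $email, ':code' => $code]);
    return $code;
}

function activate(PDO $db, string $codeFromUrl): bool {
    // Cheap format check first: reject anything that is not 32 hex chars.
    // The prepared statement below is what actually prevents injection;
    // the parameter is never spliced into the SQL text.
    if (!preg_match('/^[0-9a-f]{32}$/', $codeFromUrl)) {
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE tbl SET live = 1 WHERE activation_code = :code AND live = 0'
    );
    $stmt->execute([':code' => $codeFromUrl]);
    // Exactly one row changed means a valid, previously unused code.
    return $stmt->rowCount() === 1;
}

// Constructed in-memory database standing in for the real MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl (id INTEGER PRIMARY KEY, email TEXT,
           activation_code TEXT UNIQUE, live INTEGER NOT NULL DEFAULT 0)');

$code = registerUser($db, 'user@example.com');            // constructed sample user
$link = 'https://example.com/activate.php?code=' . urlencode($code);
echo "Mail this link: $link\n";

// In activate.php the second argument would be (string) ($_GET['code'] ?? '').
var_dump(activate($db, $code));                // bool(true): first click activates
var_dump(activate($db, $code));                // bool(false): already live
var_dump(activate($db, "' OR 1;--"));          // bool(false): fails the format check
var_dump(activate($db, str_repeat('a', 32)));  // bool(false): well-formed but unknown code
```

The format check is only a convenience for rejecting junk early; even without it, the bound `:code` parameter means the `OR 1;--` payload from the question is compared as a literal string and matches no row.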