I'm building a site that's going to be doing some validation of various transactions via email, etc. To verify that the user is who they say they are, I'm stringing a bunch of info together like user name, password, etc. and then hashing it or encrypting it or whatever to place into a link in the email message sent to the client. I'm wondering what the best method is. I see crypt, sha1, MD5, mcrypt and all of that stuff, but I've been unable to find any definitive answer as to which is most secure ... in fact I can't even tell what the difference between them is.
I'm assuming (and that's a big assumption) that sha1 is more secure because it's newer to PHP than crypt or MD5. Then there's mcrypt.
I understand that mcrypt is encryption and MD5 is hashing. And I think I understand that hashing is one-way encryption -- meaning you can't get the data back out like you can with other encryption techniques.
Currently I had been using crypt to do the work, but when I moved the code from my test server to the live server, I'm getting different results with the crypt function than expected. So I'd like to switch to something else that is consistent on both machines and had been looking at mcrypt. However I will still need to one-way encrypt the password.
What's the best method to accomplish this and still end up with strings that can be used in a URL (no offending characters)?
Thanks for any help you have to offer.
-- Christopher
