MD5 Trouble

Shawazi

My credit card gateway "does not use HMAC-MD5 for this security
feature. Only plain MD5 (per RFC 1321) is necessary. "

My code is:

$string = "correctinformation";
$test =  md5($string);

Printing $test shows a different value. What could be going on?

bradgrafelman

If $string's value is literally correctinformation then $test should output 0ca8c64ada90485224b22d3ee47a90d3 .

Other than that, I don't understand your question. Are you saying that your calculated MD5 hash doesn't match the gateway's calculated hash of some unencrypted data?

Shawazi

The quote I gave is the reason they told me. My hash isn't matching theirs even though it is the same data going into the hash. One odd thing to me is that their hash is in all caps. Is there some other way to hash with php?

bradgrafelman

You'll have to ask for more information from them, such as some examples perhaps.

PHP's native [man]md5/man function follows the guidelines set forth by RFC 1321. If they are using all caps, you might try using [man]strtoupper/man as well.

Shawazi

They say they use that, i think I'll have to go back tomorrow and find a higher techie guy at their support. ha

Weedpacket

Show us one of your hashes, and show us one of theirs: preferably for the same input string (if you can supply that as well, all the better).

Shawazi

I can't show that info unforunately. It is a value I create and put on the server, a login id, a transaction id, and the amount. It's something like

$myhash.$mylogin.$mytrans.$myamount

In test mode $mytrans is 0, could this be influencing it somehow?

bradgrafelman

Shawazi wrote:
In test mode $mytrans is 0, could this be influencing it somehow?

Well, it'll influence it by adding a 0 into the unhashed value. If this variable isn't being set properly then of course it will affect your MD5 output... because you won't have the same unencrypted string to begin with.

That's why Weedpacket and I were both suggestion a "test" transaction or authentication for debugging purposes - this helps to verify that your unencrypted string matches their unencrypted string. This is most likely your problem, as we've established that both your server and theirs are using the standard MD5 hashing algorithm.

Shawazi

The transaction ID is zero so I put in zero for my value. It works that I get the transaction ID from them, during a test. Their hash should be made up of

$myhash.$mylogin.$mytrans.$myamount

which equates to

AValueAValue0AnAmount

I'm matching that as far as I know. They return the zero, but not the other 3 values. The other 3 values I send them so we should infer they are the same. But because we can't figure that out I'm going to be giving a call most likely.