
My site deals with people's PayPal email addresses so people can pay each other directly into their PayPal accounts from my site. Each person's email is stored as MD5 on my site; how safe is this? Is there anything else I could do?

The problem is, if someone worked out how to change people's emails on my site, people could end up paying money into the wrong accounts, i.e. the hacker's account.

2007-02-13 04:07:04 · 3 answers · asked by peter s 1 in Computers & Internet Programming & Design

3 answers

An MD5 hash is one-way and fairly secure. One has to have a fairly reasonable idea of what the original string was to decrypt the hash.

It is possible that two strings, very closely related to one another, will create the same MD5 hash (a "collision"). However, the probability of this is so remote, I wouldn't worry about it.

2007-02-13 04:11:45 · answer #1 · answered by Anonymous · 1 0

Though there are hacks for MD5, it's one of the better options for encrypting information in PHP with MySQL (it runs at 128 encryption). Thing is, do you ever have to get these email addresses from the databases too? If that's the case you might want to go with AES_ENCRYPT(). It runs at 128 bit encryption and can be modified up to 256. Using this will let you use the AES_DECRYPT function as well, which means instead of having one-way MD5 you now have the ability to get the email address back from the database, say if a user forgets their user name and you need to compare it to an email address, or in case they forgot which email they inputted. Also, if you are using these email addresses in the transaction process, how are you accessing them with them being in MD5() (there's no decrypt for MD5())? You shouldn't be able to refer 'cause you would be getting a 32 character string, not the user's email address, so that one can pay the other. Also, as a note, you can always SHA(MD5($x)) - or something that uses 2 encryption techniques, as long as you put comparisons the same way, such as "WHERE email=SHA(MD5($x))".

2007-02-13 13:10:27 · answer #2 · answered by Big D 4 · 0 0

From reading your question I see a few issues.

1. MD5 is a one-way encryption. So if you encrypt the email in the database it becomes no use to you.
2. You will not be able to decrypt this information so customers couldn't pay each other.

You should look for two encryption schemes with public private keys. But you need to make sure you understand the risks before you set yourself up with the liability.

2007-02-16 01:14:49 · answer #3 · answered by Anonymous · 0 0
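
An added example, not part of any answer in the thread: an MD5 digest cannot be turned back into an address to pay, and hashing alone does not stop a changed row from being used, so this code keeps the address and attaches a keyed HMAC tag that is checked before payout. `TAG_KEY`, the dict standing in for the database table, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; hypothetical. In practice it is kept outside the
# database so that write access to the table alone cannot forge a tag.
TAG_KEY = b"constructed-demo-key"

def md5_hex(email: str) -> str:
    """What the question stores: a 32-character one-way digest."""
    return hashlib.md5(email.encode()).hexdigest()

def make_tag(user_id: int, email: str) -> str:
    """HMAC-SHA256 binding the address to the account that owns it."""
    return hmac.new(TAG_KEY, f"{user_id}:{email}".encode(), hashlib.sha256).hexdigest()

def store(db: dict, user_id: int, email: str) -> None:
    """Keep the address itself (needed to pay) plus its integrity tag."""
    db[user_id] = {"email": email, "tag": make_tag(user_id, email)}

def payee_address(db: dict, user_id: int) -> str:
    """Return the payout address only if the stored row is unmodified."""
    row = db[user_id]
    if not hmac.compare_digest(make_tag(user_id, row["email"]), row["tag"]):
        raise ValueError(f"address for user {user_id} failed integrity check")
    return row["email"]

def is_rejected(db: dict, user_id: int) -> bool:
    """True when the stored row no longer matches its tag."""
    try:
        payee_address(db, user_id)
        return False
    except ValueError:
        return True

def demo() -> dict:
    db = {}
    store(db, 1, "alice@example.com")     # constructed sample rows
    store(db, 2, "bob@example.com")
    result = {"digest_len": len(md5_hex("alice@example.com")),
              "intact": payee_address(db, 1)}
    db[1]["email"] = "other@example.com"  # row edited directly in the table
    result["edited_rejected"] = is_rejected(db, 1)
    db[1] = dict(db[2])                   # another user's valid row copied in
    result["copied_rejected"] = is_rejected(db, 1)
    return result

if __name__ == "__main__":
    print(demo())
```

The tag covers the user id as well as the address, which is why a valid row copied from another account is rejected too.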
