Verifying utf8 data using salt + md5

Hi,

I am having a problem sending some score data for my game that I want to stop the average Joe from hacking.

This is what I have:

  • concat all my strings into one long hash string
  • add a salt string
  • make a md5 hash using the bytes of the hash string encoded using utf8
  • send an http POST using Content-Type: application/x-www-form-urlencoded

Here is the Java

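[code]
StringBuffer sb = new StringBuffer( 512 );

// Build the string to hash: name + score + salt
sb.append( name );
sb.append( score );
sb.append( SECRET );

DigestMD5 md5 = new DigestMD5();

// Hash the UTF-8 bytes of the concatenated string
md5.reset();
md5.update( sb.toString().getBytes( "UTF-8" ) );

String hash = md5.digestString();

// Clear the buffer so the salted string is not sent in the POST body
sb.setLength( 0 );

// Build the form-encoded POST body
sb.append( "&name=" );
sb.append( URLUTF8Encoder.encode( name ) );
sb.append( "&score=" );
sb.append( score );
sb.append( "&hash=" );
sb.append( URLUTF8Encoder.encode( hash ) );
[/code]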

On the other end, the php script takes the data and tries to verify the hash. It doesn’t seem to work for all encodings.

[php]
$name = mysql_real_escape_string( $_POST['name'], $db );
$score = mysql_real_escape_string( $_POST['score'], $db );
$hash = $_POST['hash'];

// Recompute the hash from the received fields and the salt
$hashString = $name.$score.$SECRET;
$realHash = md5( utf8_encode( $hashString ) );
[/php]

My host is running php 5. Any help would be very much appreciated.

Have you tried outputting the form data in the format it is sent (Java), the format in which it is received (PHP) and the hashes at both ends?

I have logged everything on the php end and I seem to get data that looks encoded. Here is one of the entries. The name and score look fine but the hashes don’t match.

Invalid hash!
name: [إبدللعزيز]
score: [2100]
hash: [18d12434a2b60f3f39b4bcdd0b993d60]
die: Server down try again later.

I assume the name is utf8 but I can’t be sure. The Android side is harder since it only happens on customer phones. So no, I haven’t been able to log that.

Does the php side seem to be correct at least?

I think I have fixed it. It clicked in when I wrote that I assumed the string was utf8. It looks like I was encoding it to utf8 again.

[php]$realHash = md5( utf8_encode( $hashString ) );[/php]

became

[php]$realHash = md5( $hashString );[/php]

and there was much rejoicing.

Thank you for your time.
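
Added example (not code from the thread): a Python model of the mismatch resolved above. PHP's utf8_encode() treats its input as ISO-8859-1, so running it over form data that is already UTF-8 rewrites every non-ASCII byte and changes the MD5, while pure-ASCII names still verify. SECRET, the helper names and the first two sample names are constructed for illustration.

```python
import hashlib
import hmac

SECRET = "example-salt"  # constructed placeholder, not the game's real salt


def client_hash(name: str, score: int) -> str:
    """Client side: MD5 over the UTF-8 bytes of name + score + salt."""
    return hashlib.md5(f"{name}{score}{SECRET}".encode("utf-8")).hexdigest()


def php_utf8_encode(raw: bytes) -> bytes:
    """Model of PHP utf8_encode(): read each byte as ISO-8859-1, emit UTF-8."""
    return raw.decode("latin-1").encode("utf-8")


def server_verify(name: bytes, score: bytes, sent_hash: str,
                  double_encode: bool) -> bool:
    """Server side: recompute the hash from the raw POST bytes and compare."""
    data = name + score + SECRET.encode("utf-8")
    if double_encode:  # the original script: md5(utf8_encode($hashString))
        data = php_utf8_encode(data)
    expected = hashlib.md5(data).hexdigest()
    # Constant-time comparison of the two hex digests
    return hmac.compare_digest(expected, sent_hash)


def check(name: str, score: int, double_encode: bool) -> bool:
    """Round trip: hash on the client, then verify the UTF-8 form fields."""
    sent = client_hash(name, score)
    return server_verify(name.encode("utf-8"), str(score).encode("ascii"),
                         sent, double_encode)


if __name__ == "__main__":
    # "Joe" and "José" are constructed; the third name is from the log above
    for name in ("Joe", "José", "إبدللعزيز"):
        print(repr(name),
              "with utf8_encode:", check(name, 2100, True),
              "| without:", check(name, 2100, False))
```

Only names containing bytes above 0x7F fail with the extra utf8_encode step, which is why the problem showed up on some customer phones and not in ASCII-only testing.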
