
Hash

Converts a variable-length string to a 32-byte, hexadecimal string, using the MD5 algorithm. (It is not possible to convert the hash result back to the source string.)

Returns: 32-byte, hexadecimal string

Category: Conversion functions, Other functions, String functions

Function syntax: Hash(string)

Parameter | Description
string | A string or a variable that contains one.

The result is useful for comparison and validation. For example, a developer can store the hash of a password in a database without exposing the password. The developer can check the validity of the password with the following code:

<cfif hash(form.password) is not myQuery.passwordHash>
  <cflocation url = "unauthenticated.cfm">
</cfif>

<!--- How to use Hash for password validation. This assumes that UserID
value is passed to this page with a URL parameter. --->
<h3>Hash Example</h3>
<cfquery name = "CheckPerson" datasource = "UserData">
  SELECT PasswordHash
  FROM SecureData
  WHERE UserID = <cfqueryparam value = "#UserID#" cfsqltype = "CF_SQL_CHARVAR">
</cfquery>
<cfif Hash(form.password) is not checkperson.passwordHash>
  <cflocation url = "unauthenticated.cfm">
<cfelse>
  ...
</cfif>
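
The same check written defensively, as an added example that is not part of the original Macromedia documentation: UserID is scoped and defaulted, the row count is tested before the stored hash is read, the parameter type is CF_SQL_VARCHAR, and CompareNoCase() compares the two hashes as strings. The `authenticated` variable and the `addtoken` setting are choices made for this example; the datasource, table and column names are the ones used above.

```cfml
<!--- Added example (not Macromedia's code). Datasource, table and column
      names are the ones used in the page's example; "authenticated" is a
      variable introduced here. --->

<!--- UserID arrives in the URL scope, the password in the FORM scope.
      Default both so a missing value fails the check instead of raising
      an undefined-variable error. --->
<cfparam name = "url.UserID" default = "">
<cfparam name = "form.password" default = "">

<cfset authenticated = false>

<cfif Len(Trim(url.UserID)) and Len(form.password)>
  <cfquery name = "CheckPerson" datasource = "UserData">
    SELECT PasswordHash
    FROM SecureData
    WHERE UserID = <cfqueryparam value = "#url.UserID#" cfsqltype = "CF_SQL_VARCHAR">
  </cfquery>

  <!--- Read the stored hash only when exactly one row matched. --->
  <cfif CheckPerson.recordCount is 1>
    <!--- CompareNoCase() returns 0 when the two strings are equal and
          always compares them as strings. --->
    <cfif CompareNoCase(Hash(form.password), CheckPerson.PasswordHash) is 0>
      <cfset authenticated = true>
    </cfif>
  </cfif>
</cfif>

<cfif not authenticated>
  <!--- addtoken = "no" keeps CFID/CFTOKEN out of the redirect URL. --->
  <cflocation url = "unauthenticated.cfm" addtoken = "no">
</cfif>
```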


Version 6.1

Comments are no longer accepted for ColdFusion MX 6.1. ColdFusion 8 is the current version.

Comments


frinky!!! said on May 17, 2004 at 6:05 AM :
This example is extremely bad coding!
In the comment it is said that 'assumes that UserID value is passed to this page with a URL parameter', so why don't you scope it then? Maybe check for the existence of it?!
Then, second: you are querying a table, and assume we've got results back...
A check for recordcount would be quite handy, would it not?
I can understand you don't want to make your examples too complicated, but this is just plain worthless.
Ike23 said on Sep 3, 2004 at 2:11 PM :
I actually like the fact that the code was simple and straight to the point. All I want to know is how to use the Hash() function to secure my passwords. This article answered my question perfectly. I'm glad I didn't have to read through a bunch of <cfif query.recordcount> code...
deepu_verma said on Sep 10, 2004 at 12:20 AM :
Can the hexadecimal code be converted back to string, by any method?
oneishy_ said on Sep 10, 2004 at 10:02 AM :
The ColdFusion Hash function is an implementation of MD5 per the link below. MD5 is a one-way hash function so you can't go backwards.

http://www.macromedia.com/devnet/server_archive/articles/understanding_encrypt.html#999931
webdev101 said on Sep 10, 2004 at 11:24 AM :
Is hash() 100% unique?
KiraganJeff said on Sep 27, 2004 at 12:01 PM :
The point of hash() isn't uniqueness. Use CreateUUID() for that. From my understanding of MD5 encryption, every time you enter the same value, you will get the same result, but every unique value entered would necessarily have a unique result.
pete_freitag said on Jan 25, 2005 at 12:16 PM :
In the example, there is no CF_SQL_CHARVAR type for CFQUERYPARAM - it should be CF_SQL_VARCHAR

unless CF_SQL_CHARVAR is an undocumented type?
No screen name said on Jan 31, 2005 at 6:21 AM :
The code example is using FORM.password, which would not be passed via URL because it would be prefixed URL.password.
paulfeakins said on Jul 8, 2005 at 10:31 AM :
I have to agree with Ike23, it's much clearer this way, without all of the <cfif>s etc. that one might otherwise include. It answered my question straight away too.

 


Current page: http://livedocs.adobe.com/coldfusion/6.1/htmldocs/funct113.htm