Correct handling of hash in redirect url

url

client

php

necessary

turns

hash

md5

md5passwd

clientid

bamberg 2012-09-03 05:34:57 UTC #1

I just wanted to share my findings on the hash option in the redirect URL, because it took me a while to find all the necessary information and put it together.

Here is some php code to check, if the url is valid or has been tampered with:

<?php

$hash=$_GET['hash'];

$url="http://".$SERVER["SERVERNAME"] . $SERVER["REQUESTURI"];

$url=str_replace ("&hash=".$hash, "", $url);

$md5passwd="the md5 sum of my password";

$clientid="my client id number, which I found in the seller admin > account summary menu";

$expected_hash=md5($clientid.$md5passwd.$url);

if ($expected_hash != $hash) { ?>

What was mostly unclear to me from the documentation was

1) what the client id is

2) which parts of the url are included in the hash (turns out, it were all of them :)

I hope this helps to save some elses time,

Brian

E-junkie_Guru 2012-09-04 18:32:58 UTC #2

Thanks for providing that validation code example! I've updated our Redirection help page to include that code and clarify the parts you weren't sure about. :^)

biomedware 2022-07-15 18:02:23 UTC #3

Just struggled through the md5 redirect hash calc with .net 6 (asp.net) as I wasn't exactly sure if the redirection url was just the querystring or the absolute path, including the querystring. (even after reading the docs, it wasn't exactly clear for those of us who are not PHP devs)

A bit of clarification may help:

The hash is calc'd off the the fully qualified url, excluding the &hash=<val> parameter. So, if the redirect url is:

https://example.com/e-junkie?payer_email=joe.dirt%40hash.fyi&txn_id=jg-2LIVRB-RX2WAW5FB112F9C&first_name=Joe&last_name=dir&payment_status=Completed&currency=USD&client_id=123456&gross=99.00&hash=ef548cb791f36319940520fb31b45b4f

Then the hash is based off:

https://example.com/e-junkie?payer_email=joe.dirt%40hash.fyi&txn_id=jg-2LIVRB-RX2WAW5FB112F9C&first_name=Joe&last_name=dir&payment_status=Completed&currency=USD&client_id=123456&gross=99.00

In the .net world, the process of calc'ing the hash is:

string expectedHash = Request.Query.TryGetValue( "hash", out var val ) ? val : "";

string url = Request.GetDisplayUrl().Replace( $"&hash={expectedHash}", "" );

string ourHash = Utils.CalcMd5( EJunkieClientId + Utils.CalcMd5( EJunkieLoginPassword ) + url );

bool valid = string.Equals( expectedHash, ourHash, StringComparison.Ordinal );

Where the Utils.CalcMd5 method is an implementation of calc'ing the md5 hash.

HTH's

SOLUTIONS FEATURES PRICING DISCOVER PRODUCTS CONTACT HELP DOCS DASHBOARD

Forum

E-junkie Community Forum

Share and learn in the E-junkie community.