Sep 2012

I just wanted to share my findings on the hash option in the redirect URL, because it took me a while to find all the necessary information and put it together.



Here is some PHP code to check if the URL is valid or has been tampered with:



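<?php

// Hash parameter from the redirect URL (empty string if missing or not a string)
$hash = (isset($_GET['hash']) && is_string($_GET['hash'])) ? $_GET['hash'] : '';

// Rebuild the full URL that was requested
$url = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];

// Remove the hash parameter; everything else is part of the hashed string
$url = str_replace("&hash=" . $hash, "", $url);

$md5passwd = "the md5 sum of my password";

$clientid = "my client id number, which I found in the seller admin > account summary menu";

$expected_hash = md5($clientid . $md5passwd . $url);

// hash_equals() compares the strings in constant time; != would type-juggle "0e..." hashes
if (!hash_equals($expected_hash, $hash)) {
    // The URL is not valid or has been tampered with: reject the request here
}

?>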



What was mostly unclear to me from the documentation was



1) what the client id is

2) which parts of the URL are included in the hash (turns out, it was all of them :)



I hope this helps to save someone else's time,

Brian

created Sep '12 • last reply Jul '22 • 2 replies • 1.3k views • 3 users

Thanks for providing that validation code example! I've updated our Redirection help page to include that code and clarify the parts you weren't sure about. :^)

9 years later

Just struggled through the md5 redirect hash calc with .net 6 (asp.net) as I wasn't exactly sure if the redirection url was just the querystring or the absolute path, including the querystring. (even after reading the docs, it wasn't exactly clear for those of us who are not PHP devs)

A bit of clarification may help:

The hash is calc'd off the fully qualified URL, excluding the &hash=<val> parameter. So, if the redirect URL is:

https://example.com/e-junkie?payer_email=joe.dirt%40hash.fyi&txn_id=jg-2LIVRB-RX2WAW5FB112F9C&first_name=Joe&last_name=dir&payment_status=Completed&currency=USD&client_id=123456&gross=99.00&hash=ef548cb791f36319940520fb31b45b4f

Then the hash is based off:

https://example.com/e-junkie?payer_email=joe.dirt%40hash.fyi&txn_id=jg-2LIVRB-RX2WAW5FB112F9C&first_name=Joe&last_name=dir&payment_status=Completed&currency=USD&client_id=123456&gross=99.00

In the .net world, the process of calc'ing the hash is:

string expectedHash = Request.Query.TryGetValue( "hash", out var val ) ? val : "";

string url = Request.GetDisplayUrl().Replace( $"&hash={expectedHash}", "" );

string ourHash = Utils.CalcMd5( EJunkieClientId + Utils.CalcMd5( EJunkieLoginPassword ) + url );

bool valid = string.Equals( expectedHash, ourHash, StringComparison.Ordinal );

Where the Utils.CalcMd5 method is an implementation of calc'ing the md5 hash.

HTH's
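
The check described in the posts above, as an added Python example that is not part of any post and not the payment service's own code. It hashes the raw URL with its percent-escapes left intact and compares in constant time; the client id, password and URL are constructed sample values, and rejecting a repeated hash parameter is a choice made for this example.

```python
import hashlib
import hmac
import re

# Matches the "&hash=<val>" parameter in the raw URL (value runs to the next & or #).
HASH_PARAM = re.compile(r"&hash=([^&#]*)")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def expected_hash(client_id: str, password: str, url_without_hash: str) -> str:
    # Formula from the posts above: md5(client_id + md5(password) + url)
    return md5_hex(client_id + md5_hex(password) + url_without_hash)


def verify_redirect_url(raw_url: str, client_id: str, password: str) -> bool:
    """Return True only if raw_url carries exactly one hash and it matches."""
    received = HASH_PARAM.findall(raw_url)
    if len(received) != 1:
        return False  # missing or repeated hash: rejected (choice made for this example)
    # Hash the URL exactly as received; do not decode or re-encode %xx escapes.
    url = HASH_PARAM.sub("", raw_url)
    expected = expected_hash(client_id, password, url)
    # Constant-time comparison of the two hex strings as bytes.
    return hmac.compare_digest(expected.encode(), received[0].encode())


# Constructed sample values, not real credentials or a real transaction.
CLIENT_ID = "123456"
PASSWORD = "example-password"
BASE_URL = ("https://example.com/thanks?payer_email=joe%40example.com"
            "&txn_id=TEST-0001&payment_status=Completed&gross=99.00")
# Stand-in for the URL the payment service would redirect the buyer to.
SIGNED_URL = BASE_URL + "&hash=" + expected_hash(CLIENT_ID, PASSWORD, BASE_URL)

if __name__ == "__main__":
    edited = SIGNED_URL.replace("gross=99.00", "gross=0.01")
    decoded = SIGNED_URL.replace("%40", "@")
    print(verify_redirect_url(SIGNED_URL, CLIENT_ID, PASSWORD))  # URL as sent
    print(verify_redirect_url(edited, CLIENT_ID, PASSWORD))      # amount changed
    print(verify_redirect_url(decoded, CLIENT_ID, PASSWORD))     # escape decoded
```

The third case shows why the URL has to be taken raw from the request: a framework that hands back a decoded or normalised URL produces a different hash even though nothing was tampered with.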