B4J Tutorial [BANano] Getting the Md5 Hash of a string

Mashiane

Ola

Was recently requested to look at this by a friend...

1. Download this repo here to get the md5 javascript resource

https://github.com/blueimp/JavaScript-MD5

2. In your BANano project, add the javascript file
B4X:
BANano.Header.AddJavascriptFile("md5.min.js")
3. Add this code to your code module in your project

B4X:
'get md5hash
Sub Md5Hash(value As String, key As String, raw As Boolean) As String
    Dim res As Object = BANano.RunJavascriptMethod("md5", Array(value, key, raw))
    Return res
End Sub
4. Usage

B4X:
Log(Md5Hash("TheMash", Null, False))
Log(Md5Hash("TheMash", "AneleMbanga", False))
Log(Md5Hash("TheMash", Null, True))
Log(Md5Hash("TheMash", "AneleMbanga", True))
5. Output.

md5hash.png


One can use this to store hashed passwords in the database, compute checksums to verify data integrity, or detect unintentional data corruption, depending on the complexity one needs.

Enjoy.
 

Mashiane

I guess this is transpiled by BANano. Isn't your password exposed then?
Because hashing is one way, one can implement this by...

1. On a user registration screen, you ask for the password, you don't save the actual password on the db but then hash it and save the hashed password on the db using this option for example.

B4X:
Dim save2db As String = Md5Hash(<UserPassword>, Null, False)
2. On the login screen, you ask the password of the user, this is then hashed using the same hash method you did for the registration.

3. You then compare the hashed value in the db and the one the user is using to login. If the hash values match, then a successful login is ensured; if not, the passwords do not match and no login is done.

In both cases, the real password never actually gets revealed.

In this scenario, you have a system that DOES NOT KNOW people's passwords, like MegaSync for example.
 

alwaysbusy

And the DB is on the server side of course, because MD5 is vulnerable to brute force attacks and, as it is a fast hash, one can relatively quickly find a plain text match that generates a desired hash, especially with passwords.

It is always better to do all encryption on the server side using something strong like bcrypt and you can protect yourself against brute force attacks e.g. with a DoS filter.
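
The server-side approach recommended in the reply above, as an added example that is not part of the thread: a Node.js sketch contrasting an unsalted MD5 digest with a slow, salted hash checked in constant time. The thread names bcrypt; this example substitutes Node's built-in scrypt, and the function names and stored-record layout are assumptions made for illustration.

```javascript
// Added example (Node.js, server side); scrypt stands in for bcrypt here.
const crypto = require('node:crypto');

// Fast, unsalted digest: equivalent of the tutorial's Md5Hash(value, Null, False).
function md5Hex(password) {
  return crypto.createHash('md5').update(password, 'utf8').digest('hex');
}

// Slow, salted hash. Record layout is an assumption of this example:
// scrypt$N$r$p$saltHex$hashHex
const PARAMS = { N: 16384, r: 8, p: 1, keylen: 32 };

function hashPassword(password) {
  const salt = crypto.randomBytes(16); // unique per stored password
  const { N, r, p, keylen } = PARAMS;
  const dk = crypto.scryptSync(password, salt, keylen, { N, r, p });
  return ['scrypt', N, r, p, salt.toString('hex'), dk.toString('hex')].join('$');
}

function verifyPassword(password, record) {
  const parts = record.split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false; // not our format
  const [N, r, p] = parts.slice(1, 4).map(Number);
  const salt = Buffer.from(parts[4], 'hex');
  const expected = Buffer.from(parts[5], 'hex');
  if (![N, r, p].every(Number.isInteger) || expected.length === 0) return false;
  const dk = crypto.scryptSync(password, salt, expected.length, { N, r, p });
  return crypto.timingSafeEqual(dk, expected); // constant-time comparison
}

// Constructed sample: two accounts that chose the same password.
function demo() {
  const pw = 'TheMash';
  const a = hashPassword(pw), b = hashPassword(pw);
  return {
    md5Equal: md5Hex(pw) === md5Hex(pw),    // same password, same stored value
    scryptEqual: a === b,                   // per-record salt makes them differ
    goodLogin: verifyPassword(pw, a),
    badLogin: verifyPassword('themash', a),
  };
}

console.log(demo());
```

Because the cost parameters are stored in each record, they can be raised later without invalidating existing entries.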
 