
Hash

Description

Converts a variable-length string to a fixed-length string that can act as a "fingerprint" or unique identifier for the original string. It is not possible to convert the hash result back to the source string.

Returns

A string.

Category

Conversion functions, Security functions, String functions

Function syntax

Hash(string[, algorithm[, encoding]] )

History

ColdFusion MX 7: Added the algorithm and encoding parameters.

Parameters

Parameter Description

string

String to hash.

algorithm

(Optional) The algorithm to use to hash the string. ColdFusion MX installs a cryptography library with the following algorithms:

  • CFMX_COMPAT: Generates a hash string identical to that generated by ColdFusion MX and ColdFusion MX 6.1 (default).
  • MD5: (Default) Generates a 32-character, hexadecimal string, using the MD5 algorithm (the algorithm used in ColdFusion MX and prior releases).
  • SHA: Generates a 28-character string using the Secure Hash Standard SHA-1 algorithm specified by National Institute of Standards and Technology (NIST) FIPS-180-2.
  • SHA-256: Generates a 44-character string using the SHA-256 algorithm specified by FIPS-180-2.
  • SHA-384: Generates a 64-character string using the SHA-384 algorithm specified by FIPS-180-2.
  • SHA-512: Generates an 88-character string using the SHA-1 algorithm specified by FIPS-180-2.

If you install a security provider with additional cryptography algorithms, you can also specify any of its hashing algorithms.

encoding

(Optional; to use this attribute you must also specify the algorithm parameter) A string specifying the encoding to use when converting the string to byte data used by the hash algorithm. Must be a character encoding name recognized by the Java runtime. The default value is the value specified by the defaultCharset entry in the neo-runtime.xml file, which is normally UTF-8. Ignored when using the CFMX_COMPAT algorithm.

Usage

The result of this function is useful for comparison and validation. For example, you can store the hash of a password in a database without exposing the password. You can check the validity of the password by hashing the entered password and comparing the result with the hashed password in the database.

ColdFusion MX 7 uses the Java Cryptography Extension (JCE) and installs a Sun Java 1.4.2 runtime that includes the Sun JCE default security provider. This provider includes the algorithms listed in the Parameters section. The JCE framework includes facilities for using other provider implementations; however, Macromedia cannot provide technical support for third-party security providers.

The encoding attribute is normally not required. It provides a mechanism for generating identical hash values on systems with different default encodings. ColdFusion uses a default encoding of UTF-8 unless you modify the defaultCharset entry in the neo-runtime.xml file.
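
The following is an added example, not part of the original documentation. It prints the length of each algorithm's result both as the hexadecimal string Hash() returns and as the same digest re-encoded in Base64, then shows the encoding parameter changing the result for a non-ASCII string and how hex case affects comparison. The sample strings and variable names are constructed for illustration.

```cfml
<!--- Added example: sample strings and variable names are constructed. --->
<cfset sample = "This is a string to hash">
<cfset algorithms = ListToArray("MD5,SHA,SHA-256,SHA-384,SHA-512")>

<!--- 1. Length of the hex string Hash() returns versus the same digest
      re-encoded as Base64 (the hex is decoded to bytes first). --->
<table border="1">
   <tr><th>Algorithm</th><th>Hex length</th><th>Base64 length</th></tr>
   <cfloop index="i" from="1" to="#ArrayLen(algorithms)#">
      <cfset hexDigest = Hash(sample, algorithms[i], "UTF-8")>
      <cfset b64Digest = ToBase64(BinaryDecode(hexDigest, "hex"))>
      <cfoutput>
      <tr><td>#algorithms[i]#</td><td>#Len(hexDigest)#</td><td>#Len(b64Digest)#</td></tr>
      </cfoutput>
   </cfloop>
</table>

<!--- 2. The encoding parameter decides which bytes are hashed. Chr(233)
      (e-acute) is one byte in ISO-8859-1 and two bytes in UTF-8, so the
      two results differ; for pure ASCII input they would be equal. --->
<cfset accented = "caf" & Chr(233)>
<cfset hashUtf8 = Hash(accented, "SHA", "UTF-8")>
<cfset hashLatin1 = Hash(accented, "SHA", "ISO-8859-1")>

<!--- 3. Hex case: the IS operator ignores case, Compare() does not.
      LCase() gives the lowercase form that many other languages emit. --->
<cfset lowerHex = LCase(hashUtf8)>

<cfoutput>
<p>UTF-8: #hashUtf8#<br>
ISO-8859-1: #hashLatin1#<br>
Same value: #YesNoFormat(hashUtf8 is hashLatin1)#</p>
<p>Upper vs. lower hex with IS: #YesNoFormat(hashUtf8 is lowerHex)#<br>
Upper vs. lower hex with Compare(): #Compare(hashUtf8, lowerHex)#</p>
</cfoutput>
```

When a stored hash was produced on another system, pass the same encoding name on both sides and agree on hex case or Base64 before comparing.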

Example

The following example lets you enter a password and compares the hashed password with a hash value saved in the SecureData table of the cfdocexamples database. This table has the following three entries:

User ID    Password
blaw       blaw
dknob      dknob

<h3>Hash Example</h3>

<!--- Do the following if the form is submitted. --->
<cfif IsDefined("Form.UserID") and IsDefined("Form.password")>

   <!--- Query the database. cfqueryparam binds the user ID as a
         parameter instead of placing it in the SQL text. --->
   <cfquery name = "CheckPerson" datasource = "cfdocexamples">
      SELECT PasswordHash
      FROM SecureData
      WHERE UserID = <cfqueryparam value = "#Form.userID#"
         cfsqltype = "CF_SQL_VARCHAR">
   </cfquery>

   <!--- Compare query PasswordHash field and the hashed form password
         and display the results. HTMLEditFormat escapes the submitted
         user ID before it is written back to the page. --->
   <cfoutput>
      <cfif Hash(Form.password, "SHA") is not checkperson.passwordHash>
         User ID #HTMLEditFormat(Form.userID)# or password is not valid. Try again.
      <cfelse>
         Password is valid for User ID #HTMLEditFormat(Form.userID)#.
      </cfif>
   </cfoutput>
</cfif>

<!--- Form for entering ID and password. The cfoutput tag is required
      so that the CGI.SCRIPT_NAME variable in the action is evaluated. --->
<cfoutput>
<form action="#CGI.SCRIPT_NAME#" method="post">
   <b>User ID: </b>
   <input type = "text" name="UserID" ><br>
   <b>Password: </b>
   <input type = "password" name="password" ><br><br>
   <input type = "Submit" value = "Encrypt my String">
</form>
</cfoutput>


Version 7

Comments


bob2cam said on Mar 11, 2005 at 7:43 AM :
I've copied the Hash example code to a cfm page. When I attempt to run the page, I get a "sql missing operator error". If I remove the cfqueryparam from the WHERE statement and just use WHERE UserID = '#FORM.UserID# ' it works fine. Can someone explain how I would use the cfqueryparam in this type of situation?
BOBCAMPBELL said on Mar 12, 2005 at 3:32 AM :
Note: When I said it worked fine I was mistaken. I'm using Dreamweaver and it worked without cfqueryparam when tested inside the Recordset wizard box by clicking the Test button and entering 12. It returned the right recordset.
Either way it does not work when tested in the browser. Bob
Mechro said on Mar 15, 2005 at 11:33 AM :
Um...the problem you fellas are having with the example is because the cfqueryparam cfsqltype attribute is "CF_SQL_CHARVAR" in the code example.

Try CF_SQL_VARCHAR and see how it works.
BOBCAMPBELL said on Mar 16, 2005 at 1:12 AM :
Thanks! I thought that was really going to fix it! But no such luck. The results are the same, "User ID 12 or password is not valid. Try again. " I wonder if it has something to do with jsessions?
jrunrandy said on Mar 16, 2005 at 7:12 AM :
In addition to the CF_SQLCHARVAR problem, the specified userID/pw combinations don't seem to work. I opened the securedata database table and found two more users, both of which worked for me: blaw, with password blaw and dknob with password dknob.

Hope this helps.
override11 said on Apr 6, 2005 at 1:24 PM :
I think everyone is missing the point... this is not supposed to be a cookie-cutter code sample, it's supposed to show you how to use the hash() function. I think it does that just fine =)
BOBCAMPBELL said on Apr 6, 2005 at 2:54 PM :
The point was twofold. One, the sample did not work and two, the documentation was not accurate. I received a very quick response from MM, it will be noted for the next version of the documentation.
sthompson said on Nov 3, 2005 at 10:41 PM :
The docs are wrong about how big the returned strings are. I ran the following code below and these are the results I got.

Hash("This is a string to hash", "MD5") - 32 characters
Hash("This is a string to hash", "SHA") - 40 characters
Hash("This is a string to hash", "SHA-256") - 64 characters
Hash("This is a string to hash", "SHA-384") - 96 characters
Hash("This is a string to hash", "SHA-512") - 128 characters
Hallow said on Jan 7, 2006 at 3:26 PM :
The numbers in the docs appear to be correct for base64 encoded data. For example, a raw binary SHA hash is 20 chars. HEX is 40 chars. Base64 is 28 chars. You can convert from HEX to Base64 (which is required by LDAP for example), like so:

base64SHA = toBase64(binaryDecode(hash(form.myPassword,'SHA-1'),'hex'));
Zoramite said on Feb 5, 2007 at 12:41 PM :
On an editorial note, you have the text: 'This table has the following three entries:' when there are only two entries in the table listed.
ASandstrom said on Feb 5, 2007 at 1:40 PM :
Thanks for the info - I've updated the doc for the next release of ColdFusion.
No screen name said on Mar 24, 2008 at 6:59 AM :
In the documentation, it says both the CFMX_COMPAT and MD5 algorithms are default.
halL said on Apr 2, 2008 at 2:30 PM :
The documentation is unclear. MD5 and CFMX_COMPAT both use the MD5 algorithm, so they are both, effectively, the default.
No screen name said on May 29, 2008 at 1:34 PM :
Just a note for people comparing hashes with other languages: the hash() function returns an uppercase hex string, whereas a lot of other languages will return a lowercase hex string.

so if you try
toBase64(Hash('apple','SHA'))

and try to match it with php code
base64_encode(sha1('apple'));

you'll need to change your code to
toBase64( LCase( Hash('apple','SHA') ) )

 


Current page: http://livedocs.adobe.com/coldfusion/7/htmldocs/00000503.htm