MD5 Hashing in PHP: md5() Function Guide

Learn PHP MD5 hashing with md5() and md5_file(). File integrity checks, why not to use MD5 for passwords, and migration to password_hash().

How to Generate MD5 Hashes in PHP

PHP provides md5() as a built-in function that returns a 32-character hexadecimal hash. It also includes md5_file(), which hashes a file's contents directly so you do not have to load the whole file into memory yourself. These are some of the most commonly used functions in PHP, but it is critical to understand what they should and should not be used for.

Basic Usage

<?php
// Hash a string
echo md5("Hello, World!"); // 65a8e27d8879283831b664bd8b7f0ad4

// Raw binary output (16 bytes instead of 32 hex chars)
$raw = md5("Hello, World!", true);
echo strlen($raw); // 16

// Hash comparison
$expected = "65a8e27d8879283831b664bd8b7f0ad4";
if (hash_equals($expected, md5("Hello, World!"))) {
    echo "Match!";
}
// Always use hash_equals() to prevent timing attacks

File Integrity with md5_file()

<?php
// Hash a file directly (memory-efficient for large files)
$checksum = md5_file("/path/to/download.zip");
echo "MD5: " . $checksum;

// Verify a download against a known checksum
$expected = "abc123def456...";
$actual = md5_file("plugin.zip"); // returns false if the file cannot be read
if ($actual === false || !hash_equals($expected, $actual)) {
    die("File integrity check failed! Do not install.");
}

// Compare two files for identical content
// (check for false first, otherwise two unreadable files would "match")
$a = md5_file("file_a.txt");
$b = md5_file("file_b.txt");
if ($a !== false && $a === $b) {
    echo "Files are identical";
}

WARNING: Never Use md5() for Passwords

This is the single most important thing to know about MD5 in PHP. Using md5() to hash passwords is a critical security vulnerability that has led to millions of account compromises. The reasons:

  • Speed is the enemy — MD5 is designed to be fast. Modern GPUs can compute 50+ billion MD5 hashes per second, making brute-force trivial.
  • No salt — md5($password) always produces the same hash for the same input, enabling rainbow table attacks.
  • Collisions exist — two different inputs can produce the same MD5 hash, a proven vulnerability since 2004.

Use password_hash() Instead

<?php
// CORRECT: Use password_hash() with bcrypt (default) or Argon2
$hash = password_hash("user_password", PASSWORD_DEFAULT);
// Produces: $2y$10$... (bcrypt with random salt, cost factor 10)

// Verify a password
if (password_verify("user_password", $hash)) {
    echo "Password correct";
}

// Migrating from MD5 to bcrypt
// On login, if old md5 hash matches, rehash with password_hash()
// ($input is the submitted password; $stored_md5_hash and $user_id come from the user's row)
if (hash_equals($stored_md5_hash, md5($input))) {
    $new_hash = password_hash($input, PASSWORD_DEFAULT);
    // UPDATE users SET password = ? WHERE id = ?
    // (bind $new_hash and $user_id in a prepared statement)
}
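
The login-time migration described above, carried through for both legacy and current rows, as an added example that is not code from the original page. The function name verifyAndUpgrade() and the sample user records are hypothetical, and the example goes one step further than the page by also using password_needs_rehash() to catch later changes to the default algorithm or cost.

```php
<?php
declare(strict_types=1);

// Added example: upgrade legacy MD5 password hashes at login time.
// verifyAndUpgrade() and the sample records below are hypothetical.

/**
 * Returns [bool $ok, ?string $newHash]. $newHash is non-null when the
 * caller should overwrite the stored value (via a prepared statement).
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    // Legacy rows: unsalted md5() output is exactly 32 hex characters.
    if (preg_match('/^[a-f0-9]{32}$/i', $stored) === 1) {
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    // Modern rows: password_verify() reads algorithm, cost and salt from the hash.
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Rehash if PASSWORD_DEFAULT or its cost changed since the hash was created.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample store: one legacy MD5 row, one current row.
$users = [
    'alice' => md5('correct horse'),                              // legacy
    'bob'   => password_hash('battery staple', PASSWORD_DEFAULT), // current
];
$logins = [['alice', 'wrong'], ['alice', 'correct horse'],
           ['alice', 'correct horse'], ['bob', 'battery staple']];

foreach ($logins as [$user, $pw]) {
    [$ok, $newHash] = verifyAndUpgrade($pw, $users[$user]);
    if ($newHash !== null) {
        $users[$user] = $newHash; // in production: UPDATE via prepared statement
    }
    printf("%-5s %-6s upgraded=%s\n", $user, $ok ? 'ok' : 'denied',
        $newHash !== null ? 'yes' : 'no');
}
```

Accounts that never log in keep their MD5 hash under this scheme, so the legacy branch has to stay in place until those rows are reset or retired.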

Legitimate Uses for md5() in PHP

  • Cache key generation — md5($query . serialize($params)) for database query caching
  • File change detection — md5_file() to detect when assets need cache-busting
  • ETag headers — header("ETag: " . md5_file($filepath)) for HTTP caching
  • Content-addressable storage — organizing files by their MD5 hash in non-adversarial systems
