Posts: 2
Registered: ‎03-27-2019

I am currently using PHP SIM do I need to update MD5 ?

Recently my site started giving errors at checkout, now I am realizing that it might be the fact that I am using MD5. Below is my current code, can anyone give me some direction? I have read the upgrade info but still am unsure. Here is the code I am currently passing my $loginid and $txnkey. Thank you for any help with this!


// Main Interfaces:
// function InsertFP ($loginid, $txnkey, $amount, $sequence) - Insert HTML form elements required for SIM
// function CalculateFP ($loginid, $txnkey, $amount, $sequence, $tstamp) - Returns Fingerprint.

// compute HMAC-MD5
// Uses PHP mhash extension. Pl sure to enable the extension
function hmac ($key, $data)
return (bin2hex (mhash(MHASH_MD5, $data, $key)));

// Calculate and return fingerprint
// Use when you need control on the HTML output
function CalculateFP ($loginid, $txnkey, $amount, $sequence, $tstamp, $currency = "")
return (hmac ($txnkey, $loginid . "^" . $sequence . "^" . $tstamp . "^" . $amount . "^" . $currency));

// Inserts the hidden variables in the HTML FORM required for SIM
// Invokes hmac function to calculate fingerprint.

function InsertFP ($loginid, $txnkey, $amount, $sequence, $currency = "")

$tstamp = time ();

$fingerprint = hmac ($txnkey, $loginid . "^" . $sequence . "^" . $tstamp . "^" . $amount . "^" . $currency);

echo ('<input type="hidden" name="x_fp_sequence" value="' . $sequence . '">' );
echo ('<input type="hidden" name="x_fp_timestamp" value="' . $tstamp . '">' );
echo ('<input type="hidden" name="x_fp_hash" value="' . $fingerprint . '">' );
echo "\n<input type='hidden' name='x_login' value='$loginid'>\n";

return (0);

All Star
Posts: 725
Registered: ‎11-05-2018

Re: I am currently using PHP SIM do I need to update MD5 ?

I don’t think your current error is due to md5. That still works until sometime in June on the production environment. If you can’t pull up a form it is certainly not due to md5 as that has no EOL announced for the fingerprint. To answer your question in broader terms, you will need to update your response verification in the next few months, or your application will break. You either need to implement sha512 or disable verification. Md5 won’t be an option.