md5()
This function is used quite frequently to transform a string into one that is not human readable. It’s often referred to as encryption, but something that’s been encrypted can be decrypted and returned to its original format. md5() is a one-way ticket: you get a 32-character string of hexadecimal values.
It is possible, though, to find the original value if you have what’s known as a “look up table” or “rainbow table” which is a list of md5 hashes and corresponding original strings. Obviously, such a table would never be complete, but the most common values can be stored there.
These look up tables are used by some to “decrypt” an md5’d password, for example. For these purposes, the table wouldn’t have to be complete due to the issue of “collisions”.
Because md5() always returns a 32 character string and accepts any string as input, some values of input will create the same output. That is, not every md5 hash will be unique. This is what’s known as a collision.
Collisions occur because we are mapping an infinite set (any string) to a finite set (a 32 character string). While there are over 340 sextillion (10^36) possible combinations (more precisely, 16^32), the possibility of a collision exists (md5 was “broken” in 2005).
$str1 = "Cross Eyed Mary";
$str2 = "Thick as a Brick";
$str3 = "Thick as 1 Brick";
$hash1 = md5($str1); // a5c1be55058c42bcaaed0a01761fb445
$hash2 = md5($str2); // 3fdb7886abc3cbaced1b5ac8f2bc3c45
$hash3 = md5($str3); // d684cce44bac34982d6252c7a54772be
As you can see, changing one character in the string (“a” to “1”) produces a completely different result.
With the second parameter set to true, the function will return the raw binary format with a length of 16. The default is false.
$str1 = "Cross Eyed Mary";
// Pass true as the second argument to get the 16 raw bytes instead of 32 hex characters.
$hash1 = md5($str1, true); // ¥Á¾UŒB¼ªí v´E
Note: Due to the existence of rainbow tables and the occurrence of collisions, a plain md5 hash is almost as good as plain text to a hacker with resources. Look into “salting” your hashes for more security.
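The following is an added example, not code from the original page, showing why a look up table works against a plain md5 hash and why a per-user salt defeats it. The password list, variable names and helper functions are constructed for illustration; the final step uses PHP's built-in password_hash(), which salts automatically and is a different, slower algorithm than md5.

```php
<?php
// Constructed sample data: a tiny precomputed look up table (md5 hash => original string).
$commonPasswords = ['123456', 'password', 'letmein', 'qwerty'];
$lookupTable = [];
foreach ($commonPasswords as $candidate) {
    $lookupTable[md5($candidate)] = $candidate;
}

// Hypothetical helper: return the original string if the hash is in the table.
function lookupHash(array $table, string $hash): ?string
{
    return $table[$hash] ?? null;
}

// Hypothetical helper: check a login attempt against a salted md5 record.
function verifySalted(string $attempt, string $salt, string $storedHash): bool
{
    // hash_equals() compares in constant time to avoid leaking timing information.
    return hash_equals($storedHash, md5($salt . $attempt));
}

$password = 'letmein';

// 1. Plain md5: every user with this password gets the same stored value,
//    so one precomputed table entry recovers it.
$plainHash = md5($password);
var_dump(lookupHash($lookupTable, $plainHash));

// 2. Salted md5: a random salt, stored next to the hash, changes the input,
//    so the precomputed table has no matching entry.
$salt = bin2hex(random_bytes(16));
$saltedHash = md5($salt . $password);
var_dump(lookupHash($lookupTable, $saltedHash));
var_dump(verifySalted($password, $salt, $saltedHash));

// 3. password_hash() generates the salt itself and embeds it in the output,
//    and is deliberately slow, which md5 is not.
$stored = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong guess', $stored));
```

A salt only stops precomputed tables; md5 is still fast to compute, which is why password_hash() is the better choice for stored passwords.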
