Commonly, passwords are encoded with MD5 on web sites. I’m considering encoding user names as file names in MD5 too. I’d use PHP on a Linux-based server. Are there any drawbacks to encrypting a file name with PHP to MD5 besides being indistinguishable without decryption?
<?php
if (isset($_POST['register'])) {
    // The file name is the MD5 hex digest of the submitted username
    $username = md5($_POST['username']);
    $email = htmlentities($_POST['email'], ENT_QUOTES|ENT_XML1);
    $password = $_POST['password'];
    $c_password = $_POST['c_password']; // confirmation value, not compared in this snippet

    // Build the user record and write it to users/<md5 of username>.xml
    $xml = new SimpleXMLElement('<user></user>');
    $xml->addChild('password', md5($password));
    $xml->addChild('email', $email);
    $xml->asXML('users/' . $username . '.xml');

    header('Location: validate.php');
    die;
}
?>
Any Linux filesystem you’re using can accept any character in a filename except for the directory separator. So why don’t you either replace any / characters with something else or, better yet, reject any attempt to register with a username that contains a / (and probably any other nonprintable character)? “Oh, but what about collisions”? If you’re using a hashing algorithm, you’re not eliminating the possibility of collisions, you’re just reducing it while adding useless computational complexity. To generate a unique identifier, either use an incrementing value (like Unix does with “User IDs”) or just generate a uuid: http://php.net/manual/en/function.uniqid.php – and store that mapping in a database.
Maintaining a mapping of usernames to IDs is what everyone else does for a reason. 🙂
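The approach the answer describes (reject unsafe usernames, generate an identifier, keep the username-to-ID mapping in a database), as an added example that is not part of the original post. The function names, the SQLite table and the use of `random_bytes()` for the identifier (instead of `uniqid()` or an incrementing value) are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: conservative allowlist, so "/", NUL bytes, control
// characters and leading dots are rejected before anything touches the disk.
function validUsername(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{2,31}\z/', $name) === 1;
}

// Hypothetical helper: store the username -> ID mapping, then write the
// record under the ID. The username itself never becomes part of a path.
function registerUser(PDO $db, string $dir, string $username, string $email): string
{
    if (!validUsername($username)) {
        throw new InvalidArgumentException('invalid username');
    }
    $id = bin2hex(random_bytes(16)); // 128-bit random ID: hex only, safe as a file name
    // The UNIQUE constraint rejects an already-registered username atomically.
    $db->prepare('INSERT INTO users (id, username) VALUES (?, ?)')->execute([$id, $username]);

    $xml = new SimpleXMLElement('<user></user>');
    $xml->email = $email; // property assignment escapes markup characters
    $path = $dir . '/' . $id . '.xml';
    $xml->asXML($path);
    return $path;
}

// Constructed demo: in-memory SQLite mapping table and a private temp directory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id TEXT PRIMARY KEY, username TEXT UNIQUE NOT NULL)');
$dir = sys_get_temp_dir() . '/users_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

echo registerUser($db, $dir, 'alice', 'alice@example.com'), "\n";
foreach (['../etc/passwd', "bob\0", 'alice'] as $bad) { // constructed inputs
    try {
        registerUser($db, $dir, $bad, 'x@example.com');
    } catch (InvalidArgumentException | PDOException $e) {
        echo 'rejected: ', json_encode($bad), "\n";
    }
}
```

The first two constructed inputs fail the allowlist; the repeated `alice` passes validation but is refused by the UNIQUE constraint, which is the collision handling a hash of the username does not give you.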