in reply to web cgi forms data security...

use strict;
use warnings;
require Digest::MD5;

my $user = "foo";
my $pass = "bar";
my $key  = "something";

# Hex MD5 digest of "key:user:pass"
my $md5 = Digest::MD5->new();
$md5->add(join(":", $key, $user, $pass));
print $md5->hexdigest;

Re: Re: web cgi forms data security...
by extremely (Priest) on Dec 30, 2003 at 21:23 UTC
    I'm going to be interested in how you propose to retrieve the data from that digest... since it returns a 16 byte one-way hash of the data. :)

    Now, to give you credit, you could at least verify that the people hadn't switched up the data from form to form with this. That isn't an unimportant task and worthy of implementing even if the user decides to go with SSL only and just let HTTP and the browser resend the arguments over and over.

    --
    $you = new YOU;
    honk() if $you->love(perl)

      That's actually easy to do. Each time the page loads, you just create a massive distributed computing project to try all possible usernames and passwords.

      Might be a little slow, though.

Re: Re: web cgi forms data security...
by noname00 (Novice) on Dec 30, 2003 at 21:23 UTC
    pg,
    After MD5 encryption, can I get back my original data?
    With which function?

    Thanks

      No. The way a hash digest works is to allow you to REHASH the 2 params and the key (in the same order), and see if the hash is the same. It will be if the params have not been tampered with. You sound like you want real encryption. Here are a few handy functions:

      my $key = "this key must be kept secret!";

      # Keyed MD5 digest of the text (key appended)
      sub generate_MD5_hash {
          my ( $plain_text ) = @_;
          $plain_text = '' unless defined $plain_text;
          require Digest::MD5;
          return Digest::MD5->new->add( $plain_text . $key )->hexdigest;
      }

      # Returns 1 if $hash matches the digest of $plain_text, else 0
      sub validate_MD5_hash {
          my ( $hash, $plain_text ) = @_;
          return 0 unless $hash;
          return 0 unless defined $plain_text;
          return $hash eq generate_MD5_hash($plain_text) ? 1 : 0;
      }

      # Hex ciphertext in, plain text out
      sub decrypt {
          return '' unless $_[0] and $_[0] =~ m!^[A-Fa-f0-9]+$!;
          require Crypt::Blowfish;
          require Crypt::CBC;
          my $cipher = new Crypt::CBC( $key, 'Blowfish' );
          return $cipher->decrypt_hex($_[0]);
      }

      # Plain text in, hex ciphertext out
      sub encrypt {
          return '' unless defined $_[0];
          require Crypt::Blowfish;
          require Crypt::CBC;
          my $cipher = new Crypt::CBC( $key, 'Blowfish' );
          return $cipher->encrypt_hex($_[0]);
      }

      cheers

      tachyon
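
The tamper check that extremely and tachyon describe, as an added example that is not from any post in this thread: it swaps the MD5-plus-key digest for HMAC-SHA256 from Digest::SHA and length-prefixes each field, because a plain join(":") feeds ("a:b", "c") and ("a", "b:c") to the digest as the same string. The helper names (canonical, sign_fields, verify_fields) and the sample values are assumptions of this example.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: placeholder secret; a real key is long, random and never leaves the server.
my $key = "this key must be kept secret!";

# Length-prefix every field so ("a:b", "c") and ("a", "b:c") serialize
# differently, which join(":") cannot guarantee.
sub canonical {
    return join '', map { length($_) . ':' . $_ } @_;
}

# Tag to send along with the form values (e.g. in a hidden field).
sub sign_fields {
    my @fields = @_;
    return hmac_sha256_hex( canonical(@fields), $key );
}

# Recompute the tag from the submitted values and compare all characters,
# without stopping at the first mismatch.
sub verify_fields {
    my ( $tag, @fields ) = @_;
    return 0 unless defined $tag;
    my $expected = sign_fields(@fields);
    return 0 unless length($tag) == length($expected);
    my $diff = 0;
    $diff |= ord( substr( $tag, $_, 1 ) ) ^ ord( substr( $expected, $_, 1 ) )
        for 0 .. length($expected) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample values, matching the first snippet in the thread.
my $tag = sign_fields( "foo", "bar" );

print "unchanged values verify: ", verify_fields( $tag, "foo", "bar" ), "\n";
print "altered value verifies:  ", verify_fields( $tag, "foo", "baz" ), "\n";

# The delimiter ambiguity, shown with the thread's join(":") and with canonical().
print "join(':') inputs equal:  ",
    ( join( ":", "a:b", "c" ) eq join( ":", "a", "b:c" ) ? 1 : 0 ), "\n";
print "canonical inputs equal:  ",
    ( canonical( "a:b", "c" ) eq canonical( "a", "b:c" ) ? 1 : 0 ), "\n";
```

The tag only proves the values were not changed between pages; it hides nothing, so anything that must stay confidential still needs encryption or SSL as discussed above.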