in reply to Ovid - Security with hidden data in HTML forms
in thread functions for passing variables through multiple CGI forms

Thanks for the tip, Ovid. I use a similar scheme sometimes myself. I learned about this from Writing Apache Modules, page 213. In the explanation, they say that you should run the MD5 algorithm twice: "Otherwise, a technically savvy user could take advantage of one of the mathematical properties of the algorithm to append his own data to the end of the fields". They give this example:
$MAC = MD5->hexhash($secret . MD5->hexhash(join '', $secret, @fields));
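
An added example, not part of the original post or the book: the nested construction quoted above used to sign hidden form fields and verify them when the form comes back, next to HMAC-SHA256, the standardized form of the same nested idea. The secret, the field values and the helper names (canonical, nested_md5_mac, hmac_mac, mac_equal, verify) are assumptions made for illustration; Digest::MD5 and Digest::SHA are core Perl modules.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: constructed demo secret; a real one stays server-side only.
my $secret = 'constructed-demo-secret';

# Length-prefix each value so ('ab','c') and ('a','bc') do not serialize
# to the same string, which a bare join '' would allow.
sub canonical { join '', map { length($_) . ':' . $_ } @_ }

# The nested construction quoted in the post, written with Digest::MD5.
sub nested_md5_mac {
    my @fields = @_;
    return md5_hex($secret . md5_hex($secret . canonical(@fields)));
}

# HMAC is the standardized nested keyed hash; shown here with SHA-256.
sub hmac_mac { hmac_sha256_hex(canonical(@_), $secret) }

# Compare without stopping at the first differing character.
sub mac_equal {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Server side: recompute the MAC over the returned fields and compare.
sub verify {
    my ($mac_fn, $mac, @fields) = @_;
    return mac_equal($mac_fn->(@fields), $mac);
}

# Constructed hidden-field values for a multi-page form.
my @fields = ('user=alice', 'step=2', 'price=19.99');
for my $fn (\&nested_md5_mac, \&hmac_mac) {
    my $mac = $fn->(@fields);   # emitted in the form next to the fields
    print "untampered: ", (verify($fn, $mac, @fields) ? "accept" : "reject"), "\n";
    print "edited:     ", (verify($fn, $mac, 'user=alice', 'step=2', 'price=0.01') ? "accept" : "reject"), "\n";
    print "appended:   ", (verify($fn, $mac, @fields, 'admin=1') ? "accept" : "reject"), "\n";
}
```

Only the untampered submission is accepted under either MAC; for new code, HMAC from Digest::SHA is the construction to reach for.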