Tuesday, January 8, 2013

MD5 Hash

Often, I find it helpful to create MD5 hashes from data in my PowerSchool database.

There is a built-in JavaScript file (/admin/javascript/md5.js) that has functions to create MD5 hashes...but using those functions just doesn't sit well with me.

Usually, you are creating an MD5 hash for some sort of security/quasi-encryption. Typically in those scenarios you are creating a hash from a number of values concatenated together.

{{Username}}+{{Timestamp}}+{{SecretKey}}

The whole point is that the secret key is secret -- known only by you and the web service you are passing the credentials off to. If you use JavaScript to create the MD5 hash, the secret has to be known to the user's web browser...it has to be embedded in the web page's source code and thus is easily discoverable.



A better solution

You don't want to have your secret key floating out there in your source code. You just don't.

So in these situations, I have my PowerSchool Oracle database create the md5 hash for me using ~[tlist_sql]. Your Oracle database has a built-in function that creates md5 hashes.


You'll notice that the "plaintext_secrete_key" is still hardcoded into your HTML code. However, thanks to PowerSchool's parsing, your ~[tlist_sql] query code is not readily available to your end user, so it's a bit more secure than simply hardcoding the secret key into your JavaScript code. Of course, an even better solution would be to store the secret key in your database itself and MD5 the value in your query instead of a hardcoded string.
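
The {{Username}}+{{Timestamp}}+{{SecretKey}} scheme seen from both ends, as an added example that is not code from the original post: the hash is built where the secret lives, and the receiving web service recomputes it. The function names, the sample secret, the five-minute freshness window and the constant-time comparison are assumptions added for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample values (assumptions, not taken from the post).
SECRET_KEY = "example-shared-secret"  # held only by the server side and the web service
MAX_AGE_SECONDS = 300                 # assumed window in which a timestamp is accepted


def make_token(username, timestamp, secret=SECRET_KEY):
    """Return hex MD5 of Username + Timestamp + SecretKey, computed server-side."""
    data = f"{username}{timestamp}{secret}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def verify_token(username, timestamp, token, now=None, secret=SECRET_KEY):
    """Web-service side: recompute the hash from the shared secret and compare."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False  # a malformed timestamp is rejected, not guessed at
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False  # stale or future-dated request
    expected = make_token(username, ts, secret).encode("ascii")
    supplied = str(token).strip().lower().encode("utf-8")
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    issued_at = 1357660800  # constructed sample timestamp
    token = make_token("jdoe", issued_at)
    print("token sent to the service:", token)
    print("fresh, untampered:", verify_token("jdoe", issued_at, token, now=issued_at + 30))
    print("username changed: ", verify_token("admin", issued_at, token, now=issued_at + 30))
    print("replayed later:   ", verify_token("jdoe", issued_at, token, now=issued_at + 3600))
```

Only the username, timestamp and resulting hash ever reach the browser; a client that does not hold the secret cannot produce a hash that verifies for a different username or timestamp.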
