So let's say I have "site1.mysite.com", "site2.mysite.com", etc. I want people (developers) to access some of the data via PHP generated JSON, but I also don't want to have to set up user accounts, sign ins, blah blah blah.
I don't want it to be open for "everybody".
What I started doing was this:
Users need to add "&user=somethingigivethem" and "key=somethingelseigivethem". These are values I provide to the user.
The key is currently the MD5 hash of the "user" and something like "53CR37P$%%" so basically:
$key_validator = md5($_GET['user'].'53CR37P$%%'); // expected key = md5(user + server-side secret)
if ($_GET['key'] === $key_validator) {
    // show JSON
} else {
    // show error
}
Are there any major flaws in doing it this way?
So basically, if Joe Developer wants access, you give him a username and a key (which is an MD5 hash of his name + your salt). Joe can then make requests to your data.
If Joe wants to (i.e. takes the time), he can probably figure out your hashing scheme just by trying different combinations of his username and salt values. And once he does, he'll know your salt and can access any other user's data.
I guess the question is: how valuable is this data? If you don't really care if other people get access and you really just want to keep out people who aren't too motivated to get your data, then this will work.
You could always combine md5 and sha1 values with a randomized salt and also include your original salt value.
Example:
$key_validator = md5(sha1($_GET['user'].rand(0,1000)).'53CR37P$%%');
A little bit harder to crack, but you get the picture.
If I understood well, you generate both the user and the key for the user. So the user does not have to register or create his own combination.
A key based on the user name may be predicted quite easily, above all with MD5.
I would recommend 2 ways:
1. If you really do not want to use your own database, generate a password based on a better encryption system so people can't peek around the seed and encryption formula (after all, making an MD5 with the seed inside is a sort of "having the key inside the password itself", no good). Better encryption systems supported by PHP: mainly all :) (you may need to install the mcrypt extension, which supports tens of encryptions, including most current ones like DES, 3DES, CAST, 2FISH, etc.).
2. If you have no problem in using a database (or, why not, a local file holding the username/password pairs), just generate a random strong password and keep the pairs in your database, then just check against your stored values to give access; you still don't ask the user to "register".
Oh, and don't forget, MD5 is only one-way encryption, while real encryption with 3DES etc. is reversible, so you can also compare things against the real value.
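As an added example (not code from the question or from either answer), here is the question's md5(user . secret) check beside two hardened forms that follow the two answers: a stateless key derived with HMAC-SHA256, which still needs no storage but does not expose the secret the way a plain hash of user + secret does, and a random per-user key kept in a store, as the second answer suggests. The secret value, the user name "joe" and the in-memory $store array are placeholders; HMAC and hash_equals() are my substitutions, not something the page itself proposes.

```php
<?php
// Added example; the secret, user name and $store array are placeholders.
const SERVER_SECRET = 'replace-with-a-long-random-secret';

// The question's scheme: md5(user . secret). A developer holding one valid
// key can try to recover the secret offline and then mint keys for any user.
function weak_key(string $user): string {
    return md5($user . SERVER_SECRET);
}

// Hardened stateless form: HMAC-SHA256 keyed with the secret. The key still
// derives from the user name alone (no storage), but a key reveals nothing
// usable about the secret, and verification uses a constant-time compare.
function issue_key(string $user): string {
    return hash_hmac('sha256', $user, SERVER_SECRET);
}

function check_request(array $params): bool {
    if (!isset($params['user'], $params['key'])) {
        return false;
    }
    $expected = issue_key((string) $params['user']);
    return hash_equals($expected, (string) $params['key']); // not ===
}

// Stored form, as in the second answer: a random key per user. Only a hash
// of the key is kept, so a leaked table does not hand out working keys.
function issue_random_key(array &$store, string $user): string {
    $key = bin2hex(random_bytes(32));
    $store[$user] = hash('sha256', $key);
    return $key;
}

function check_stored_key(array $store, string $user, string $key): bool {
    if (!isset($store[$user])) {
        return false;
    }
    return hash_equals($store[$user], hash('sha256', $key));
}

// Usage: issue a key for "joe" both ways, then validate as the endpoint would.
$store = [];
$joeKey = issue_random_key($store, 'joe');
var_dump(check_request(['user' => 'joe', 'key' => issue_key('joe')]));
var_dump(check_stored_key($store, 'joe', $joeKey));
var_dump(check_stored_key($store, 'joe', weak_key('joe')));
```

Keep SERVER_SECRET outside the web root (an environment variable or a config file the web server cannot serve), since both the weak and the HMAC scheme fall the moment it leaks.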