Hi, I am passing an ID and username through GET, however it could easily be changed. I want to say md5() it, but then I couldn't dehash it. Right now I am just adding a high number to the ID and then subtracting it on the other end. But is there a better way?
HASHERS by definition can't be "unhashed" otherwise they wouldn't be hashers. But why do you have to use GET anyway? For anything login related I'd use either POST or session ids. On another note: Even if you md5() the passwords you can just md5() the stored passwords as well. Then you compare the hashed versions which is a lot better.
Hmmm... I'm a little curious: you don't want to pass the value itself through GET because it's unsafe, but are happy to pass a symmetric encryption by the same process? If it's symmetric, you don't really offer any more security... you just add another hurdle. So yeah, it's no more safer, really. Do as Icheb suggested: use sessions and get it over and done with.