
validating post data origin

How can I validate, reasonably safely, that POST data sent by a form is
sent by my form and not by anyone else's?

Any help appreciated, micha
Jul 17 '05 #1


ch*********@web.de (chotiwallah) chattered and said:
> How can I validate, reasonably safely, that POST data sent by a form is
> sent by my form and not by anyone else's?
>
> Any help appreciated, micha


Generate an md5sum key in your form, like

$key = md5($_SERVER["REMOTE_ADDR"]."my secret key");
echo "<input type='hidden' name='key' value='$key'>\n";

Then, when you receive the form, check

$key = md5($_SERVER["REMOTE_ADDR"]."my secret key");
// compare the recomputed key as-is; hashing it a second time would never match
if (isset($_POST['key']) && $key === $_POST['key']) { // or $_GET['key'] ?
    // from your form
} else {
    // from elsewhere
}

--
Julien CROUZET aka c2c Promo 2007
Intelligence is the only tool that allows man to measure
the extent of his misfortune.
P. Desproges
Jul 17 '05 #2

Julien CROUZET aka c2c wrote:
> ch*********@web.de (chotiwallah) chattered and said:
>> How can I validate, reasonably safely, that POST data sent by a form is
>> sent by my form and not by anyone else's?
>>
>> Any help appreciated, micha
>
> Generate an md5sum key in your form, like
>
> $key = md5($_SERVER["REMOTE_ADDR"]."my secret key");
> echo "<input type='hidden' name='key' value='$key'>\n";


...would be subject to replay attacks. While a challenge-based mechanism
would be better, it would equate to single-use passwords, which can be
tricky to manage in a multi-user environment.

I use reversible encryption to pass the parameters:

class mm_encrypt
{
    var $mm_use_key="MySecretKey";
    var $td;
    var $iv;
    var $actual_key;

    function mm_encrypt()
    {
        $this->td=mcrypt_module_open('tripledes', '', 'ecb', '');
        $this->iv = mcrypt_create_iv(
            mcrypt_enc_get_iv_size($this->td), MCRYPT_DEV_RANDOM);
        $ks = mcrypt_enc_get_key_size ($this->td);
        $this->actual_key=substr(md5($this->mm_use_key), 0, $ks);
        mcrypt_generic_init($this->td, $this->actual_key,
            $this->iv);
    }

    function destroy()
    {
        mcrypt_generic_deinit($this->td);
        mcrypt_module_close($this->td);
    }

    function encrypt($data)
    {
        $encrypted=mcrypt_generic($this->td,$data);
        return (base64_encode($encrypted));
    }

    function decrypt($data)
    {
        $data=base64_decode($data);
        $decrypted=mdecrypt_generic($this->td, $data);
        // there seems to be a bug in the mcrypt lib - it returns
        // a longer string with the real data terminated by a \0
        // char & crud after; need to truncate the PHP string
        $len=strlen($decrypted)-1;
        for($x=0; $x<=$len; $x++) {
            if (ord(substr($decrypted, $x, 1))==0) {
                $decrypted=substr($decrypted, 0, $x);
                break;
            }
        }
        return($decrypted);
    }
}
Jul 17 '05 #3
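
The replay concern raised in reply #3, as an added example that is not part of the original thread: a hidden-field token that is HMAC-signed, time-limited, tied to the visitor's session and accepted only once. It goes beyond the code posted above; it assumes PHP 7.1+ with sessions, and `FORM_SECRET`, `TOKEN_TTL`, `issue_form_token` and `check_form_token` are hypothetical names.

```php
<?php
// Added example; FORM_SECRET, TOKEN_TTL and both function names are hypothetical.
const FORM_SECRET = 'placeholder-load-a-random-secret-from-server-config';
const TOKEN_TTL   = 900; // seconds a rendered form stays acceptable

// Call while rendering the form; put the result in a hidden field.
function issue_form_token(array &$session, string $form, ?int $now = null): string
{
    $now   = $now ?? time();
    $nonce = bin2hex(random_bytes(16));         // unpredictable, one per rendered form
    $session['form_nonces'][$nonce] = true;     // server-side record of what was issued
    $mac   = hash_hmac('sha256', "$form|$nonce|$now", FORM_SECRET);
    return "$nonce.$now.$mac";
}

// Call on POST; true only for an unexpired, unused token issued to this session.
function check_form_token(array &$session, string $form, string $token, ?int $now = null): bool
{
    $now   = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return false;                           // malformed
    }
    [$nonce, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', "$form|$nonce|$issued", FORM_SECRET);
    if (!hash_equals($expected, $mac)) {        // constant-time comparison
        return false;                           // forged, altered, or made for another form
    }
    if ($now - (int)$issued > TOKEN_TTL) {
        return false;                           // stale
    }
    if (!isset($session['form_nonces'][$nonce])) {
        return false;                           // not this session's token, or already used
    }
    unset($session['form_nonces'][$nonce]);     // single use: a replayed POST fails here
    return true;
}

// Constructed demo with a plain array standing in for $_SESSION.
$session = [];
$token   = issue_form_token($session, 'contact');
var_dump(check_form_token($session, 'contact', $token)); // first submission
var_dump(check_form_token($session, 'contact', $token)); // same token replayed
var_dump(check_form_token($session, 'signup', issue_form_token($session, 'contact'))); // other form
var_dump(check_form_token($session, 'contact', issue_form_token($session, 'contact', 0))); // issued at t=0
```

In a real handler, pass `$_SESSION` (after `session_start()`) as the first argument.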

Colin McKinnon <co**************@andthis.mms3.com> wrote in message news:<cb*******************@news.demon.co.uk>...
> Julien CROUZET aka c2c wrote:
>> ch*********@web.de (chotiwallah) chattered and said:
>>> How can I validate, reasonably safely, that POST data sent by a form is
>>> sent by my form and not by anyone else's?
>>>
>>> Any help appreciated, micha
>>
>> Generate an md5sum key in your form, like
>>
>> $key = md5($_SERVER["REMOTE_ADDR"]."my secret key");
>> echo "<input type='hidden' name='key' value='$key'>\n";
>
> ...would be subject to replay attacks. While a challenge-based mechanism
> would be better, it would equate to single-use passwords, which can be
> tricky to manage in a multi-user environment.
>
> I use reversible encryption to pass the parameters:
>
> class mm_encrypt
> {
>     var $mm_use_key="MySecretKey";
>     var $td;
>     var $iv;
>     var $actual_key;
>
>     function mm_encrypt()
>     {
>         $this->td=mcrypt_module_open('tripledes', '', 'ecb', '');
>         $this->iv = mcrypt_create_iv(
>             mcrypt_enc_get_iv_size($this->td), MCRYPT_DEV_RANDOM);
>         $ks = mcrypt_enc_get_key_size ($this->td);
>         $this->actual_key=substr(md5($this->mm_use_key), 0, $ks);
>         mcrypt_generic_init($this->td, $this->actual_key,
>             $this->iv);
>     }
>
>     function destroy()
>     {
>         mcrypt_generic_deinit($this->td);
>         mcrypt_module_close($this->td);
>     }
>
>     function encrypt($data)
>     {
>         $encrypted=mcrypt_generic($this->td,$data);
>         return (base64_encode($encrypted));
>     }
>
>     function decrypt($data)
>     {
>         $data=base64_decode($data);
>         $decrypted=mdecrypt_generic($this->td, $data);
>         // there seems to be a bug in the mcrypt lib - it returns
>         // a longer string with the real data terminated by a \0
>         // char & crud after; need to truncate the PHP string
>         $len=strlen($decrypted)-1;
>         for($x=0; $x<=$len; $x++) {
>             if (ord(substr($decrypted, $x, 1))==0) {
>                 $decrypted=substr($decrypted, 0, $x);
>                 break;
>             }
>         }
>         return($decrypted);
>     }
> }


mcrypt sounds like what I need. I haven't tried it out yet, but thanks anyway.

micha
Jul 17 '05 #4
