Passing secure data with $_SESSION

bugboy
Hi everybody,

I need to pass a secure key around in a session variable and I'm having trouble finding a manual that gives me a clear idea as to what is happening with, and how to use, sha1().

When the user logs in their static key is retrieved from the db and then this key is passed around in the session and is used in every query that the user makes on the db. Like so.

```sql
-- Column names must be backticked (or unquoted), not single-quoted: 'name' and 'key'
-- in single quotes are string literals, so the original comparison never matched a row.
-- `key` is a reserved word in MySQL, so it needs the backticks either way.
SELECT * FROM `table` WHERE `name` = 'joe' AND `key` = sha1(numerickey);
```

I guess I just don't understand how sha1() works. Can anyone help explain it to me? Or give me a better idea as to how to filter db results with a secure 'key' that blocks results not belonging to the user.

Thanks in advance!
Dec 11 '07 #1
brettl
You may not want to use SHA hash for this. I guess it all depends on how sensitive the data you are trying to protect is.

Note

Exploits for the MD5 and SHA-1 algorithms have become known. You may wish to consider using one of the other encryption functions described in this section instead.
You can find more information on SHA1 and other methods of encryption here:
MySQL encryption methods
and
PHP SHA1
and
PHP Hash

Hope this helps.
Dec 11 '07 #2
clai83
SHA1 is a hashing algorithm. There are known vulnerabilities now for this algorithm, but I believe that it takes a lot of processing power. Though vulnerabilities are known, these I believe are related to finding collisions and not actual decryption. People are being recommended to go with the SHA2 variants now. You can read about SHA algorithms on Wikipedia. There is some pseudo-code for you to look at. If you are looking to decrypt a key then SHA1 is not for you. It is not a reversible hashing method.

If you want to see if a key that a user has is the same as a SHA1 version of that key in the database then simply SHA1($key) and use that to compare to the database.

Why this works: SHA generates a unique key for a unique entry, with certain limits of course. There are collisions but they are rare.

hope that helps
Dec 12 '07 #3
bugboy
Thanks guys, good to know. I'm going to explain what I need a little better. Perhaps there is a completely different way I need to approach this:

I'm trying to create something like Flickr's private, public or group photos where you can have data and assign permissions to it. Where either only you can see it, or everyone can see it or only a specific group of people can see it.

What i need:
• I have a table that holds personal data for many people.
• Each person can only see the rows assigned to them.
• Some rows are assigned to more than one person.
• There are many millions of rows.

The way i'm proposing:
Really I should be creating a foreign key table to define the relationships between users and the data, but the relations table would be huge because millions of rows in the main table may be assigned to hundreds of people.

What I'm thinking of doing is simply putting a key value in each row which can be used to filter the results, returning only those rows assigned to the key holder.

Each user has several keys associated with their profile, one for each group of people they share data with.

Users don't even know the keys exist.

When a user logs in, a session is created and their keys are retrieved from the db and held as a session variable to be inserted into any query on the db.

The keys held in the session are then used in the query to filter out only those rows that are assigned to any of the keys the user holds.

The problem:
I'm worried that someone will be able to figure out what someone else's key is from the session data and access someone else's rows.

Or maybe I'm being dumb and there is a simpler or more efficient way to do it?
Dec 12 '07 #4
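An added example, not code from anyone in this thread, showing the two pieces discussed above together: the key comparison from post #3 and the session-held group keys from post #4. It keeps the keys in `$_SESSION` on the server (the browser only ever holds the session id cookie, so the keys themselves are never sent to a client) and binds them into a prepared statement so they can't be guessed from or injected into the query. The tables `users`, `user_keys` and `personal_data` and their columns are assumed for illustration.

```php
<?php
// Added example (not from the thread). Assumed schema:
//   users(id, name, password_hash)   user_keys(user_id, access_key)
//   personal_data(id, owner_key, payload)
declare(strict_types=1);
session_start();

function login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a salted hash; a bare sha1() is not suitable here.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // new session id after login, old one discarded

    $keys = $db->prepare('SELECT access_key FROM user_keys WHERE user_id = ?');
    $keys->execute([$user['id']]);
    // Keys live only server-side in the session store; the client sees the session id cookie.
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['keys']    = $keys->fetchAll(PDO::FETCH_COLUMN);
    return true;
}

function rowsForCurrentUser(PDO $db): array
{
    $keys = $_SESSION['keys'] ?? [];
    if ($keys === []) {
        return [];                 // no keys held, no rows returned
    }
    // One bound placeholder per key: values are never interpolated into the SQL text.
    // If the table stores hash('sha256', key) instead of the raw key, hash each
    // session key the same way before binding it.
    $placeholders = implode(',', array_fill(0, count($keys), '?'));
    $stmt = $db->prepare(
        "SELECT id, payload FROM personal_data WHERE owner_key IN ($placeholders)"
    );
    $stmt->execute(array_values($keys));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A group key should be random, not derived from anything a user could guess.
function newAccessKey(): string
{
    return bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
}
```

Because the key list is built from the server-side session and never from request parameters, a user can only ever filter by keys that were loaded for their own account at login.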
