chotiwallah@web.de (chotiwallah) rambled on and said:

> how can I validate reasonably safely that POST data sent by a form is
> sent by my form and not by anyone else's?
>
> any help appreciated, micha
Julien CROUZET aka c2c wrote:

> chotiwallah@web.de (chotiwallah) rambled on and said:
>
>> how can I validate reasonably safely that POST data sent by a form is
>> sent by my form and not by anyone else's?
>>
>> any help appreciated, micha
>
> Generate a md5sum key in your form, like
>
> $key = md5($_SERVER["REMOTE_ADDR"]."my secret key");
> echo "<input type='hidden' name='key' value='$key'>\n";
>
...would be subject to replay attacks. While a challenge-based mechanism
would be better, it would equate to single-use passwords, which can be
tricky to manage in a multi-user environment.

I use reversible encryption to pass the parameters:

class mm_encrypt
{
    var $mm_use_key="My SecretKey";
    var $td;
    var $iv;
    var $actual_key;

    // constructor: open a 3DES handle in ECB mode and derive the key from the passphrase
    function mm_encrypt()
    {
        $this->td=mcrypt_module_open('tripledes', '', 'ecb', '');
        // an IV is created for completeness; ECB mode does not use it
        $this->iv = mcrypt_create_iv
            (mcrypt_enc_get_iv_size($this->td), MCRYPT_DEV_RANDOM);
        $ks = mcrypt_enc_get_key_size($this->td);
        $this->actual_key=substr(md5($this->mm_use_key), 0, $ks);
        mcrypt_generic_init($this->td, $this->actual_key,
            $this->iv);
    }

    function destroy()
    {
        mcrypt_generic_deinit($this->td);
        mcrypt_module_close($this->td);
    }

    // encrypt and base64-encode so the result is safe in a hidden field
    function encrypt($data)
    {
        $encrypted=mcrypt_generic($this->td,$data);
        return (base64_encode($encrypted));
    }

    function decrypt($data)
    {
        $data=base64_decode($data);
        $decrypted=mdecrypt_generic($this->td, $data);
        // there seems to be a bug in the mcrypt lib - it returns
        // a longer string with the real data terminated by a \0
        // char & crud after; need to truncate the PHP string
        $len=strlen($decrypted)-1;
        for($x=0; $x<=$len; $x++) {
            if (ord(substr($decrypted, $x, 1))==0) {
                $decrypted=substr($decrypted, 0, $x);
                break;
            }
        }
        return($decrypted);
    }
}
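An added example, not part of Colin's post or anything else in this thread: rather than a fixed md5(ip.secret) value (identical on every request, hence replayable) or unauthenticated 3DES/ECB (the client cannot read the values, but nothing detects a swapped or altered ciphertext), the hidden fields are signed with an HMAC that is bound to the user's session and to an expiry time. A token copied from one session fails in another, lapses after its TTL, and any change to the protected fields breaks the MAC. The secret, TTL, session handling and field names are assumptions for illustration; it needs PHP 7.1 or later. (Incidentally, the trailing \0 bytes that the decrypt() loop above strips are mcrypt zero-padding the plaintext to the 8-byte block size, not a library bug.)

```php
<?php
// Added example (not from the original thread): HMAC-signed, session-bound,
// expiring form token. Secret, TTL and field names are assumptions.

const FORM_SECRET = 'replace-with-a-long-random-server-side-secret';   // assumption
const TOKEN_TTL   = 900;   // seconds a form token stays valid (assumption)

// Build the hidden token for a form. $fields are the values the form carries
// (e.g. an item id) that the client must not be able to alter.
function issue_form_token(array $fields, string $session_id, ?int $now = null): string
{
    $now = $now ?? time();
    $payload = json_encode([
        'f'   => $fields,
        'sid' => $session_id,                // binds the token to this session
        'exp' => $now + TOKEN_TTL,           // limits how long a copy is usable
        'n'   => bin2hex(random_bytes(8)),   // nonce: every issued form differs
    ]);
    $mac = hash_hmac('sha256', $payload, FORM_SECRET);
    return base64_encode($payload) . '.' . $mac;   // base64 and hex contain no '.'
}

// Verify a submitted token. Returns the protected fields on success, or null
// if the token is forged, altered, expired or belongs to another session.
function verify_form_token(string $token, string $session_id, ?int $now = null): ?array
{
    $now = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, FORM_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['sid'], $data['exp'], $data['f'])) {
        return null;
    }
    if ($data['sid'] !== $session_id || $data['exp'] < $now) {
        return null;
    }
    return $data['f'];
}

// Usage with constructed values: emit the field when rendering the form ...
$sid   = session_id() ?: 'demo-session';
$token = issue_form_token(['item' => 42], $sid);
echo "<input type='hidden' name='key' value='" . htmlspecialchars($token, ENT_QUOTES) . "'>\n";

// ... and check it when the POST arrives.
var_dump(verify_form_token($_POST['key'] ?? $token, $sid));   // array('item' => 42) for a genuine form
var_dump(verify_form_token($token, 'other-session'));          // NULL: token from a different session
var_dump(verify_form_token($token, $sid, time() + TOKEN_TTL + 1));   // NULL: expired
```

The expiry and session binding shrink the replay window to one user for a few minutes; if a form must be strictly single-use, record the nonce server-side when it is consumed, which is exactly the single-use bookkeeping Colin mentions. Signing leaves the field values readable by the client but unalterable; if they also have to be hidden, use authenticated encryption (sodium_crypto_secretbox in PHP 7.2 and later) rather than a bare block cipher in ECB mode.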
Colin McKinnon <colin.deletethis@andthis.mms3.com> wrote in message news:<cbc53m$865$1$830fa79d@news.demon.co.uk>...

> Julien CROUZET aka c2c wrote:
>
> > chotiwallah@web.de (chotiwallah) rambled on and said:
> >
> >> how can I validate reasonably safely that POST data sent by a form is
> >> sent by my form and not by anyone else's?
> >>
> >> any help appreciated, micha
> >
> > Generate a md5sum key in your form, like
> >
> > $key = md5($_SERVER["REMOTE_ADDR"]."my secret key");
> > echo "<input type='hidden' name='key' value='$key'>\n";
> >
>
> ...would be subject to replay attacks. While a challenge based mechanism
> would be better, it would equate to single-use passwords which can be
> tricky to manage in a multi-user environment.
>
> I use reversible encryption to pass the parameters:
>
> class mm_encrypt
> {
>     var $mm_use_key="My SecretKey";
>     var $td;
>     var $iv;
>     var $actual_key;
>
>     function mm_encrypt()
>     {
>         $this->td=mcrypt_module_open('tripledes', '', 'ecb', '');
>         $this->iv = mcrypt_create_iv
>             (mcrypt_enc_get_iv_size($this->td), MCRYPT_DEV_RANDOM);
>         $ks = mcrypt_enc_get_key_size($this->td);
>         $this->actual_key=substr(md5($this->mm_use_key), 0, $ks);
>         mcrypt_generic_init($this->td, $this->actual_key,
>             $this->iv);
>     }
>
>     function destroy()
>     {
>         mcrypt_generic_deinit($this->td);
>         mcrypt_module_close($this->td);
>     }
>
>     function encrypt($data)
>     {
>         $encrypted=mcrypt_generic($this->td,$data);
>         return (base64_encode($encrypted));
>     }
>
>     function decrypt($data)
>     {
>         $data=base64_decode($data);
>         $decrypted=mdecrypt_generic($this->td, $data);
>         // there seems to be a bug in the mcrypt lib - it returns
>         // a longer string with the real data terminated by a \0
>         // char & crud after; need to truncate the PHP string
>         $len=strlen($decrypted)-1;
>         for($x=0; $x<=$len; $x++) {
>             if (ord(substr($decrypted, $x, 1))==0) {
>                 $decrypted=substr($decrypted, 0, $x);
>                 break;
>             }
>         }
>         return($decrypted);
>     }
> }
mcrypt sounds like what I need. I haven't tried it out yet, but thanks anyway.