You have to modify the code that contains links to show_user.php to append the ckc,
and you have to modify show_user.php as well to check for the existence of the GET variable ckc and to verify that it is correct.
e.g. in list_all_users.php
use Digest::SHA1;   # provides sha1_hex()
# hash the user id together with a server-side secret; the secret itself never goes to the client
my $ckc = Digest::SHA1::sha1_hex($userid . "MyNastyLittleSecret");
$url .= "&ckc=$ckc";
and in show_user.php
use Digest::SHA1;
# reject the request unless ckc is present and matches the hash recomputed from the userid actually received
if (!$ckc or $ckc ne Digest::SHA1::sha1_hex($userid . "MyNastyLittleSecret")) {
    print "Cheater!";
    die;
}
Of course I don't know how you calculate the SHA1 hex in PHP; the above example is Perl pseudo-code. And make sure your code is not visible: if end users discover that your SHA1 "salt" is "MyNastyLittleSecret", they can manufacture URLs as before.
On 4/17/06, Orlando Andico <[EMAIL PROTECTED]> wrote:
instead of doing .../show_user.php?userid=12345
do the following:
.../show_user.php?userid=12345&ckc=ff4356fd
the "ckc" parameter is the SHA1 hex hash of the userid, concatenated to a secret key. this way, changing the userid will require recalculating the ckc. since your average end user doesn't know what SHA1 is, much less what the secret key is, their attempt will fail.
_________________________________________________ Philippine Linux Users' Group (PLUG) Mailing List [email protected] (#PLUG @ irc.free.net.ph) Read the Guidelines: http://linux.org.ph/lists Searchable Archives: http://archives.free.net.ph
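Below is an added worked example of the link-signing scheme discussed in this thread. It is my own code, not Orlando's or anything from the PLUG list, and it is written in Python rather than PHP or Perl so it can be run as-is. The secret, the host name and the user id are constructed placeholders. It implements the posted scheme (SHA1 of userid followed by the secret) as make_ckc_concat, and alongside it the same design using HMAC-SHA1, which is the standard keyed-hash construction for exactly this job; the verifier uses a constant-time comparison.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder secret. In a real deployment keep it in a config file
# outside the web root so that page source or directory listings cannot expose it.
SECRET = b"MyNastyLittleSecret"


def make_ckc_concat(userid, secret=SECRET):
    """The scheme as posted in the thread: SHA1 hex of userid . secret."""
    return hashlib.sha1(str(userid).encode() + secret).hexdigest()


def make_ckc_hmac(userid, secret=SECRET):
    """Same idea using HMAC-SHA1, the standard keyed-hash construction."""
    return hmac.new(secret, str(userid).encode(), hashlib.sha1).hexdigest()


def build_url(base, userid, signer=make_ckc_hmac):
    """What list_all_users.php does: emit the link with its ckc attached."""
    return base + "?" + urlencode({"userid": userid, "ckc": signer(userid)})


def verify_request(query, signer=make_ckc_hmac):
    """What show_user.php does: recompute ckc from the userid that actually
    arrived and compare. Returns the userid on success, None on failure."""
    params = parse_qs(query)          # drops empty values, so "ckc=" is treated as missing
    userid = params.get("userid", [None])[0]
    ckc = params.get("ckc", [None])[0]
    if userid is None or ckc is None:
        return None
    expected = signer(userid)
    # compare_digest does not short-circuit on the first differing character,
    # so the comparison time does not reveal how much of the guess was right.
    if not hmac.compare_digest(ckc.encode(), expected.encode()):
        return None
    return userid


def verify_url(url, signer=make_ckc_hmac):
    """Convenience wrapper: verify a complete URL instead of a bare query string."""
    return verify_request(urlparse(url).query, signer)


if __name__ == "__main__":
    url = build_url("https://example.invalid/show_user.php", 12345)
    print(url)
    print("valid link   ->", verify_url(url))
    tampered = url.replace("userid=12345", "userid=12346")
    print("edited userid ->", verify_url(tampered))
    print("no ckc at all ->", verify_request("userid=12345"))
```

Either signer works with the same build/verify pair; the HMAC one is the construction to pick for new code. Note what the check does and does not buy you: it tells show_user.php that the userid in the link was produced by your own site and not edited in the address bar. It does not by itself say whether the person who clicked the link is allowed to see that record, so the page should still apply its normal access check once the ckc passes.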

