Re: [PHP] Server-side encryption to prevent form hacking: new idea?
At 1:53 PM -0600 12/11/09, Kelly Jones wrote: -snip- Is this a new idea, or have people done this before? Not a new idea, nor one that is useful -- no offense meant. I can prevent form hacking by simply checking and scrubbing incoming data without resorting to encryption. Security techniques are very basic and it's probably best if you read a book on the subject. I recommend Essential PHP Security by Chris Shiflett. You can pick it up at Amazon for less than $20. It's a good read with lot's of useful information. The $20 bucks you spend on that will save you more in time than trying to reinvent the security wheel. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Server-side encryption to prevent form hacking: new idea?
Suppose you have the following array:
*
*
which is used to generate the following "Select":
*
Tehran
Isfahan
Tabriz
*
You can check whether the submitted value is valid or not, using the
following code:
*if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (!in_array($_POST['city'], $cities) die('Invalid');
}
*
Hope this helps.
On Sat, Dec 12, 2009 at 12:18 AM, Andrew Ballard wrote:
> On Fri, Dec 11, 2009 at 3:34 PM, Michael Shadle wrote:
> > On Fri, Dec 11, 2009 at 12:29 PM, Mattias Thorslund
> > wrote:
> >> Kelly Jones wrote:
> >>>
> >>> If you have an HTML form select field xyz with possible values
> >>> "apple", "banana", and "cucumber", anyone can easily set xyz to an
> >>> arbitrary value.
> >>>
> >>> To prevent this, I create a hidden field code[xyz] with value:
> >>> base64_encode(mcrypt_ecb(
> >>> MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRYPT_ENCRYPT));
> >>>
> >>> where $salt is stored in a file outside my webroot.
> >>>
> >>> The script receiving the POST data uses:
> >>>
> >>> mcrypt_ecb(MCRYPT_RIJNDAEL_256,$salt,
> >>> base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT);
> >>>
> >>> and confirms xyz is really one of "apple", "banana", or "cucumber".
>
> [snip]
>
> >>
> >> If the server-side script knows which values are expected, then there is
> no
> >> need to send that to the client (browser) and back. If this is not
> simply
> >> hard-coded in your script, you can keep it in a different file, in a
> >> database, or in the session, depending on your particular situation. For
> >> most of the fields, the number of acceptable values aren't limited to a
> >> small set, so it's more practical to check for expected length, data
> type,
> >> and escape the data before saving it.
> >>
> >> Cheers,
> >>
> >> Mattias
> > you don't necessarily need encryption, you could use digests instead
> > and issue a use-once ticket as well.
> >
>
> Why is any of this necessary? Most of the time I build select lists
> from arrays, so it is easy to test the value submitted by the client
> to make sure it exists in the array without any encryption or hashing.
> Am I missing something?
>
> Andrew
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
Kind regards,
-behzad
Re: [PHP] Server-side encryption to prevent form hacking: new idea?
On Fri, Dec 11, 2009 at 3:34 PM, Michael Shadle wrote: > On Fri, Dec 11, 2009 at 12:29 PM, Mattias Thorslund > wrote: >> Kelly Jones wrote: >>> >>> If you have an HTML form select field xyz with possible values >>> "apple", "banana", and "cucumber", anyone can easily set xyz to an >>> arbitrary value. >>> >>> To prevent this, I create a hidden field code[xyz] with value: >>> base64_encode(mcrypt_ecb( >>> MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRYPT_ENCRYPT)); >>> >>> where $salt is stored in a file outside my webroot. >>> >>> The script receiving the POST data uses: >>> >>> mcrypt_ecb(MCRYPT_RIJNDAEL_256,$salt, >>> base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT); >>> >>> and confirms xyz is really one of "apple", "banana", or "cucumber". [snip] >> >> If the server-side script knows which values are expected, then there is no >> need to send that to the client (browser) and back. If this is not simply >> hard-coded in your script, you can keep it in a different file, in a >> database, or in the session, depending on your particular situation. For >> most of the fields, the number of acceptable values aren't limited to a >> small set, so it's more practical to check for expected length, data type, >> and escape the data before saving it. >> >> Cheers, >> >> Mattias > you don't necessarily need encryption, you could use digests instead > and issue a use-once ticket as well. > Why is any of this necessary? Most of the time I build select lists from arrays, so it is easy to test the value submitted by the client to make sure it exists in the array without any encryption or hashing. Am I missing something? Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Server-side encryption to prevent form hacking: new idea?
you don't necessarily need encryption, you could use digests instead and issue a use-once ticket as well. On Fri, Dec 11, 2009 at 12:29 PM, Mattias Thorslund wrote: > Kelly Jones wrote: >> >> If you have an HTML form select field xyz with possible values >> "apple", "banana", and "cucumber", anyone can easily set xyz to an >> arbitrary value. >> >> To prevent this, I create a hidden field code[xyz] with value: >> base64_encode(mcrypt_ecb( >> MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRYPT_ENCRYPT)); >> >> where $salt is stored in a file outside my webroot. >> >> The script receiving the POST data uses: >> >> mcrypt_ecb(MCRYPT_RIJNDAEL_256,$salt, >> base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT); >> >> and confirms xyz is really one of "apple", "banana", or "cucumber". >> >> Obviously, this can be extended to other types of form fields, and the >> check value can be a regular expression or even a function call. >> >> Is this a new idea, or have people done this before? >> > > If the server-side script knows which values are expected, then there is no > need to send that to the client (browser) and back. If this is not simply > hard-coded in your script, you can keep it in a different file, in a > database, or in the session, depending on your particular situation. For > most of the fields, the number of acceptable values aren't limited to a > small set, so it's more practical to check for expected length, data type, > and escape the data before saving it. > > Cheers, > > Mattias > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Server-side encryption to prevent form hacking: new idea?
Kelly Jones wrote: If you have an HTML form select field xyz with possible values "apple", "banana", and "cucumber", anyone can easily set xyz to an arbitrary value. To prevent this, I create a hidden field code[xyz] with value: base64_encode(mcrypt_ecb( MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRYPT_ENCRYPT)); where $salt is stored in a file outside my webroot. The script receiving the POST data uses: mcrypt_ecb(MCRYPT_RIJNDAEL_256,$salt, base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT); and confirms xyz is really one of "apple", "banana", or "cucumber". Obviously, this can be extended to other types of form fields, and the check value can be a regular expression or even a function call. Is this a new idea, or have people done this before? If the server-side script knows which values are expected, then there is no need to send that to the client (browser) and back. If this is not simply hard-coded in your script, you can keep it in a different file, in a database, or in the session, depending on your particular situation. For most of the fields, the number of acceptable values aren't limited to a small set, so it's more practical to check for expected length, data type, and escape the data before saving it. Cheers, Mattias -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Server-side encryption to prevent form hacking: new idea?
If you have an HTML form select field xyz with possible values "apple", "banana", and "cucumber", anyone can easily set xyz to an arbitrary value. To prevent this, I create a hidden field code[xyz] with value: base64_encode(mcrypt_ecb( MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRYPT_ENCRYPT)); where $salt is stored in a file outside my webroot. The script receiving the POST data uses: mcrypt_ecb(MCRYPT_RIJNDAEL_256,$salt, base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT); and confirms xyz is really one of "apple", "banana", or "cucumber". Obviously, this can be extended to other types of form fields, and the check value can be a regular expression or even a function call. Is this a new idea, or have people done this before? -- We're just a Bunch Of Regular Guys, a collective group that's trying to understand and assimilate technology. We feel that resistance to new ideas and technology is unwise and ultimately futile. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
