sort of argument verifier

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Let's say I've a page which is called with arguments a, b and c


but, i don't want to allow anyone to modify either val_a, val_b or

I thought it would be a good idea, to add another argument which could
combines (through some algorithm) val_a, val_b and val_c, and check it
every time the page is called.

I was wondering whether any of this exists already. I don't want to
reinvent the wheel, you know...

regards - jm

Re: sort of argument verifier

Quoted text here. Click to load it

Try this:  combine a, b, c, and some secret string into one string.
(e.g. concatenate them in a specific order with comma separators).
Compute a hash (e.g. md5()) of this string.  This is your
additional argument.  Check them the same way.

Since your secret string never leaves the server, the attacker
doesn't know it (even if he does know the method used to construct
the hash).  It's supposed to be difficult to generate collisions
(two different strings that have the same hash).

Some warnings:  be sure that there aren't other ways of constructing
your combination string.  For example, with comma separators, someone
could change  
    a=1,2 b=3 c=4
    a=1 b=2,3 c=4
and keep the same hash, so it's a good idea to use a separator that
can't be a legitimate part of the string.  Beware of HTTP munging
the arguments (e.g. going out a had the value a singlequote b
and coming back in it might have the value a percentsign 2 7 b)
which will mess up your hash.

Realize that an attacker can replay any combination of arguments you've
ever generated a hash for if they can sniff your server traffic.

                    Gordon L. Burditt

Re: sort of argument verifier

Quoted text here. Click to load it

sha1, but add it a 'secret value' too.
sha1 is fairly well known but the secret will stop others from forging them.


Re: sort of argument verifier

Following on from julian_m's message. . .
Quoted text here. Click to load it
Whilst normally it would be an excellent idea to abstract the issue as  
you have done, the nature of the values and the context will help us  
here to give you a more informed choice.

In the abstract:
* 'checksum'
* pack and obfuscate
* store a,b,c in array in session indexed by random key
* validate the input _as is_ and chuck out ones you don't like and if  
somebody has altered &a=red to &a=pink well then that's up to them  
either it works or it doesn't.
* change your page calling scheme/data model

PETER FOX Not the same since the exam marking business failed
2 Tees Close, Witham, Essex.
Gravity beer in Essex  <

Re: sort of argument verifier

Kimmo Laine wrote:
Quoted text here. Click to load it

Unless next_page.php generates PHP, the script with this include will
only get HTML.

Quoted text here. Click to load it


    if (isset($_GET['foo'])) {
      echo '<?php echo $_GET[\'foo\']; ?>';
    } else {
      echo '<?php echo \'Not available\'; ?>';

File not found: (R)esume, (R)etry, (R)erun, (R)eturn, (R)eboot

Site Timeline