Server-side encryption to prevent form hacking: new idea?
Server-side encryption to prevent form hacking: new idea?
am 11.12.2009 20:53:21 von Kelly Jones
If you have an HTML form select field xyz with possible values
"apple", "banana", and "cucumber", anyone can easily set xyz to an
arbitrary value.
To prevent this, I create a hidden field code[xyz] with value:
base64_encode(mcrypt_ecb(
MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRYPT_ENC RYPT));
where $salt is stored in a file outside my webroot.
and confirms xyz is really one of "apple", "banana", or "cucumber".
Obviously, this can be extended to other types of form fields, and the
check value can be a regular expression or even a function call.
Is this a new idea, or have people done this before?
--
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Server-side encryption to prevent form hacking: new idea?
am 11.12.2009 21:29:36 von Mattias Thorslund
Kelly Jones wrote:
> If you have an HTML form select field xyz with possible values
> "apple", "banana", and "cucumber", anyone can easily set xyz to an
> arbitrary value.
>
> To prevent this, I create a hidden field code[xyz] with value:
> base64_encode(mcrypt_ecb(
> MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRYPT_ENC RYPT));
>
> where $salt is stored in a file outside my webroot.
>
> The script receiving the POST data uses:
>
> mcrypt_ecb(MCRYPT_RIJNDAEL_256,$salt,
> base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT);
>
> and confirms xyz is really one of "apple", "banana", or "cucumber".
>
> Obviously, this can be extended to other types of form fields, and the
> check value can be a regular expression or even a function call.
>
> Is this a new idea, or have people done this before?
>
If the server-side script knows which values are expected, then there is
no need to send that to the client (browser) and back. If this is not
simply hard-coded in your script, you can keep it in a different file,
in a database, or in the session, depending on your particular
situation. For most of the fields, the number of acceptable values
aren't limited to a small set, so it's more practical to check for
expected length, data type, and escape the data before saving it.
Cheers,
Mattias
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Server-side encryption to prevent form hacking: new idea?
am 11.12.2009 21:34:01 von mike503
you don't necessarily need encryption, you could use digests instead
and issue a use-once ticket as well.
On Fri, Dec 11, 2009 at 12:29 PM, Mattias Thorslund wrote:
> Kelly Jones wrote:
>>
>> If you have an HTML form select field xyz with possible values
>> "apple", "banana", and "cucumber", anyone can easily set xyz to an
>> arbitrary value.
>>
>> To prevent this, I create a hidden field code[xyz] with value:
>> base64_encode(mcrypt_ecb(
>> Â MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRY PT_ENCRYPT))=
;
>>
>> where $salt is stored in a file outside my webroot.
>>
>> The script receiving the POST data uses:
>>
>> mcrypt_ecb(MCRYPT_RIJNDAEL_256,$salt,
>> Â base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT);
>>
>> and confirms xyz is really one of "apple", "banana", or "cucumber".
>>
>> Obviously, this can be extended to other types of form fields, and the
>> check value can be a regular expression or even a function call.
>>
>> Is this a new idea, or have people done this before?
>>
>
> If the server-side script knows which values are expected, then there is =
no
> need to send that to the client (browser) and back. If this is not simply
> hard-coded in your script, you can keep it in a different file, in a
> database, or in the session, depending on your particular situation. For
> most of the fields, the number of acceptable values aren't limited to a
> small set, so it's more practical to check for expected length, data type=
,
> and escape the data before saving it.
>
> Cheers,
>
> Mattias
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Server-side encryption to prevent form hacking: new idea?
am 11.12.2009 21:48:59 von Andrew Ballard
On Fri, Dec 11, 2009 at 3:34 PM, Michael Shadle wrote:
> On Fri, Dec 11, 2009 at 12:29 PM, Mattias Thorslund
> wrote:
>> Kelly Jones wrote:
>>>
>>> If you have an HTML form select field xyz with possible values
>>> "apple", "banana", and "cucumber", anyone can easily set xyz to an
>>> arbitrary value.
>>>
>>> To prevent this, I create a hidden field code[xyz] with value:
>>> base64_encode(mcrypt_ecb(
>>> Â MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRY PT_ENCRYPT)=
);
>>>
>>> where $salt is stored in a file outside my webroot.
>>>
>>> The script receiving the POST data uses:
>>>
>>> mcrypt_ecb(MCRYPT_RIJNDAEL_256,$salt,
>>> Â base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT);
>>>
>>> and confirms xyz is really one of "apple", "banana", or "cucumber".
[snip]
>>
>> If the server-side script knows which values are expected, then there is=
no
>> need to send that to the client (browser) and back. If this is not simpl=
y
>> hard-coded in your script, you can keep it in a different file, in a
>> database, or in the session, depending on your particular situation. For
>> most of the fields, the number of acceptable values aren't limited to a
>> small set, so it's more practical to check for expected length, data typ=
e,
>> and escape the data before saving it.
>>
>> Cheers,
>>
>> Mattias
> you don't necessarily need encryption, you could use digests instead
> and issue a use-once ticket as well.
>
Why is any of this necessary? Most of the time I build select lists
from arrays, so it is easy to test the value submitted by the client
to make sure it exists in the array without any encryption or hashing.
Am I missing something?
Andrew
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Server-side encryption to prevent form hacking: new idea?
You can check whether the submitted value is valid or not, using the
following code:
*if ($_SERVER['REQUEST_METHOD'] == "POST") {
if (!in_array($_POST['city'], $cities) die('Invalid');
}
*
Hope this helps.
On Sat, Dec 12, 2009 at 12:18 AM, Andrew Ballard wrote:
> On Fri, Dec 11, 2009 at 3:34 PM, Michael Shadle wrote:
> > On Fri, Dec 11, 2009 at 12:29 PM, Mattias Thorslund
> > wrote:
> >> Kelly Jones wrote:
> >>>
> >>> If you have an HTML form select field xyz with possible values
> >>> "apple", "banana", and "cucumber", anyone can easily set xyz to an
> >>> arbitrary value.
> >>>
> >>> To prevent this, I create a hidden field code[xyz] with value:
> >>> base64_encode(mcrypt_ecb(
> >>> MCRYPT_RIJNDAEL_256,$salt,"apple,banana,cucumber",MCRYPT_ENC RYPT));
> >>>
> >>> where $salt is stored in a file outside my webroot.
> >>>
> >>> The script receiving the POST data uses:
> >>>
> >>> mcrypt_ecb(MCRYPT_RIJNDAEL_256,$salt,
> >>> base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT);
> >>>
> >>> and confirms xyz is really one of "apple", "banana", or "cucumber".
>
> [snip]
>
> >>
> >> If the server-side script knows which values are expected, then there is
> no
> >> need to send that to the client (browser) and back. If this is not
> simply
> >> hard-coded in your script, you can keep it in a different file, in a
> >> database, or in the session, depending on your particular situation. For
> >> most of the fields, the number of acceptable values aren't limited to a
> >> small set, so it's more practical to check for expected length, data
> type,
> >> and escape the data before saving it.
> >>
> >> Cheers,
> >>
> >> Mattias
> > you don't necessarily need encryption, you could use digests instead
> > and issue a use-once ticket as well.
> >
>
> Why is any of this necessary? Most of the time I build select lists
> from arrays, so it is easy to test the value submitted by the client
> to make sure it exists in the array without any encryption or hashing.
> Am I missing something?
>
> Andrew
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
Kind regards,
-behzad
--0015175df034daf9d1047a86608c--
Re: Server-side encryption to prevent form hacking: newidea?
am 12.12.2009 16:07:43 von TedD
At 1:53 PM -0600 12/11/09, Kelly Jones wrote:
>-snip-
>
>Is this a new idea, or have people done this before?
Not a new idea, nor one that is useful -- no offense meant.
I can prevent form hacking by simply checking and scrubbing incoming
data without resorting to encryption.
Security techniques are very basic and it's probably best if you read
a book on the subject. I recommend Essential PHP Security by Chris
Shiflett. You can pick it up at Amazon for less than $20. It's a good
read with lot's of useful information.
The $20 bucks you spend on that will save you more in time than
trying to reinvent the security wheel.