PHP Protect Get Post Cookie Values

If you are sure that GET/POST/COOKIE values are not modified by user, you may be able to reduce lots of overhead for checking values. This function provide means to make sure GET/POST/COOKIE values that are set by PHP programmer are not modified by users.

Code 1

Usage Example

<?php
// require_once 'session/session.php';
// require_once 'auth/Auth.class.php';
require_once 'security/input_check.php';
 
if (isset($_GET['showsource'])) {
    show_source('input_check.php');
    exit;
}
 
$msg = 'Values v1 to v3 is protected. You can change v4 and v5 as you want';
$values_protected = array('textfield1','textfield2','textfield3');
 
if (isset($_REQUEST['set'])) {
    $_REQUEST = init_hash($_REQUEST, $values_protected);
}
elseif (isset($_REQUEST['check'])) {
    if (check_hash($_REQUEST, $values_protected)) {
        $msg = 'Values are OK<br>';
    }
    else {
        $msg = '<b>WARNING: Values are modified</b><br>';
    }
}
else {
    $_REQUEST[HASH_NAME] = 'Eenter some value in v1,v2 or v3';
}
 
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=EUC-JP">
<title>protect server defined values</title>
</head>
<body bgcolor="#FFFFFF" text="#666666">
<p>This script show how check_input.php protects server defined values. Test script<br>
is protecting values v1 to v3 using CHAP like method.</p>
<p>Usage: Enter some values to v1 to v5 field and click &quot;set&quot; to set initial values.<br>
Then click &quot;check&quot; to verify if you can fake server. (You cannot)</p>
<p>
<?php echo $msg; ?>
</p>
<form method="post" name="test" action="input_check.php" >
<p>v1 
<input type="text" name="textfield1" value="<?php @print($_REQUEST['textfield1']); ?>">
<br>
v2 
<input type="text" name="textfield2" value="<?php @print($_REQUEST['textfield2']); ?>">
<br>
v3 
<input type="text" name="textfield3" value="<?php @print($_REQUEST['textfield3']); ?>">
<br>
v4 
<input type="text" name="textfield4" value="<?php @print($_REQUEST['textfield4']); ?>">
<br>
v5 
<input type="text" name="textfield5" value="<?php @print($_REQUEST['textfield5']); ?>">
</p>
<p> 
<input type="submit" name="set" value="set">
<input type="submit" name="check" value="check">
</p>
<p> digest value 
<input type="text" size="32" name="<?php echo HASH_NAME; ?>" value="<?php print($_REQUEST[HASH_NAME]); ?>">
</p>
</form>
<p>Why this is useful? This script is very useful in many situations. A example is<br>
multiple form entry. With these functions, you can check values in each page<br>
and use hidden inputs to save values. Another example is you can allow<br>
certain users to view specific page with specific time. This is very useful<br>
to display page that contains coupon information. You may be able to bypass<br>
complex authorization code and get better performance.</p>
<p>These are just examples and there are many other useful usage.<br>
Have fun.</p>
<p>&nbsp;</p>
</body>
</html>

Server Side Code

<?php
/*
 File: /security/check_input.php
 Author: yohgaki@ohgaki.net
 Version: 0.3
 
 These functions are used to protect programmer 
 defined vars.
 
 Values are secure for the same reason as CHAP,
 HTTP Digest Auth is secure.
 
 This version allows not only checks consistency, 
 but also can specify
 */
 
/** hash value name */
define('HASH_NAME','m');
/** Magic string. _KEEP THIS SECRET_  */
define('MAGIC','Some text cannot be guessed');
/** Magic life any */
define('MAGIC_LIFE_ANY',    0);
/** Magic life script */
define('MAGIC_LIFE_SCRIPT', 1);
/** Magic life user */
define('MAGIC_LIFE_USER',   2);
/** Magic life session */
define('MAGIC_LIFE_SESSION',4);
 
 
// {{{ init_hash()
/**
 * Init hash - add digest key=>value pair to hash
 * 
 * @param array $values array(key=>vlaue)
 * @param array $values_protected array(vlaue)
 * @param int $magic_life See magic().
 * @return array
 */
function init_hash($values,  $values_protected = null, $magic_life = MAGIC_LIFE_ANY) 
{
    assert(is_array($values));
    if ($values_protected)
        $vals = $values_protected;
    else
        $vals = array_keys($values);
 
    $str = '';
    foreach($vals as $k) 
    {
        if ($k === HASH_NAME)
            continue; // skip if there is hash
        $str .= $k.$values[$k];
    }
    //echo $str;
    $values[HASH_NAME] =md5($str.(magic($magic_life)));
    return $values;
}
// }}}
 
// {{{ check_hash()
/**
 * Check hash value with digest value
 *
 * @param array $values array(key=>vlaue)
 * @param array $values_protected array(vlaue)
 * @param int $magic_life See magic().
 * @return bool TRUE for ok, FALSE for NG
 */
function check_hash($values, $values_protected = null, $magic_life = MAGIC_LIFE_ANY) 
{
    assert(is_array($values));
    if (!isset($values[HASH_NAME])) {
        return false;
    }
    if ($values_protected)
        $vals = $values_protected;
    else
        $vals = array_keys($values);
 
    $str = '';
    foreach($vals as $k) 
    {
        if ($k === HASH_NAME)
            continue; // skip if there is hash
        $str .= $k.$values[$k];
    }
    $hash = md5($str.(magic($magic_life)));
    //echo $str;
    if ($values[HASH_NAME] !== $hash) {
        return false;
    }
    return true;
}
// }}}
 
 
// {{{ magic()
/**
 * Get magic string appropriate for current status
 * This function is made to check user input magic.
 *
 * @param integer $life magic's life time (See constant MAGIC_*)
 * @return string Magic string
 */
function magic($life = MAGIC_LIFE_ANY) 
{
    assert(is_integer($life));
    $magic = MAGIC; // static magic string
    if ($life & MAGIC_LIFE_SESSION)
        $magic .= session_id();
    if (($life & MAGIC_LIFE_USER) && is_object($_SESSION['auth']))
        $magic .= $_SESSION['auth']->st_uid; // This code assumes there is a auth object
    if ($life & MAGIC_LIFE_SCRIPT)
        $magic .= $_SERVER['PHP_SELF'];
    return $magic;
}
// }}}
 
?>

Client Side Code

Client side code is inherently insecure and error prone. It should be used to reduce load on server, and input verified by server. Please include server verification code also in this section.

Description, change title as needed

code goes here

Candidate Code Suggestions

Add your suggestions and links here.