Differences

This shows you the differences between two versions of the page.

Link to this comparison view

computers:php_protect_get_post_cookie_values [2015/03/24 05:42]
computers:php_protect_get_post_cookie_values [2015/03/24 05:42] (current)
Line 1: Line 1:
 +====== PHP Protect Get Post Cookie Values ======
 +If you are sure that GET/​POST/​COOKIE values are not modified by user, you may be able to reduce lots of overhead for checking values. This function provide means to make sure GET/​POST/​COOKIE values that are set by PHP programmer are not modified by users.
  
 +====== Code 1 ======
 +Description
 +
 +Reference: [[http://​www.zend.com/​code/​codex.php?​id=626&​single=1]]
 +
 +==== Usage Example ====
 +<code php> ​
 +<?php
 +// require_once '​session/​session.php';​
 +// require_once '​auth/​Auth.class.php';​
 +require_once '​security/​input_check.php';​
 +
 +if (isset($_GET['​showsource'​])) {
 +    show_source('​input_check.php'​);​
 +    exit;
 +}
 +
 +$msg = '​Values v1 to v3 is protected. You can change v4 and v5 as you want';
 +$values_protected = array('​textfield1','​textfield2','​textfield3'​);​
 +
 +if (isset($_REQUEST['​set'​])) {
 +    $_REQUEST = init_hash($_REQUEST,​ $values_protected);​
 +}
 +elseif (isset($_REQUEST['​check'​])) {
 +    if (check_hash($_REQUEST,​ $values_protected)) {
 +        $msg = '​Values are OK<​br>';​
 +    }
 +    else {
 +        $msg = '<​b>​WARNING:​ Values are modified</​b><​br>';​
 +    }
 +}
 +else {
 +    $_REQUEST[HASH_NAME] = '​Eenter some value in v1,v2 or v3';
 +}
 +    ​
 +?>
 +<​html>​
 +<​head>​
 +<meta http-equiv="​Content-Type"​ content="​text/​html;​ charset=EUC-JP">​
 +<​title>​protect server defined values</​title>​
 +</​head>​
 +<body bgcolor="#​FFFFFF"​ text="#​666666">​
 +<​p>​This script show how check_input.php protects server defined values. Test script<​br>​
 +is protecting values v1 to v3 using CHAP like method.</​p>​
 +<​p>​Usage:​ Enter some values to v1 to v5 field and click &​quot;​set&​quot;​ to set initial values.<​br>​
 +Then click &​quot;​check&​quot;​ to verify if you can fake server. (You cannot)</​p>​
 +<p>
 +<?php echo $msg; ?>
 +</p>
 +<form method="​post"​ name="​test"​ action="​input_check.php"​ >
 +<​p>​v1 ​
 +<input type="​text"​ name="​textfield1"​ value="<?​php @print($_REQUEST['​textfield1'​]);​ ?>">​
 +<br>
 +v2 
 +<input type="​text"​ name="​textfield2"​ value="<?​php @print($_REQUEST['​textfield2'​]);​ ?>">​
 +<br>
 +v3 
 +<input type="​text"​ name="​textfield3"​ value="<?​php @print($_REQUEST['​textfield3'​]);​ ?>">​
 +<br>
 +v4 
 +<input type="​text"​ name="​textfield4"​ value="<?​php @print($_REQUEST['​textfield4'​]);​ ?>">​
 +<br>
 +v5 
 +<input type="​text"​ name="​textfield5"​ value="<?​php @print($_REQUEST['​textfield5'​]);​ ?>">​
 +</p>
 +<​p> ​
 +<input type="​submit"​ name="​set"​ value="​set">​
 +<input type="​submit"​ name="​check"​ value="​check">​
 +</p>
 +<p> digest value 
 +<input type="​text"​ size="​32"​ name="<?​php echo HASH_NAME; ?>" value="<?​php print($_REQUEST[HASH_NAME]);​ ?>">​
 +</p>
 +</​form>​
 +<​p>​Why this is useful? This script is very useful in many situations. A example is<​br>​
 +multiple form entry. With these functions, you can check values in each page<​br>​
 +and use hidden inputs to save values. Another example is you can allow<​br>​
 +certain users to view specific page with specific time. This is very useful<​br>​
 +to display page that contains coupon information. You may be able to bypass<​br>​
 +complex authorization code and get better performance.</​p>​
 +<​p>​These are just examples and there are many other useful usage.<​br>​
 +Have fun.</​p>​
 +<​p>&​nbsp;</​p>​
 +</​body>​
 +</​html>​
 +
 +</​code>​
 +
 +==== Server Side Code  ====
 +
 +<code php>
 +<?php
 +/*
 + File: /​security/​check_input.php
 + ​Author:​ yohgaki@ohgaki.net
 + ​Version:​ 0.3
 +
 + These functions are used to protect programmer ​
 + ​defined vars.
 + 
 + ​Values are secure for the same reason as CHAP,
 + HTTP Digest Auth is secure.
 +
 + This version allows not only checks consistency, ​
 + but also can specify
 + */
 +
 +/** hash value name */
 +define('​HASH_NAME','​m'​);​
 +/** Magic string. _KEEP THIS SECRET_ ​ */
 +define('​MAGIC','​Some text cannot be guessed'​);​
 +/** Magic life any */
 +define('​MAGIC_LIFE_ANY', ​   0);
 +/** Magic life script */
 +define('​MAGIC_LIFE_SCRIPT',​ 1);
 +/** Magic life user */
 +define('​MAGIC_LIFE_USER', ​  2);
 +/** Magic life session */
 +define('​MAGIC_LIFE_SESSION',​4);​
 +
 +
 +// {{{ init_hash()
 +/**
 + * Init hash - add digest key=>​value pair to hash
 + ​* ​
 + * @param array $values array(key=>​vlaue)
 + * @param array $values_protected array(vlaue)
 + * @param int $magic_life See magic().
 + * @return array
 + */
 +function init_hash($values, ​ $values_protected = null, $magic_life = MAGIC_LIFE_ANY) ​
 +{
 +    assert(is_array($values));​
 +    if ($values_protected)
 +        $vals = $values_protected;​
 +    else
 +        $vals = array_keys($values);​
 +    ​
 +    $str = '';​
 +    foreach($vals as $k) 
 +    {
 +        if ($k === HASH_NAME)
 +            continue; // skip if there is hash
 +        $str .= $k.$values[$k];​
 +    }
 +    //echo $str;
 +    $values[HASH_NAME] =md5($str.(magic($magic_life)));​
 +    return $values;
 +}
 +// }}}
 +
 +// {{{ check_hash()
 +/**
 + * Check hash value with digest value
 + *
 + * @param array $values array(key=>​vlaue)
 + * @param array $values_protected array(vlaue)
 + * @param int $magic_life See magic().
 + * @return bool TRUE for ok, FALSE for NG
 + */
 +function check_hash($values,​ $values_protected = null, $magic_life = MAGIC_LIFE_ANY) ​
 +{
 +    assert(is_array($values));​
 +    if (!isset($values[HASH_NAME])) {
 +        return false;
 +    }
 +    if ($values_protected)
 +        $vals = $values_protected;​
 +    else
 +        $vals = array_keys($values);​
 +
 +    $str = '';​
 +    foreach($vals as $k) 
 +    {
 +        if ($k === HASH_NAME)
 +            continue; // skip if there is hash
 +        $str .= $k.$values[$k];​
 +    }
 +    $hash = md5($str.(magic($magic_life)));​
 +    //echo $str;
 +    if ($values[HASH_NAME] !== $hash) {
 +        return false;
 +    }
 +    return true;
 +}
 +// }}}
 +
 +
 +// {{{ magic()
 +/**
 + * Get magic string appropriate for current status
 + * This function is made to check user input magic.
 + *
 + * @param integer $life magic'​s life time (See constant MAGIC_*)
 + * @return string Magic string
 + */
 +function magic($life = MAGIC_LIFE_ANY) ​
 +{
 +    assert(is_integer($life));​
 +    $magic = MAGIC; // static magic string
 +    if ($life & MAGIC_LIFE_SESSION)
 +        $magic .= session_id();​
 +    if (($life & MAGIC_LIFE_USER) && is_object($_SESSION['​auth'​]))
 +        $magic .= $_SESSION['​auth'​]->​st_uid;​ // This code assumes there is a auth object
 +    if ($life & MAGIC_LIFE_SCRIPT)
 +        $magic .= $_SERVER['​PHP_SELF'​];​
 +    return $magic;
 +}
 +// }}}
 +
 +?> 
 +
 +</​code>​
 +
 +==== Client Side Code ====
 +Client side code is inherently insecure and error prone. ​ It should be used to reduce load on server, and input verified ​ by server. ​ Please include server verification code also in this section.
 +
 +Description,​ change title as needed
 +
 +<code javascript>​
 +code goes here
 +
 +</​code>​
 +
 +
 +====== Candidate Code Suggestions ======
 +Add your suggestions and links here.