• Status: Solved
security: how to detect where user comes from..

Hi everyone,

I am struggling with the following. I have a Flash file from which I call a script called
main.php. This file is called like this: main.php?action=delete&Id=1 etc.

But when I call this file directly in a browser it also works, which is a potential security risk.
From Flash I can send a string along, but when I look in the history of my browser, it shows
the whole URL and string...

So my question is: can I detect if the user comes from the Flash file? If yes, then execute
the .php script; if not, redirect somewhere else.

Thanks in advance,

derek
Asked by: dwax

1 Solution

yavosh commented:
You could use the $_SERVER['HTTP_REFERER'] variable to check for the Flash file, but this can easily be forged and is not very reliable.

Second option: you could use POST to send a password to the Flash file (I am not sure how this would work from Flash).

A third option is to use some sort of challenge-response system, but this might be a bit of an overkill. Here is how such a system might work:

First time you connect to the script you get a session id back.

You use a secret password to hash the session id. The most common hash function is MD5; there should be an implementation in Flash for it.

So:
$challenge = md5($sessionid . 'secret'); // hash of the session id concatenated with the shared secret

When you send the script the correct challenge you get your desired output. In such a way your password (secret) is never transmitted in the clear. The only security problem might appear if someone hijacks the session.

yavor
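The challenge-response flow sketched in the answer above, as an added example that is not code from the original thread: the server hands out a random one-time challenge, the client answers with an HMAC of it under the shared secret (hash_hmac with SHA-256 stands in for the md5 the answer mentions), and the server verifies with a constant-time compare and then discards the challenge, so a URL copied from browser history cannot be replayed. The SECRET value, the function names and the in-memory $session array standing in for $_SESSION are assumptions.

```php
<?php
// Added example: challenge-response between main.php and the Flash client.
// Assumption: both sides hold SECRET out of band; it is never put in a URL.
const SECRET = 'placeholder-shared-secret';

// Step 1 (server): hand out a fresh random challenge and keep it in the session.
function issue_challenge(array &$session): string
{
    $session['challenge'] = bin2hex(random_bytes(16));
    return $session['challenge'];
}

// Step 2 (client): answer with HMAC(secret, challenge). Only the HMAC travels,
// so a copy of the URL from browser history does not reveal the secret.
function compute_response(string $challenge, string $secret): string
{
    return hash_hmac('sha256', $challenge, $secret);
}

// Step 3 (server): recompute, compare in constant time, and burn the
// challenge so the same response cannot be submitted a second time.
function verify_response(array &$session, string $response, string $secret): bool
{
    if (!isset($session['challenge'])) {
        return false;                       // nothing issued, or already used
    }
    $expected = hash_hmac('sha256', $session['challenge'], $secret);
    unset($session['challenge']);           // one-time use
    return hash_equals($expected, $response);
}

// Walk-through with an in-memory stand-in for $_SESSION (no web server needed).
$session = [];
$challenge = issue_challenge($session);               // what main.php returns to Flash
$answer = compute_response($challenge, SECRET);       // what Flash sends back, e.g. &resp=
$first = verify_response($session, $answer, SECRET);  // the genuine answer
$replay = verify_response($session, $answer, SECRET); // the same answer resubmitted
echo "first attempt: " . ($first ? "accepted" : "refused") . PHP_EOL;
echo "replayed attempt: " . ($replay ? "accepted" : "refused") . PHP_EOL;
```

Run it with the PHP CLI; the second verify_response call exercises the replay case that the static pass=... parameter in the later comment would not withstand.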
dwax (Author) commented:
Hi yavor,

thanks for your response... What do you think of the following:

I get a password from MySQL which is MD5; when I retrieve it, I leave the MD5 encryption intact,
then I get something like '`1453245hjgjh43545', or whatever. I read this into Flash, still leaving the
MD5 intact. When I call the .php script from Flash I use something like this:

main.php?action=delete&ID=1&pass=asdsd987sad8sdasd

In the beginning of main.php I decrypt the MD5 password. Et voilà?

Is this possible, and safe? Or can anyone copy and paste the encrypted MD5 into a .php script and decrypt it?

I'd like to hear your opinion,

regards,

derek
ramonklown commented:
If you don't trust MySQL databases then why are you working with them in the first place? It's an obvious answer to your MD5 question.

And plus, there are hundreds of MD5 decryptors, so you can specify a specific encryption but the decryptor will decrypt anyway. So if the guy has gone to all the trouble to get there and has the knowledge, of course he is gonna have a decrypting program. Or he can make a script himself to decrypt.

There are like 30 - 50 different default encryptions (I've read about this a long time ago). But of course you can make your own.


***The best way to keep things safe are session vars.

you create a session variable
// Login step. session_start() has to run before $_SESSION is touched, and a
// prepared statement keeps the posted values out of the SQL text.
session_start();
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'database'); // connection values are placeholders

$stmt = $db->prepare("SELECT * FROM database WHERE user = ? AND pass = ?");
$stmt->bind_param('ss', $_POST['user'], $_POST['pass']);
$stmt->execute();
$stmt->store_result();
$check = $stmt->num_rows;

if ($check > 0) {
    session_regenerate_id(true);            // fresh session id after login
    $_SESSION['username'] = $_POST['user']; // same field the query matched on
}

/* on the next page: registered is whether he already filled out the form, status is whether his email is valid */
session_start();
if (!empty($_SESSION['username'])) {
    $stmt = $db->prepare("SELECT * FROM database WHERE user = ? AND registered = '1' AND status = '1'");
    $stmt->bind_param('s', $_SESSION['username']);
    $stmt->execute();
    $stmt->store_result();
    $check = $stmt->num_rows;
    if ($check) {
        // page content
    } else {
        include("error.php");
    }
} else {
    include("error.php");
}