Solved

security: how to detect where user comes from..

Posted on 2004-05-01
3
204 Views
Last Modified: 2011-09-20
hi everyone,

I am struggling with the following. I have a Flash file from which I call a script called
main.php. This file is called upon like this: main.php?action=delete&Id=1 etc.

But when I call this file directly in a browser it also works, which is a potential security risk.
From Flash I can send a string along, but when I look in the history of my browser, it shows
the whole URL and string...

So my question is: can I detect if the user comes from the Flash file? If yes, then execute
the .php script; if not, redirect somewhere else.

Thanks in advance,

derek
0
Question by:dwax
3 Comments
 

Expert Comment

by:yavosh
ID: 10968805
You could use the $_SERVER['HTTP_REFERER'] variable to check for the Flash file, but this can easily be forged and is not very reliable.

Second option, you could use POST to send a password from the Flash file (am not sure how this would work from Flash).

A third option is to use some sort of challenge response system, but this might be a bit of an overkill. Here is how such a system might work:

First time you connect to the script you get a session id back.

You use a secret password to hash the session id. The most common hash function is md5; there should be an implementation in Flash for it.

so
$challenge = md5($sessionid . 'secret'); // md5() takes a single string, so the secret is appended to the session id before hashing

When you send the script the correct challenge you get your desired output. In such a way your password (secret) is never transmitted in the clear. The only security problem might appear if someone hijacks the session.

yavor
0
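The challenge/response flow yavosh sketches, as an added example that is not code from any comment in this thread: main.php hands out a random nonce, keeps it in the session, and runs the requested action only when the caller returns the keyed hash of that nonce. SHARED_SECRET, CHALLENGE_TTL, issue_challenge(), verify_response() and /denied.php are assumed names; hash_hmac() with SHA-256 is used instead of md5 because a keyed hash is what the scheme needs.

```php
<?php
// Added example: challenge/response for main.php (not code from the original thread).
// SHARED_SECRET is a placeholder; the Flash client must compute the same HMAC.
const SHARED_SECRET = 'replace-with-a-long-random-secret';
const CHALLENGE_TTL = 60; // seconds a challenge stays valid

session_start();

// Step 1: the client calls main.php?action=challenge and gets a fresh random nonce.
// Storing it in the session binds it to this browser session; a new nonce per
// request means a captured response cannot be replayed later.
function issue_challenge(): string
{
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['challenge'] = $nonce;
    $_SESSION['challenge_time'] = time();
    return $nonce;
}

// Step 2: the client sends main.php?action=delete&Id=1&response=<hmac>.
// The nonce is removed before checking, so one challenge answers one request.
function verify_response(string $response): bool
{
    if (empty($_SESSION['challenge'])) {
        return false;
    }
    $nonce  = $_SESSION['challenge'];
    $issued = (int) ($_SESSION['challenge_time'] ?? 0);
    unset($_SESSION['challenge'], $_SESSION['challenge_time']);
    if (time() - $issued > CHALLENGE_TTL) {
        return false; // stale challenge
    }
    $expected = hash_hmac('sha256', $nonce, SHARED_SECRET);
    return hash_equals($expected, $response); // constant-time comparison
}

$action = $_GET['action'] ?? '';
if ($action === 'challenge') {
    echo issue_challenge();
} elseif (verify_response($_GET['response'] ?? '')) {
    // Caller knows the secret: dispatch $action (delete, ...) on $_GET['Id'] here.
    echo 'ok';
} else {
    header('Location: /denied.php');
    exit;
}
```

The same secret has to be compiled into the SWF, and a secret shipped to the browser is recoverable by its users, so this proves knowledge of the secret rather than the origin of the request; pair it with a per-user session check so each action is still authorised against a logged-in account.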
 

Author Comment

by:dwax
ID: 10975145
Hi yavor,

thanks for your response... What do you think of the following:

I get a password from MySQL which is MD5. When I retrieve it, I leave the MD5 encryption intact,
then I get something like '`1453245hjgjh43545', or whatever. I read this into Flash, still leaving the
MD5 intact. When I call the .php script from Flash I use something like this:

main.php?action=delete&ID=1&pass=asdsd987sad8sdasd

In the beginning of main.php I decrypt the MD5 password. Et voila?

Is this possible, and safe? Or can anyone copy and paste the encrypted MD5 into a .php script and decrypt it?

like to hear your opinion,

regards,

derek
0
 
LVL 2

Accepted Solution

by:
ramonklown earned 105 total points
ID: 10995661
If you don't trust MySQL databases then why are you working with them in the first place? It's an obvious answer to your MD5 question.

And plus there are hundreds of MD5 decryptors, so you can specify a specific encryption but the decryptor will decrypt anyway. So if the guy has gone to all the trouble to get there and has the knowledge, of course he is gonna have a decrypting program. Or he can make a script himself to decrypt.

There are like 30 - 50 different default encryptions (I've read about this a long time ago). But of course you can make your own.


***The best way to keep things safe are session vars.

you create a session variable
// login page: escape the form values before they go into the query
session_start();
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$query = mysql_query("select * from `database` where user='$user' AND pass='$pass'");
$check = mysql_num_rows($query);

if ($check > 0) {
    $_SESSION['username'] = $_POST['user'];
}

/* on the next page: registered is 1 if he already filled out the form and status is 1 if his email is valid */
session_start(); // must run before $_SESSION is read
if (!empty($_SESSION['username'])) {
    $user = mysql_real_escape_string($_SESSION['username']);
    $query = mysql_query("select * from `database` where user='$user' AND registered='1' AND status='1'");
    $check = mysql_num_rows($query);
    if ($check) {
        // page content
    } else {
        include("error.php");
    }
} else {
    include("error.php");
}
0
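The session approach from the accepted answer, as an added example that is not ramonklown's code: the login stores only the username server-side, and main.php (the script Flash calls) checks the session instead of taking a password in the URL. Prepared statements replace string-built queries and password_verify() replaces comparing MD5 strings; the tables `users` (user, pass_hash, registered, status) and `items` (id, owner), the DSN and the credentials are assumed.

```php
<?php
// Added example: the session approach from the accepted answer, with a prepared
// statement and password_verify(). Table `users` (user, pass_hash, registered, status)
// and table `items` (id, owner) are assumed; DSN and credentials are placeholders.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// login.php: check the credentials and remember the user server-side only.
// The stored value is a password_hash() string, so nothing is "decrypted".
function login(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id after login
    $_SESSION['username'] = $user;
    return true;
}

// main.php: Flash calls it with only action and Id; the user comes from the session,
// so no password appears in the URL or the browser history.
function require_active_user(PDO $pdo): string
{
    if (empty($_SESSION['username'])) {
        include 'error.php';
        exit;
    }
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM users WHERE user = ? AND registered = 1 AND status = 1');
    $stmt->execute([$_SESSION['username']]);
    if ((int) $stmt->fetchColumn() === 0) {
        include 'error.php';
        exit;
    }
    return $_SESSION['username'];
}

$user = require_active_user($pdo);
if (($_GET['action'] ?? '') === 'delete') {
    // Authorise against the logged-in user, not against anything in the URL.
    $stmt = $pdo->prepare('DELETE FROM items WHERE id = ? AND owner = ?');
    $stmt->execute([(int) ($_GET['Id'] ?? 0), $user]);
    echo 'deleted';
}
```

login() belongs on the login page and is shown here only so both halves of the flow are in one place; main.php never sees the password at all.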
