Solved

security: how to detect where a user comes from

Posted on 2004-05-01
Last Modified: 2011-09-20
Hi everyone,

I am struggling with the following. I have a Flash file from which I call a script called
main.php. This file is called like this: main.php?action=delete&Id=1 etc.

But when I call this file directly in a browser it also works, which is a potential security risk.
From Flash I can send a string along, but when I look in the history of my browser, it shows
the whole URL and string...

So my question is: can I detect if the user comes from the Flash file? If yes, then execute
the .php script; if not, redirect somewhere else.

Thanks in advance,

derek
Question by:dwax
3 Comments

Expert Comment

by:yavosh
ID: 10968805
You could use the $_SERVER['HTTP_REFERER'] variable to check for the Flash file, but this can easily be forged and is not very reliable.

Second option: you could use POST to send a password from the Flash file (I am not sure how this would work from Flash).

A third option is to use some sort of challenge-response system, but this might be a bit of an overkill. Here is how such a system might work:

The first time you connect to the script you get a session id back.

You use a secret password to hash the session id. The most common hash function is md5; there should be an implementation in Flash for it.

So:
// PHP's md5() takes a single string, so the secret is appended to the session id before hashing
$challenge = md5($sessionid . 'secret');

When you send the script the correct challenge you get your desired output. In such a way your password (secret) is never transmitted in the clear. The only security problem might appear if someone hijacks the session.

yavor

Author Comment

by:dwax
ID: 10975145
Hi yavor,

Thanks for your response... What do you think of the following:

I get a password from MySQL which is MD5. When I retrieve it, I leave the MD5 encryption intact,
then I get something like '`1453245hjgjh43545', or whatever. I read this into Flash, still leaving the
MD5 intact. When I call the .php script from Flash I use something like this:

main.php?action=delete&ID=1&pass=asdsd987sad8sdasd

In the beginning of main.php I decrypt the MD5 password. Et voila?

Is this possible, and safe? Or can anyone copy and paste the encrypted MD5 into a .php script and decrypt it?

I would like to hear your opinion,

regards,

derek
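The two ideas discussed above (a fixed pass= value in the query string versus yavor's session-bound challenge-response) can be compared side by side. The following is an added example written for this thread, not code from any of the posters; it uses a constructed shared secret and HMAC-SHA256 in place of the md5(sessionid . secret) construction suggested in the comment, and all names (Server, client_response, static_token_accepts, run_exchange) are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: it lives in both the Flash client and main.php and is
# never sent over the wire.
SHARED_SECRET = b"example-shared-secret"


def static_token_accepts(stored_hash, presented):
    """The fixed pass=<md5 from the database> idea: the server can only compare
    the presented value with the value it stores, so whoever has the URL has the
    credential."""
    return hmac.compare_digest(stored_hash, presented)


class Server:
    """Server side (main.php) of the challenge-response described in the thread."""

    def __init__(self, secret):
        self.secret = secret
        self.sessions = set()          # session ids handed out and not yet used

    def new_session(self):
        # First request: hand the client an unpredictable session id.
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return sid

    def expected_response(self, sid):
        # The thread suggests md5(session_id . secret); HMAC-SHA256 is used here instead.
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, sid, response):
        if sid not in self.sessions:
            return "reject: unknown session"
        if not hmac.compare_digest(self.expected_response(sid), response):
            return "reject: bad response"
        # One-shot: consume the session so a captured (sid, response) pair is not
        # accepted a second time.
        self.sessions.discard(sid)
        return "ok: action executed"


def client_response(secret, sid):
    """Client side (the Flash file): hash the session id with the shared secret."""
    return hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()


def run_exchange():
    results = {}

    # 1. Static token in the query string: identical on every request, so the
    #    value visible in the browser history is accepted again and again.
    stored = hashlib.md5(b"example-password").hexdigest()   # constructed MySQL row
    url_value = stored                                       # what pass= would carry
    results["static_first"] = static_token_accepts(stored, url_value)
    results["static_again"] = static_token_accepts(stored, url_value)

    # 2. Challenge-response: the response only validates for one session id.
    server = Server(SHARED_SECRET)
    sid = server.new_session()
    resp = client_response(SHARED_SECRET, sid)
    results["genuine"] = server.handle(sid, resp)
    results["replay_same_session"] = server.handle(sid, resp)
    results["forged"] = server.handle(server.new_session(), "0" * 64)
    other_sid = server.new_session()
    results["reused_on_other_session"] = server.handle(other_sid, resp)
    return results


if __name__ == "__main__":
    for name, outcome in run_exchange().items():
        print(f"{name}: {outcome}")
```

The static token is accepted every time because it carries no per-request information; the challenge-response rejects a replayed pair, a response computed without the secret, and a response moved to another session. The caveat yavor raises still applies: the secret has to be embedded in the Flash file, which any visitor can download, so the server-side session check in the accepted answer is the control that actually decides who may call main.php.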
LVL 2

Accepted Solution

by:
ramonklown earned 105 total points
ID: 10995661
If you don't trust MySQL databases then why are you working with them in the first place? It's an obvious answer to your MD5 question.

And plus there are hundreds of MD5 decryptors, so you can specify a specific encryption but the decryptor will decrypt anyway. So if the guy has gone to all the trouble to get there and has the knowledge, of course he is gonna have a decrypting program. Or he can make a script himself to decrypt.

There are like 30 - 50 default different encryptions (I've read about this a long time ago). But of course you can make your own.


***The best way to keep things safe is session vars.

You create a session variable:

// login page: check the posted credentials, then remember the user in the session.
// The posted values are escaped so a quote in them cannot change the query.
session_start();
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$query = mysql_query("select * from database where user='$user' AND pass='$pass'");
$check = mysql_num_rows($query);

if ($check > 0) {
    $_SESSION['username'] = $_POST['user'];
}

/* on the next page: registered is whether he already filled out the form and status is whether his email is valid */
session_start();   // must run before $_SESSION can be read
if (!empty($_SESSION['username'])) {
    $user = mysql_real_escape_string($_SESSION['username']);
    $query = mysql_query("select * from database where user='$user' AND registered='1' AND status='1'");
    $check = mysql_num_rows($query);
    if ($check) {
        //page content
    }
    else { include("error.php"); }
}
else { include("error.php"); }