Solved

security: how to detect where user comes from..

Posted on 2004-05-01
201 Views
Last Modified: 2011-09-20
hi everyone,

I am struggling with the following. I have a Flash file from which I call a script called
main.php. This file is called like this: main.php?action=delete&Id=1 etc.

But when I call this file directly in a browser it also works, which is a potential security risk.
From Flash I can send a string along, but when I look in the history of my browser, it shows
the whole URL and string...

So my question is: can I detect if the user comes from the Flash file? If yes, then execute
the .php script; if not, redirect somewhere else.

Thanks in advance,

derek
Question by:dwax
3 Comments

Expert Comment

by:yavosh
ID: 10968805
You could use the $_SERVER['HTTP_REFERER'] variable to check for the Flash file, but this can easily be forged and is not very reliable.

Second option: you could use POST to send a password to the Flash file (I am not sure how this would work from Flash).

A third option is to use some sort of challenge-response system, but this might be a bit of an overkill. Here is how such a system might work:

The first time you connect to the script you get a session id back.

You use a secret password to hash the session id. The most common hash function is MD5; there should be an implementation in Flash for it.

So:
$challenge = md5('secret' . $sessionid); // hash the secret together with the session id (md5() takes no key argument)

When you send the script the correct challenge you get your desired output. In such a way your password (secret) is never transmitted in the clear. The only security problem might appear if someone hijacks the session.

yavor
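The challenge-response scheme yavosh sketches, written out as an added PHP example; it is not code from the thread. It assumes the shared secret is a server-side constant SHARED_SECRET, a five-minute lifetime CHALLENGE_TTL, and two action names, challenge and delete; compute_response stands in for what the Flash client would calculate with its own MD5 library.

```php
<?php
// Added example (not from the thread): challenge-response gate for main.php.
// The server hands out a random challenge tied to the session; the caller must
// return md5(secret . challenge). The secret itself never crosses the wire and
// each challenge is accepted only once.
// Assumed: SHARED_SECRET is a server-side config value (placeholder below),
// CHALLENGE_TTL is the challenge lifetime, and a PHP session is available.

const SHARED_SECRET = 'replace-me-with-a-long-random-value'; // placeholder value
const CHALLENGE_TTL = 300;                                   // seconds

// Step 1: main.php?action=challenge -> issue a fresh, session-bound challenge
function issue_challenge(array &$session): string
{
    $challenge = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $session['challenge']        = $challenge;
    $session['challenge_issued'] = time();
    return $challenge;
}

// What the client computes (shown in PHP for the demo; Flash would do the same)
function compute_response(string $secret, string $challenge): string
{
    return md5($secret . $challenge);
}

// Step 2: main.php?action=delete&Id=1&response=... -> verify before acting
function verify_response(array &$session, string $response, ?int $now = null): bool
{
    $now = $now ?? time();
    if (empty($session['challenge'])) {
        return false;                          // nothing was issued for this session
    }
    $challenge = $session['challenge'];
    $issued    = $session['challenge_issued'] ?? 0;

    // Single use: clear the challenge whether or not the check passes, so a
    // URL replayed from the browser history is rejected the second time.
    unset($session['challenge'], $session['challenge_issued']);

    if ($now - $issued > CHALLENGE_TTL) {
        return false;                          // expired
    }
    $expected = compute_response(SHARED_SECRET, $challenge);
    return hash_equals($expected, $response);  // constant-time comparison
}

// Minimal dispatcher showing how main.php would use the two steps
session_start();
$action = $_GET['action'] ?? '';
if ($action === 'challenge') {
    echo issue_challenge($_SESSION);
} elseif ($action === 'delete') {
    if (!verify_response($_SESSION, $_GET['response'] ?? '')) {
        header('Location: /denied.php');       // assumed landing page for rejected calls
        exit;
    }
    // ... perform the delete for (int) $_GET['Id'] here ...
}
```

Because the challenge is random, bound to the session and cleared after one use, a URL copied out of the browser history no longer verifies. md5 is kept only to match the thread; where the client can compute it, hash_hmac('sha256', $challenge, $secret) is the standard construction for this. The exposure yavosh mentions, session hijacking, still applies, and a secret compiled into the .swf can be read out of the file, so the check proves possession of the secret, not that the caller is the Flash movie.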
Author Comment

by:dwax
ID: 10975145
Hi yavor,

Thanks for your response... What do you think of the following:

I get a password from MySQL which is MD5. When I retrieve it, I leave the MD5 encryption intact,
then I get something like '`1453245hjgjh43545', or whatever. I read this into Flash, still leaving the
MD5 intact. When I call the .php script from Flash I use something like this:

main.php?action=delete&ID=1&pass=asdsd987sad8sdasd

In the beginning of main.php I decrypt the MD5 password. Et voilà?

Is this possible, and safe? Or can anyone copy and paste the encrypted MD5 into a .php script and decrypt it?

I'd like to hear your opinion,

regards,

derek
LVL 2

Accepted Solution

by: ramonklown (earned 105 total points)
ID: 10995661
If you don't trust MySQL databases then why are you working with them in the first place? It's an obvious answer to your MD5 question.

And plus, there are hundreds of MD5 decryptors, so you can specify a specific encryption but the decryptor will decrypt anyway. So if the guy has gone to all the trouble to get there and has the knowledge, of course he is going to have a decrypting program. Or he can make a script himself to decrypt.

There are like 30 - 50 different default encryptions (I've read about this a long time ago). But of course you can make your own.


***The best way to keep things safe is session vars.

you create a session variable
session_start(); // must run before $_SESSION is read or written
$user = mysql_real_escape_string($_POST['user']); // escape form values before they go into the query
$pass = mysql_real_escape_string($_POST['pass']);
$query = mysql_query("select * from database where user='$user' AND pass='$pass'");
$check = mysql_num_rows($query);

if ($check > 0) {
    $_SESSION['username'] = $_POST['user']; // store the value the next page looks up
}

/*on the next page, registered is if he already filled out the form and status is if his email is valid*/
session_start();
if (!empty($_SESSION['username'])) {
    $user = mysql_real_escape_string($_SESSION['username']);
    $query = mysql_query("select * from database where user='$user' AND registered='1' AND status='1'");
    $check = mysql_num_rows($query);
    if ($check) {
        //page content
    }
    else { include("error.php"); }
}
else { include("error.php"); }
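The same session-based check as an added PHP example with the defects removed; this is not ramonklown's code. It assumes a users table with columns id, email, password_hash, registered and status, an items table with id and owner_id, passwords stored with password_hash(), and a config.php that creates a PDO handle $db. The mysql_* functions used in the answer were removed in PHP 7, so PDO with bound parameters is used instead.

```php
<?php
// Added example (not from the thread): session-based authorization for main.php
// using prepared statements and hashed passwords.
// Assumed: tables `users` (id, email, password_hash, registered, status) and
// `items` (id, owner_id); config.php defines a PDO connection in $db.

session_start();

// login.php: check the posted credentials and mark the session as logged in
function login(PDO $db, string $email, string $password): bool
{
    // Bound parameters keep the user's input out of the SQL text entirely
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a password_hash() value; never ship or compare raw MD5 strings
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id after login blocks fixation
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// main.php: only act if the session belongs to a registered, validated user.
// Nothing in the URL decides this, so the query string in the browser history
// is useless without the session cookie.
function current_user(PDO $db): ?array
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, email FROM users WHERE id = :id AND registered = 1 AND status = 1'
    );
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

require 'config.php';                   // assumed to define $db (PDO)

if (($_GET['action'] ?? '') === 'delete') {
    $user = current_user($db);
    if ($user === null) {
        include 'error.php';
        exit;
    }
    // Scope the delete to rows the logged-in user owns, so changing Id in the
    // URL cannot reach other users' data
    $stmt = $db->prepare('DELETE FROM items WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => (int) ($_GET['Id'] ?? 0), ':owner' => $user['id']]);
}
```

What decides whether main.php?action=delete&Id=1 runs is the session cookie, which never appears in the URL, so the history-exposure problem from the question goes away: pasting the URL into another browser lands on error.php. Two further points a reviewer would raise: the delete is restricted to owner_id so a logged-in user cannot remove other users' rows by editing Id, and a state-changing action should be a POST carrying a CSRF token rather than a GET.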