The below goes in form.php/whatever.php
<?php
// Key hash for today: a fixed secret string plus the date, so it changes every day
$key = md5("key".date("Ymd"));
?>
<form action="edit.php" method="post">
<input name="hash" type="hidden" value="<?php echo $key; ?>">
</form>
Now this goes in edit.php/whatever.php
<?php
// Recompute today's key hash and refuse the request unless the submitted one matches
$expected = md5("key".date("Ymd"));
if (!isset($_POST['hash']) || !is_string($_POST['hash']) || !hash_equals($expected, $_POST['hash'])) {
    die("Restricted access!");
}
?>
Most of you will understand what this does, but just in case: the form carries a hash key derived from a secret string ("key", which you should change for your site) and today's date, so it is unique to your site and changes every day. The script that does the actual SQL query or other processing checks the submitted hash and dies unless it matches the one computed for today.
This is just the basics of what you can do with key hashes. I have built many systems with key hash security that is unique not only for the day but for every edit form, page or cookie. Keep in mind that the hash above sits in the form's HTML and is the same for every visitor that day, so anyone who fetches the form can reuse it. It will not stop the most relentless hackers, but it will fend off a boatload of the less sophisticated hackers and bots that post straight to the processing script without loading the form first.
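As an added example (not the original post's code) of the "unique for every edit form" variant described above: the key hash is bound to the form name, a random per-session value and the day, and checked in constant time. The secret FORM_SECRET, the form and field names, and the session-nonce approach are assumptions for illustration.

```php
<?php
// Added example, not the original post's code: per-form, per-session key hash.
// Assumptions: PHP >= 7.1 with sessions enabled; FORM_SECRET is loaded from
// configuration and never sent to the browser.
session_start();

const FORM_SECRET = 'replace-with-a-long-random-value'; // assumed, keep server side

// One random value per session, generated on first use.
function session_nonce(): string {
    if (empty($_SESSION['form_nonce'])) {
        $_SESSION['form_nonce'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['form_nonce'];
}

// Key hash bound to the form name, this session and today's date.
// A hash copied from another visitor's form fails here because their nonce
// differs, and a hash issued for "edit" is not accepted by "delete".
function form_key(string $form): string {
    return hash_hmac('sha256', $form . '|' . session_nonce() . '|' . date('Ymd'), FORM_SECRET);
}

// Constant-time comparison; rejects non-string input such as hash[]=x.
function form_key_valid(string $form, $submitted): bool {
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals(form_key($form), $submitted);
}

// form.php side: emit the hidden field inside the form.
function render_form(string $form, string $action): string {
    $key    = htmlspecialchars(form_key($form), ENT_QUOTES, 'UTF-8');
    $target = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $target . '" method="post">'
         . '<input name="hash" type="hidden" value="' . $key . '">'
         . '<input name="title" type="text">'
         . '<input type="submit" value="Save">'
         . '</form>';
}

// edit.php side: stop before any SQL or other processing runs.
function require_form_key(string $form): void {
    if (!form_key_valid($form, $_POST['hash'] ?? null)) {
        http_response_code(403);
        die("Restricted access!");
    }
}

// Usage:
//   in form.php:  echo render_form('edit', 'edit.php');
//   in edit.php:  require_form_key('edit');   // then process $_POST
```

Because the date is still part of the input, a form opened just before midnight will be rejected after it; if that matters, drop the date term and rely on the per-session nonce alone, which already gives a different hash per visitor.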
Jan-Erik Lysander runs Lysander Consulting who specialise in IT / internet / web development.
Many thanks for this, this will come in handy!!!
Although this is a nice solution to ensure that the POST data comes from a valid source (i.e. the originating form), it is still quite easy to manipulate the data in between whilst maintaining a valid hash. It does, as you state, stop most “script kiddies”, but you will still need to do something else very important: clean and verify the input before processing it.
I must say though, I like the idea of adding a unique hash to data to verify its integrity. You could make good use of that to prevent cookie modification hacks by “checksumming” the data before populating the cookie.
Good tip
Thank you guys for the comments!
Cleaning up input before processing it is very important (and should not be forgotten!). You can use the following script to do it very quickly:
<?php
foreach ($_POST as $key => $value) {
    // Empty fields become NULL and are not escaped
    if (empty($value)) {
        $_POST[$key] = NULL;
        continue;
    }
    $_POST[$key] = addslashes($value);
}
?>
This is again just a very basic script but it will save you a load of code and does the job pretty well. If you’re doing this check within a MySQL connection I would suggest also running mysql_real_escape_string().
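An added example (not the commenter's code) of the cleaning step done the way it is usually done today: each field is validated against what it is allowed to contain, and the values reach MySQL as bound parameters rather than as escaped text, so quotes in the input are data instead of SQL syntax. The table and column names (`posts`, `id`, `title`, `body`) and the connection details are assumptions for illustration; note that the mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7.0.

```php
<?php
// Added example, not the comment's code: validate each POST field, then pass the
// values to the database as bound parameters instead of calling addslashes().
// Assumptions: PDO with the MySQL driver; a table posts(id, title, body).

// Whitelist each field by type, length and presence. Unknown fields are ignored.
function clean_post(array $post): array {
    $clean = [];

    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $clean['id'] = $id;

    $title = is_string($post['title'] ?? null) ? trim($post['title']) : '';
    if ($title === '' || mb_strlen($title) > 200) {
        throw new InvalidArgumentException('title must be 1-200 characters');
    }
    $clean['title'] = $title;

    $clean['body'] = is_string($post['body'] ?? null) ? $post['body'] : '';
    return $clean;
}

// The values never become part of the SQL text, so no escaping is needed.
function update_post(PDO $db, array $clean): int {
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepare
    $stmt = $db->prepare('UPDATE posts SET title = :title, body = :body WHERE id = :id');
    $stmt->execute([
        ':title' => $clean['title'],
        ':body'  => $clean['body'],
        ':id'    => $clean['id'],
    ]);
    return $stmt->rowCount();
}

// Usage in edit.php, after the key hash check (connection details assumed):
//   $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass',
//       [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
//   update_post($db, clean_post($_POST));
```

Escaping with addslashes() or mysql_real_escape_string() only protects the one place the value is quoted into a query string; a bound parameter protects every query the value is used in, and the validation above also rejects arrays (title[]=x) that addslashes() would warn on.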
Thanks for security key