Comments on: 24/09 – Dev :: Key-hash Security http://www.evohosting.co.uk/blog/web-development/security/key-hash-security/ UK Web Hosting Thu, 09 Feb 2012 00:13:22 +0000 hourly 1 By: Konstantinhttp://www.evohosting.co.uk/blog/web-development/security/key-hash-security/comment-page-1/#comment-3930 Konstantin Wed, 18 Mar 2009 08:37:11 +0000 http://www.evohosting.co.uk/blog/?p=119#comment-3930 Thanks for security key Thanks for security key

]]> By: Jan-Erik L.http://www.evohosting.co.uk/blog/web-development/security/key-hash-security/comment-page-1/#comment-3622 Jan-Erik L. Fri, 10 Oct 2008 12:24:59 +0000 http://www.evohosting.co.uk/blog/?p=119#comment-3622 <strong>Thank you guys for the comments!</strong> Cleaning up input before processing it is very important (and should not be forgotten!). You can use the following script to do it very quickly: <code> <?PHP foreach ($_POST as $key => $value) { if (empty($_POST[$key])) {$_POST[$key] = NULL;} $_POST[$key] = addslashes($value); } ?> </code> This is again just a very basic script but it will save you a load of code and does the job pretty well. If you're doing this check within a MySQL connection I would suggest also running <a href="http://se.php.net/mysql_real_escape_string" rel="nofollow">mysql_real_escape_string()</a>. Thank you guys for the comments!

Cleaning up input before processing it is very important (and should not be forgotten!). You can use the following script to do it very quickly:


< ?PHP
foreach ($_POST as $key => $value) {
if (empty($_POST[$key])) {$_POST[$key] = NULL;}

$_POST[$key] = addslashes($value);
}
?>

This is again just a very basic script but it will save you a load of code and does the job pretty well. If you’re doing this check within a MySQL connection I would suggest also running mysql_real_escape_string().

]]> By: Svenhttp://www.evohosting.co.uk/blog/web-development/security/key-hash-security/comment-page-1/#comment-3620 Sven Tue, 07 Oct 2008 11:20:23 +0000 http://www.evohosting.co.uk/blog/?p=119#comment-3620 Although this is a nice solution to ensure that the POST data comes from a valid source (i.e. the originating form) it is still quite easy to manipulate the data in between whilst maintaining a valid hash. It does, as you state, stop most "script kiddies". but you will still need to do something else very important: Clean and verify the input before processing it. I must say though, I like the idea of adding a unique hash to data to verify its integrity. You could make good use of that to prevent cookie modification hacks by "checksumming" the data before populating the cookie. Good tip :) Although this is a nice solution to ensure that the POST data comes from a valid source (i.e. the originating form) it is still quite easy to manipulate the data in between whilst maintaining a valid hash. It does, as you state, stop most “script kiddies”. but you will still need to do something else very important: Clean and verify the input before processing it.

I must say though, I like the idea of adding a unique hash to data to verify its integrity. You could make good use of that to prevent cookie modification hacks by “checksumming” the data before populating the cookie.

Good tip :)

]]> By: Orlandohttp://www.evohosting.co.uk/blog/web-development/security/key-hash-security/comment-page-1/#comment-3594 Orlando Sun, 28 Sep 2008 17:14:20 +0000 http://www.evohosting.co.uk/blog/?p=119#comment-3594 many thanks for this, this will come in handy!!! many thanks for this, this will come in handy!!!

]]>