14.4.1. Problem

14.4.2. Solution

Here's how to print a hash in a hidden form field:

$secret_word = 'flyingturtle';
$id = 2836;
$hash = md5($secret_word . $id);

print<<<_HTML_
<input type="hidden" name="id" value="$id">
<input type="hidden" name="idhash" value="$hash">
_HTML_;

Here's how to verify the hidden form field data when it's submitted:

$secret_word = 'flyingturtle';

if (md5($secret_word . $_REQUEST['id']) == $_REQUEST['idhash']) {
    $id = $_REQUEST['id'];
} else {
    die("Invalid data in $_REQUEST[id]");
}

14.4.3. Discussion

When processing the submitted form data, compute the hash of the submitted value of $_REQUEST['id'] and the secret word. If it matches the submitted hash, the value of $_REQUEST['id'] has not been altered by the user. If the hashes don't match, you know that the value of $_REQUEST['id'] you received is not the same as the one you sent.

$secret_word = 'flyingturtle';
$cookie_value = 'Ellen';
$hash = md5($secret_word . $id);

setcookie('name',join('|',array($cookie_value,$hash)));

$secret_word = 'flyingturtle';
list($cookie_value,$cookie_hash) = explode('|',$_COOKIE['name'],2);
if (md5($secret_word . $cookie_value) == $cookie_hash) {
    $name = $cookie_value;
} else {
    die('Invalid data in $_COOKIE[name]');
}

Using a data-verification hash in a form or cookie obviously depends on the secret word used in hash computation. If a malicious user discovers your secret word, the hash offers no protection. Aside from guarding the secret word zealously, changing it frequently is a good idea. For an additional layer of protection, use different secret words, choosing the specific word to use in the hash based on some property of the $id value (10 different words selected by $id%10, for example). That way, damage is controlled if one of the words is compromised.

14.4.4. See Also