home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  


Book HomePHP CookbookSearch this book

14.4. Verifying Data with Hashes

14.4.3. Discussion

When processing the submitted form data, compute the hash of the submitted value of $_REQUEST['id'] and the secret word. If it matches the submitted hash, the value of $_REQUEST['id'] has not been altered by the user. If the hashes don't match, you know that the value of $_REQUEST['id'] you received is not the same as the one you sent.

To use a verification hash with a cookie, add the hash to the cookie value with join( ) :

$secret_word = 'flyingturtle';
$cookie_value = 'Ellen';
$hash = md5($secret_word . $id);

setcookie('name',join('|',array($cookie_value,$hash)));

Parse the hash from the cookie value with explode( ):

$secret_word = 'flyingturtle';
list($cookie_value,$cookie_hash) = explode('|',$_COOKIE['name'],2);
if (md5($secret_word . $cookie_value) == $cookie_hash) {
    $name = $cookie_value;
} else {
    die('Invalid data in $_COOKIE[name]');
}

Using a data-verification hash in a form or cookie obviously depends on the secret word used in hash computation. If a malicious user discovers your secret word, the hash offers no protection. Aside from guarding the secret word zealously, changing it frequently is a good idea. For an additional layer of protection, use different secret words, choosing the specific word to use in the hash based on some property of the $id value (10 different words selected by $id%10, for example). That way, damage is controlled if one of the words is compromised.

If you have the mhash module installed, you're not limited to MD5 hashes. mhash supports a number of different hash algorithms. For more information about mhash, see the mhash material in the online PHP manual or the mhash home page at http://mhash.sourceforge.net/.

14.4.4. See Also

Recipe 8.11 uses a verification hash for cookie-based authentication; Recipe 9.4 for an example of using hashes with hidden form variables; documentation on md5( ) at http://www.php.net/md5 and the mhash extension at http://www.php.net/mhash.



Library Navigation Links

Copyright © 2003 O'Reilly & Associates. All rights reserved.