[thelist] Fwd: Re: Price modification in Element InstantShop

Anthony Baratta Anthony at Baratta.com
Wed Oct 25 13:37:29 CDT 2000


I thought this was interesting.....


>[snip of exploit which manipulates HTML hidden form inputs]
>
>Regrettably common, I think.
>
>This is just a reminder (with PHP3 code) that one simple technique
>to protect against this kind of tampering is to use a signature
>to validate the hidden values.
>
>In PHP3, it is as simple as using md5 with a secret, like this:
>
>   $secret = "Some constant, unrevealed string.";
>
>/* On writing out the form */
>   echo "<INPUT TYPE=hidden NAME=price VALUE=\"$price\">";
>   echo "<INPUT TYPE=hidden NAME=hidden2 VALUE=\"$hidden2\">";
>   echo "<INPUT TYPE=hidden NAME=hidden3 VALUE=\"$hidden3\">";
>   echo "<INPUT TYPE=hidden NAME=hiddensig VALUE=\"" .
>         md5($price . $hidden2 . $hidden3 . $secret) . "\">";
>
>/* On reading in the form */
>   if (md5($price . $hidden2 . $hidden3 . $secret) != $hiddensig) {
>      /* Tampering detected */
>   } else {
>      /* Signature matches expected */
>   }
>
>Forrest J. Cavalier III, Mib Software  Voice 570-992-8824
>http://www.rocketaware.com/ has over 30,000 links to
>source, libraries, functions, applications, and documentation.


----
Anthony Baratta
President
Keyboard Jockeys
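The same hidden-field signature idea as an added example in Python (not the PHP3 code from the forwarded message), with two hardenings the snippet above lacks: fields are encoded with their names and separators before hashing, so a value cannot be shifted from one field to another while keeping the same hash, and the digest is an HMAC checked with a constant-time comparison. The secret, field names and values are constructed for the example.

```python
import hmac
import hashlib
import html
from urllib.parse import urlencode

# Constructed secret for this example; a real deployment loads it from
# configuration outside the web root and never writes it into the page.
SECRET = b"example-secret-not-for-production"

def canonical(fields):
    """Encode the fields unambiguously: sorted by name, URL-encoded.
    Plain concatenation (price . hidden2) gives ("10","0") and ("100","")
    the same input string; named, separated encoding does not."""
    return urlencode(sorted(fields.items())).encode()

def sign_fields(fields, secret=SECRET):
    """HMAC-SHA256 over the canonical encoding, in place of md5(data . secret)."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()

def verify_fields(fields, sig, secret=SECRET):
    """Recompute the signature and compare in constant time."""
    expected = sign_fields(fields, secret)
    return hmac.compare_digest(expected, sig)

def render_hidden_inputs(fields, secret=SECRET):
    """Emit the hidden inputs plus the signature, HTML-escaped."""
    lines = [f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
             for k, v in sorted(fields.items())]
    lines.append(f'<input type="hidden" name="hiddensig" value="{sign_fields(fields, secret)}">')
    return "\n".join(lines)

def handle_submission(form, secret=SECRET):
    """Server side: separate the signature from the signed fields and verify.
    A missing or altered signature, or any altered field, is rejected."""
    form = dict(form)
    sig = form.pop("hiddensig", "")
    return verify_fields(form, sig, secret)

if __name__ == "__main__":
    fields = {"price": "19.99", "hidden2": "sku-42", "hidden3": "USD"}
    print(render_hidden_inputs(fields))
    submitted = dict(fields, hiddensig=sign_fields(fields))
    print("unchanged form accepted:", handle_submission(submitted))
    submitted["price"] = "0.01"
    print("tampered price accepted:", handle_submission(submitted))
```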




