
[cgiapp] Re: URL Encryption


On 2003-10-07, Steve Comrie <suppressed> wrote:
>
> I could come up with a quick solution using crypt() on the reportid and
> including the result in the arguments along with the report id:
> /report.cgi?id=200enc=a23dj7923h or possibly doing a simple encryption on
> the report id itself /report.cgi?id=2dj872. I was just wondering what
> techniques other people are using to get around this same challenge.

Steve,

You are on the right track here. I'll elaborate on what other people
have said. The key to a system like the above is having a "secret" key
that comes from a config file and is not publicly available.

To generate "enc", you create a checksum using the report_id and the
secret as the seeds, like this: 

# untested
# Return the hex MD5 checksum of the secret followed by the report id.
sub gen_id_md5 {
    my ($secret, $id) = @_;
    require Digest::MD5;
    my $md5 = Digest::MD5->new;
    $md5->add($secret, $id);
    return $md5->hexdigest;
}

Before running the report, you take the ID received, generate
its checksum again, and compare that to the "enc" received.

Even if someone understands the checksum system, they should have difficulty
generating a valid one without knowing your secret.

	Mark
--
http://mark.stosberg.com/ 
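
The generate-and-verify cycle described in this message, as an added example that is not part of the original post: it uses HMAC-SHA256 from Digest::SHA in place of the post's MD5 over secret and id, and compares the two checksums in constant time. The sub names, the placeholder secret and the assumption that report ids are plain numbers are illustrative.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: in a real application the secret is read from a config file
# outside the web root; this value is a constructed placeholder.
my $SECRET = 'constructed-example-secret';

# Return the value for the "enc" parameter that accompanies a report id.
sub sign_id {
    my ($secret, $id) = @_;
    return hmac_sha256_hex($id, $secret);    # arguments are (data, key)
}

# Compare two strings without stopping at the first differing character.
sub equal_constant_time {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# True only if $id is a plain number and $enc matches its recomputed checksum.
sub verify_id {
    my ($secret, $id, $enc) = @_;
    return 0 unless defined $id  && $id  =~ /\A[0-9]+\z/;
    return 0 unless defined $enc && $enc =~ /\A[0-9a-f]{64}\z/;
    return equal_constant_time(sign_id($secret, $id), $enc);
}

# Constructed sample requests: the link the application issued, the same link
# with the id edited by hand, and a link carrying a made-up "enc" value.
my $enc = sign_id($SECRET, 200);
for my $req ([200, $enc], [201, $enc], [200, 'a23dj7923h']) {
    my ($id, $got) = @$req;
    printf "id=%s enc=%.10s... -> %s\n", $id, $got,
        verify_id($SECRET, $id, $got) ? 'run report' : 'reject';
}
```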

