mikemastah Posted December 6, 2008 This is my problem: I have a shoutbox which encloses the user's username like this: <input type="hidden" id="username" value="<?php echo $username; ?>" /> The thing is, all users with a little bit of knowledge can change this to whatever they want. I need some way to send the $username variable along with this form, without the user being able to modify it. Any ideas?
Vortex Posted December 6, 2008 Re: PHP Form issue Try adding another hidden field, with a hash (md5/sha1/sha256 etc.) of the username AND the session_id() (and optionally, another "salt"). That way you can easily verify the hidden username field has not been tampered with.
mikemastah Posted December 6, 2008 Author Re: PHP Form issue @Vortex that makes it just a little bit harder for them but not impossible. @pog-one and what exactly should I do with $_SESSION?
POG1 Posted December 6, 2008 Re: PHP Form issue Instead of using $_POST['username'] you could use $_SESSION['id'] or $ir['username']...
mikemastah Posted December 6, 2008 Author Re: PHP Form issue Yea ok, but $_SESSION['id'] changes constantly, am I right?
Guest Anonymous Posted December 7, 2008 Re: PHP Form issue "@Vortex that makes it just a little bit harder for them but not impossible." Indeed - not impossible, but I doubt many people have enough equipment to reverse engineer an md5/sha1/sha256 hash from scratch in anything less than 40 years.
mikemastah Posted December 7, 2008 Author Re: PHP Form issue "@Vortex that makes it just a little bit harder for them but not impossible. Indeed - not impossible, but I doubt many people have enough equipment to reverse engineer an md5/sha1/sha256 hash from scratch in anything less than 40 years." True. Suggestions on which hash to use?
mikemastah Posted December 7, 2008 Author Re: PHP Form issue Can't edit my post..... "If you want it to be their username, why even add it to the form, which is pre-process? Why not simply add it post..well.. post-post (lol!) instead of $username = $_POST['username'] Remove the $_POST (aka form field) and make it something like: $username = $ir['username'];" What exactly is '$ir'??
POG1 Posted December 7, 2008 Re: PHP Form issue $ir is an array that contains all your player statistics. A query selects your record from the users table in the database and creates an array from the values. So $ir['username'] would be the username in your record in the database.
mikemastah Posted December 7, 2008 Author Re: PHP Form issue Ooooh ok, thanks for explaining.
Lithium Posted December 7, 2008 Re: PHP Form issue Or you could also use bin2dec('$username') and use UNHEX when dealing with DB statements.
Zeggy Posted December 8, 2008 Re: PHP Form issue Use a salted hash... and just pick a good salt and encryption method. If they don't know the salt and are unlikely to guess the salt, they won't be able to create their own hash when they change the username. "Indeed - not impossible, but I doubt many people have enough equipment to reverse engineer an md5/sha1/sha256 hash from scratch in anything less than 40 years." I thought the point was that hashes are non-reversible.
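The tamper check that Vortex and Zeggy describe (a keyed hash of the username plus session_id() in a second hidden field), written out as an added example; this is not code from any poster in the thread. It assumes session_start() has already run, that $_SESSION['username'] was set at login, and a server-side secret named HIDDEN_FIELD_SECRET (assumed name); it uses hash_hmac() so the "salt" is a real key rather than a string prefix.

```php
<?php
// Added example, not from the thread. HIDDEN_FIELD_SECRET is an assumed name;
// it must live only on the server (config file, not in the rendered page).
const HIDDEN_FIELD_SECRET = 'replace-with-a-long-random-server-side-secret';

// Tag for the hidden field: HMAC-SHA256 over username + current session id.
// Binding the session id means a tag copied from one login is useless in another.
function hidden_username_tag(string $username): string
{
    return hash_hmac('sha256', $username . '|' . session_id(), HIDDEN_FIELD_SECRET);
}

// Check the submitted pair. Returns the username if the tag matches, else null.
// Note: if the session id was regenerated between render and submit, the tag no
// longer matches; that is a rejection, not a bypass.
function verify_hidden_username(array $post): ?string
{
    if (!isset($post['username'], $post['username_tag'])) {
        return null;
    }
    $expected = hidden_username_tag((string) $post['username']);
    // hash_equals() compares in constant time, so the check does not leak the tag.
    return hash_equals($expected, (string) $post['username_tag'])
        ? (string) $post['username']
        : null;
}

// Rendering the form (constructed usage):
//   $user = $_SESSION['username'];
//   echo '<input type="hidden" name="username" value="' . htmlspecialchars($user) . '" />';
//   echo '<input type="hidden" name="username_tag" value="' . hidden_username_tag($user) . '" />';
//
// Handling the submission:
//   $username = verify_hidden_username($_POST);
//   if ($username === null) {
//       http_response_code(400);
//       exit('form field was modified');
//   }
//
// The simpler route, as POG1 and Will say later in the thread, is to send no
// username field at all and take the identity from the server-side session:
//   $username = $_SESSION['username'];
```

The tagged-field approach only proves the field was not edited after the server wrote it; reading the identity straight from the session removes the field, and the problem, entirely.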
Will Posted December 13, 2008 Re: PHP Form issue Why even bother with encryption? You can never trust an input from a user; as said, just use a session.
Zeggy Posted December 14, 2008 Re: PHP Form issue "Why even bother with encryption? You can never trust an input from a user; as said just use a session." You encrypt it so you know you can trust it :) And this doesn't appear to be user input, it's a hidden form field. Also, sessions aren't infallible.
Will Posted December 20, 2008 Re: PHP Form issue "And this doesn't appear to be user input, it's a hidden form field." The user can still edit it...
Zeggy Posted December 21, 2008 Re: PHP Form issue Yes, but they're not meant to. You know what the value is and you know exactly what you are expecting (apparently/assuming, not much info is given about the context by the OP). The problem here is that the user also knows what you are expecting (a number corresponding to the user ID). And then you solve this problem by removing that ability for the user - by encrypting it or doing something else to it so it's difficult for the user to replicate an alternative value. But I suppose, yeah, sessions would be an easy solution :) EDIT: Oh wait, it's for a shout box. In that case... if the user is logged in, surely the user variables are available?
mikemastah Posted December 24, 2008 Author Re: PHP Form issue "EDIT: Oh wait, it's for a shout box. In that case... if the user is logged in, surely the user variables are available?" Yea, I know I can use the user's variables (that's what I'm doing right now); I have no idea why I hadn't thought of those... I guess I worked too long without sleeping :-D Thanks for all your solutions, but I have my answer.