MakeWebGames


Posted

This is my problem: I have a shoutbox which encloses the user's username like this:

<input type="hidden" id="username" value="<?php echo $username; ?>" />

The thing is, all users with a little bit of knowledge can change this to whatever they want.

I need some way to send the $username variable along with this form, without the user being able to modify this.

Any ideas?

Posted

Re: PHP Form issue

Try adding another hidden field, with a hash (md5/sha1/sha256 etc) of the username AND the session_id() (and optionally, another "salt"). That way you can easily verify the hidden username field has not been tampered with.

Guest Anonymous
Posted

Re: PHP Form issue

 

@Vortex

that makes it just a little bit harder for them but not impossible.

Indeed - not impossible, but I doubt many people have enough equipment to reverse engineer an md5/sha1/sha256 hash from scratch in anything less than 40 years.

Posted

Re: PHP Form issue

 

@Vortex

that makes it just a little bit harder for them but not impossible.

Indeed - not impossible, but I doubt many people have enough equipment to reverse engineer an md5/sha1/sha256 hash from scratch in anything less than 40 years.

true

suggestions on which hash to use?

Posted

Re: PHP Form issue

Can't edit my post.....

If you want it to be their username, why even add it to the form, which is pre-process? Why not simply add it post..well.. post-post (lol!)

instead of

$username = $_POST['username'];

Remove the $_POST (aka form field) and make it something like:

$username = $ir['username'];

what exactly is '$ir'??

Posted

Re: PHP Form issue

$ir is an array that contains all your player statistics. A query selects your record from the users table in the database and creates an array from the values.

So $ir['username'] would be the username in your record in the database.

Posted

Re: PHP Form issue

Use a salted hash... and just pick a good salt and encryption method.

If they don't know the salt and are unlikely to guess the salt, they won't be able to create their own hash when they change the username.

 

Indeed - not impossible, but I doubt many people have enough equipment to reverse engineer an md5/sha1/sha256 hash from scratch in anything less than 40 years.

I thought the point was that hashes are non-reversible.

Posted

Re: PHP Form issue

 

Why even bother with encryption? You can never trust an input from a user; as said just use a session.

You encrypt it so you know you can trust it :)

And this doesn't appear to be user input, it's a hidden form field.

Also, sessions aren't infallible.

Posted

Re: PHP Form issue

Yes, but they're not meant to. You know what the value is and you know exactly what you are expecting (apparently/assuming, not much info is given about the context by the OP).

The problem here is that the user also knows what you are expecting (a number corresponding to the user ID).

And then you solve this problem by removing that ability for the user - by encrypting it or doing something else to it so it's difficult for the user to replicate an alternative value.

But I suppose, yeah, sessions would be an easy solution :)

 

EDIT: Oh wait, it's for a shout box. In that case... if the user is logged in, surely the user variables are available?

Posted

Re: PHP Form issue

 

EDIT: Oh wait, it's for a shout box. In that case... if the user is logged in, surely the user variables are available?

Yea, I know I can use the user's variables (that's what I'm doing right now), I have no idea why I haven't thought of those...

I guess I worked too long without sleeping :-D

Thanks for all your solutions, but I have my answer.
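
Added example, not part of the original thread: the two approaches discussed above, side by side in PHP. The function names, `SHOUT_SECRET` and the sample session values are assumptions made for illustration; the tag is an HMAC (`hash_hmac`) keyed with a server-side secret rather than a bare md5/sha1 of the concatenated values, and it is compared with `hash_equals`.

```php
<?php
declare(strict_types=1);

// Assumption: a random secret loaded from server config, never sent to the browser.
const SHOUT_SECRET = 'constructed-placeholder-use-32-random-bytes';

// Approach 1 (hidden field + tag): the tag binds the value to one session,
// so a tag copied from another user's form does not verify.
function sign_field(string $value, string $sessionId): string
{
    // "\0" separates the parts so ("ab","c") and ("a","bc") cannot collide.
    return hash_hmac('sha256', $sessionId . "\0" . $value, SHOUT_SECRET);
}

function verify_field(string $value, string $tag, string $sessionId): bool
{
    // hash_equals compares in constant time.
    return hash_equals(sign_field($value, $sessionId), $tag);
}

// Approach 2 (what the thread settles on): ignore anything posted and take
// the author from server-side state for the logged-in user.
function shout_author(array $session): ?string
{
    return isset($session['username']) ? (string) $session['username'] : null;
}

// --- Constructed sample data, standing in for session_id() and $_SESSION ---
$sid     = 'sess-abc123';
$session = ['username' => 'alice'];

// Rendering the form: emit the username and its tag as two hidden fields.
$tag = sign_field($session['username'], $sid);

// Handling the POST: three cases a server would see.
var_dump(verify_field('alice', $tag, $sid));        // field left untouched
var_dump(verify_field('admin', $tag, $sid));        // username edited in the browser
var_dump(verify_field('alice', $tag, 'sess-other')); // tag replayed from another session

// With approach 2 there is no field to verify at all.
var_dump(shout_author($session));
var_dump(shout_author([])); // not logged in: reject the shout
```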
