Here's the conundrum:
There's a Flash file that I can't edit for a number of reasons. The .swf, when run, sends $_POST values to a page that I created that receives the $_POST and records it. The problem is, users can alter the $_POST values using Firefox plugins and other easy methods. Is there a way to validate that the $_POST is legit? Since I can't edit the .fla or .swf file, anyone know any tricks?
Anyone know any $_POST validation tricks?
mattpointblank
Re: Anyone know any $_POST validation tricks?
Maybe append some sort of hashkey to the values before sending them (like, a secret phrase/word only you know) and check for its presence when reading the values (then remove it, obviously!)?
Re: Anyone know any $_POST validation tricks?
Read a few of these results.
A quick answer though: look into regular expressions (there's a great guide on these forums).
Re: Anyone know any $_POST validation tricks?
Let me be more specific...
The .swf file is what is sending the $_POST, and I can't alter that. The .swf sends an integer score to my script. I want to prevent people from editing the score that is sent by using a header modifier like Tamper (a Firefox plugin where you can change post values). I can't see how I can salt or pepper the variables since I can't edit what is sending the $_POST.
I can only add or edit code on my page where I receive the $_POST values.
Re: Anyone know any $_POST validation tricks?
That is a tough issue to fix via post vars. One way to fix it is to be confusing.
You could then pass two post vars, naming them something odd like salt and pepper, or even just gibberish. A hacker would then not know that the 2 post fields are really 1 base64+rot13 encoded score. They also would not know if salt or pepper comes first.
I would suggest you put your own twist on this as nothing is bulletproof.
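Code:
$score = 10;
// Encode the score, then split the encoded string (not the raw score) in half
$store = base64_encode(str_rot13((string) $score));
$half = (int) (strlen($store) / 2);
$s1 = substr($store, 0, $half); // sent as one field, e.g. "salt"
$s2 = substr($store, $half);    // sent as the other, e.g. "pepper"
Code:
// Join with "." (string concatenation), then undo base64 before rot13
$score = (int) str_rot13(base64_decode($_POST['salt'] . $_POST['pepper']));
Re: Anyone know any $_POST validation tricks?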
The problem is that I can't edit anything on the $_POST sending side at all. The post variable is going to be what it is. I can't edit it. All I can do is change my code on the receiving end.
Re: Anyone know any $_POST validation tricks?
Then you can do nothing about it. In any solution you must change the data that is being sent to be unique.
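Added example, not part of the original thread: the first reply's hash-key idea combined with the last reply's requirement that the sent data be unique, written as a one-time nonce plus an HMAC tag checked on the receiving page. It assumes the sender can be changed to include nonce and tag fields (which the original poster cannot do); SCORE_KEY, the field names and the function names are hypothetical.

```php
<?php
// Hypothetical names throughout; the key below is a constructed demo value.
const SCORE_KEY = 'constructed-demo-key-not-a-real-secret';

// Server side: hand the client a fresh one-time value before the game starts.
function issueNonce(array &$store): string
{
    $nonce = bin2hex(random_bytes(16));
    $store[$nonce] = true;           // stands in for $_SESSION or a DB table
    return $nonce;
}

// What a modified sender would compute over the score and the nonce.
function signScore(int $score, string $nonce): string
{
    return hash_hmac('sha256', $score . '|' . $nonce, SCORE_KEY);
}

// Receiving page: accept the score only if the tag matches and the nonce is unused.
function verifyScore(array $post, array &$store): ?int
{
    $score = filter_var($post['score'] ?? null, FILTER_VALIDATE_INT);
    $nonce = $post['nonce'] ?? '';
    $tag   = $post['tag'] ?? '';
    if ($score === false || !is_string($nonce) || !is_string($tag)) {
        return null;                 // malformed request
    }
    if (!isset($store[$nonce])) {
        return null;                 // unknown or already-used nonce (replay)
    }
    unset($store[$nonce]);           // each nonce is good for one submission
    return hash_equals(signScore($score, $nonce), $tag) ? $score : null;
}

// Constructed sample requests.
$store = [];
$nonce = issueNonce($store);
$genuine = ['score' => '10', 'nonce' => $nonce, 'tag' => signScore(10, $nonce)];
var_dump(verifyScore($genuine, $store));   // untouched submission
var_dump(verifyScore($genuine, $store));   // same request sent a second time

$nonce2 = issueNonce($store);
$edited = ['score' => '9999', 'nonce' => $nonce2, 'tag' => signScore(10, $nonce2)];
var_dump(verifyScore($edited, $store));    // score changed after the tag was computed
```

Any key shipped inside a client such as a .swf can be extracted from it, so this check stops casual edits made with a header-tampering plugin rather than proving the score is genuine.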