Anyone know any $_POST validation tricks?
Posted: Thu Jun 04, 2009 10:51 am
by Citizen
Here's the conundrum:
There's a flash file that I can't edit for a number of reasons. The .swf, when run, sends $_POST values to a page that I created that receives the $_POST and records it. The problem is, users can alter the $_POST values using Firefox plugins and other easy methods. Is there a way to validate that the $_POST is legit? Since I can't edit the .fla or .swf file, anyone know any tricks?
Re: Anyone know any $_POST validation tricks?
Posted: Thu Jun 04, 2009 10:57 am
by mattpointblank
Maybe append some sort of hashkey to the values before sending them (like, a secret phrase/word only you know) and check for its presence when reading the values (then remove it, obviously!)?
Re: Anyone know any $_POST validation tricks?
Posted: Thu Jun 04, 2009 10:59 am
by Chalks
Read a few of these results.
A quick answer though: look into regular expressions (there's a great guide on these forums).
Re: Anyone know any $_POST validation tricks?
Posted: Thu Jun 04, 2009 4:41 pm
by Citizen
Let me be more specific...
The .swf file is what is sending the $_POST, and I can't alter that. The .swf sends an integer score to my script. I want to prevent people from editing the score that is sent by using a header modifier like Tamper (a Firefox plugin where you can change post values). I can't see how I can salt or pepper the variables since I can't edit what is sending the $_POST.
I can only add or edit code on my page where I receive the $_POST values.
Re: Anyone know any $_POST validation tricks?
Posted: Thu Jun 04, 2009 5:21 pm
by t2birkey
That is a tough issue to fix via post vars. One way to fix it is to be confusing.
Code:
$score = 10;
// rot13 the score, then base64 it (rot13 only changes letters, so digits pass through unchanged)
$store = base64_encode(str_rot13((string)$score));
// split the encoded string in half; each half is sent as its own post field
$half = (int)(strlen($store) / 2);
$s1 = substr($store, 0, $half);
$s2 = substr($store, $half);
You could then pass to post vars naming them something odd like salt and pepper, or even just gibberish. A hacker would then not know that the 2 post fields are really 1 base64+rot13 encoded score. They also would not know if salt or pepper comes first.
Code:
// join the halves in the order they were split, then undo the base64 and the rot13
$score = str_rot13(base64_decode($_POST['salt'] . $_POST['pepper']));
I would suggest you put your own twist on this as nothing is bullet proof.
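Added example, not code from either poster in this thread: the two suggestions above side by side in PHP. The first part round-trips t2birkey's split rot13+base64 score and then decodes a forged one with the same steps, to show that the receiver has nothing to check once someone has read the .swf. The second part does mattpointblank's "secret hashkey" as a keyed HMAC (hash_hmac/hash_equals), which goes beyond a fixed secret phrase, and rejects a score that was edited after signing. Both schemes assume the sending side can be changed, which is exactly what Citizen says is not possible. The field names, the key constant and the tampering scenario are assumptions for the demo.

```php
<?php
// Added example for this thread, not code from the original posters.
// Assumed names: SCORE_KEY, the 'salt'/'pepper' and 'score'/'tag' fields.

// --- Scheme 1: obfuscation as in t2birkey's post (reversible without any secret) ---
function obfuscate_score(int $score): array {
    // rot13 leaves digits unchanged, so for an integer score only the base64 does anything
    $store = base64_encode(str_rot13((string)$score));
    $half  = intdiv(strlen($store), 2);
    return ['salt' => substr($store, 0, $half), 'pepper' => substr($store, $half)];
}

function deobfuscate_score(array $post): int {
    // join in the same order the sender split, then undo base64, then rot13
    return (int)str_rot13(base64_decode($post['salt'] . $post['pepper']));
}

// --- Scheme 2: keyed MAC, mattpointblank's "hashkey" done with HMAC ---
const SCORE_KEY = 'replace-with-a-long-random-secret'; // assumed server-side secret, shared with the sender

function sign_score(int $score, string $key = SCORE_KEY): array {
    $tag = hash_hmac('sha256', (string)$score, $key);
    return ['score' => (string)$score, 'tag' => $tag];
}

function verify_score(array $post, string $key = SCORE_KEY): ?int {
    if (!isset($post['score'], $post['tag']) || !ctype_digit($post['score'])) {
        return null; // missing field or non-integer score
    }
    $expected = hash_hmac('sha256', $post['score'], $key);
    // hash_equals is constant-time; a plain == comparison can leak the tag through timing
    return hash_equals($expected, $post['tag']) ? (int)$post['score'] : null;
}

// --- Demo with constructed submissions ---
$honest = obfuscate_score(10);
echo "obfuscated honest score decodes to: " . deobfuscate_score($honest) . PHP_EOL;

// someone who has read the .swf just runs the same steps on a number of their choosing
$forged = obfuscate_score(999999);
echo "obfuscated forged score decodes to: " . deobfuscate_score($forged) . " (nothing to check)" . PHP_EOL;

$signed = sign_score(10);
echo "signed honest score verifies to: " . var_export(verify_score($signed), true) . PHP_EOL;

// Tamper edits the score field in flight but cannot recompute the tag without the key
$tampered = $signed;
$tampered['score'] = '999999';
echo "signed tampered score verifies to: " . var_export(verify_score($tampered), true) . PHP_EOL;
```

The demo runs from the command line with php; the verify step treats a missing or non-numeric score the same as a bad tag so that a malformed request is never recorded.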
Re: Anyone know any $_POST validation tricks?
Posted: Thu Jun 04, 2009 5:34 pm
by Citizen
The problem is that I can't edit anything on the $_POST sending side at all. The post variable is going to be what it is. I can't edit it. All I can do is change my code on the receiving end.
Re: Anyone know any $_POST validation tricks?
Posted: Thu Jun 04, 2009 5:43 pm
by t2birkey
Then you can do nothing about it. In any solution you must change the data that is being sent to be unique.