Numerical formula from a string?
-
steve_the_canuck
- Forum Newbie
- Posts: 8
- Joined: Fri Jan 30, 2009 6:36 pm
Numerical formula from a string?
Hi,
I'd like to create a generic function for performing a simple hash using a formula.
I currently have a function like this to do specific simple hash generations:
public static function getHash($value)
{
    return dechex($value*800122+9);
}
Ideally I'd like it to be like this:
public static function getHash($value, $formula)
{
    return dechex($value.$formula);
}
I've used the string concat operator here but by no means is this the way it would need to be coded. I'm trying to simply convey that the formula is something I'd like to be a variable.
Is there a way of doing what I've shown above? I have tried a few variations and I cannot get it to work.
Thanks,
Steve
-
Mark Baker
- Forum Regular
- Posts: 710
- Joined: Thu Oct 30, 2008 6:24 pm
Re: Numerical formula from a string?
You either need to use the dreaded eval() (dreaded because it's intrinsically dangerous unless you have 100% control over the data being evalled) or a formula parser. How sophisticated are your formulae?
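Added example, not part of any post in this thread: a minimal formula parser of the kind mentioned above, which evaluates strings such as "x*200000+3" without eval(). The class name FormulaEvaluator, the variable name x and the supported grammar (integers, + - *, parentheses) are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread): evaluate "x*200000+3" without eval().
// expr = term (('+'|'-') term)*; term = factor ('*' factor)*; factor = int | 'x' | '(' expr ')'
final class FormulaEvaluator {
    private array $tokens = [];
    private int $pos = 0;
    private int $x = 0;
    public function evaluate(string $formula, int $x): int {
        $src = preg_replace('/\s+/', '', $formula);
        // Allow-list: digits, the variable x, + - * and parentheses only.
        if (!preg_match('/^(?:\d+|[x+\-*()])+$/', $src)) {
            throw new InvalidArgumentException('Unsupported character in formula');
        }
        preg_match_all('/\d+|[x+\-*()]/', $src, $m);
        [$this->tokens, $this->pos, $this->x] = [$m[0], 0, $x];
        $result = $this->expr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('Unexpected token in formula');
        }
        return $result;
    }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function take(): ?string { return $this->tokens[$this->pos++] ?? null; }
    private function expr(): int {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $v = $this->take() === '+' ? $v + $this->term() : $v - $this->term();
        }
        return $v;
    }
    private function term(): int {
        $v = $this->factor();
        while ($this->peek() === '*') { $this->take(); $v *= $this->factor(); }
        return $v;
    }
    private function factor(): int {
        $t = $this->take();
        if ($t === 'x') { return $this->x; }
        if ($t !== null && ctype_digit($t)) { return (int) $t; }
        if ($t !== '(') { throw new InvalidArgumentException('Malformed formula'); }
        $v = $this->expr();
        if ($this->take() !== ')') { throw new InvalidArgumentException('Missing )'); }
        return $v;
    }
}
// Same shape as the getHash($value, $formula) asked for in the question.
function getHash(int $value, string $formula): string {
    return dechex((new FormulaEvaluator())->evaluate($formula, $value));
}
echo getHash(5, 'x*200000+3'), "\n";
```

Because the input is tokenised against an allow-list and never handed to the PHP interpreter, a formula string from an untrusted source can at worst raise an exception.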
-
steve_the_canuck
- Forum Newbie
- Posts: 8
- Joined: Fri Jan 30, 2009 6:36 pm
Re: Numerical formula from a string?
Mark Baker wrote: You either need to use the dreaded eval() (dreaded because it's intrinsically dangerous unless you have 100% control over the data being evalled) or a formula parser. How sophisticated are your formulae?

They are currently only as sophisticated as the example (x*200000+3), etc. I basically use it to obfuscate IDs of database rows when they are needed for display in a URL or on a page.
Steve
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
Re: Numerical formula from a string?
steve_the_canuck wrote: I basically use it to obfuscate ID's of database rows when they are needed for display in a URL or on a page.

Why would you ever need to obfuscate the ID of a database row?
-
steve_the_canuck
- Forum Newbie
- Posts: 8
- Joined: Fri Jan 30, 2009 6:36 pm
Re: Numerical formula from a string?
steve_the_canuck wrote: I basically use it to obfuscate IDs of database rows when they are needed for display in a URL or on a page.
jayshields wrote: Why would you ever need to obfuscate the ID of a database row?

Revealing the internal IDs used in your database can give potential hackers something to latch onto. It also achieves better separation between the user tier and the data/business tier of the application from a design perspective.
- iankent
- Forum Contributor
- Posts: 333
- Joined: Mon Nov 16, 2009 4:23 pm
- Location: Wales, United Kingdom
Re: Numerical formula from a string?
steve_the_canuck wrote: Revealing the internal IDs used in your database can give potential hackers something to latch onto. It also achieves better separation between the user tier and the data/business tier of the application from a design perspective.

Not really. You can safely give out the ID as long as you have some way of verifying that value when accepting it back from the user. Plus, just giving the ID in the url doesn't mean you have to give away the column or table name, and almost guaranteed every website will use a numerical ID somewhere, so it doesn't really give much away.
edit: as a perfect example, phpbb regularly uses just a userid to identify users, and this is given out to all other users in the member list pages. aside from that, the whole phpbb table structure and code is available for all to see. has it made phpbb less secure? no, it just means their code is up to scratch!
And re separation, doesn't it just make things difficult if you ever need to trace problems through your application, or look through any log files, or manually query the databases? Sticking to a numerical ID will be far easier, and give better performance on your database!
-
steve_the_canuck
- Forum Newbie
- Posts: 8
- Joined: Fri Jan 30, 2009 6:36 pm
Re: Numerical formula from a string?
steve_the_canuck wrote: Revealing the internal IDs used in your database can give potential hackers something to latch onto. It also achieves better separation between the user tier and the data/business tier of the application from a design perspective.
iankent wrote: Not really. You can safely give out the ID as long as you have some way of verifying that value when accepting it back from the user. Plus, just giving the ID in the url doesn't mean you have to give away the column or table name, and almost guaranteed every website will use a numerical ID somewhere, so it doesn't really give much away.
edit: as a perfect example, phpbb regularly uses just a userid to identify users, and this is given out to all other users in the member list pages. aside from that, the whole phpbb table structure and code is available for all to see. has it made phpbb less secure? no, it just means their code is up to scratch!
And re separation, doesn't it just make things difficult if you ever need to trace problems through your application, or look through any log files, or manually query the databases? Sticking to a numerical ID will be far easier, and give better performance on your database!

You can make a case that it's ok for revealing internal IDs. You have to judge the security concerns of your own app and what would be the consequences if someone just plugged in an "inappropriate" ID. Obfuscation is just another technique to make it more difficult to guess. With obfuscation - people with knowledge of hashing techniques might be able to figure out what you're doing, but without it, almost anyone with any computer savvy can figure it out.
This is exactly what happened to hotmail a few years back. They had a mailbox ID in their URL and sure enough they had forgotten to do a proper security check of who was accessing a mailbox. An obfuscated ID would have helped them in this case, it would have limited exposure because really it was very easy to just plug in any number you wanted.
Can you guarantee there are no holes in your own app that can't be exploited?
In terms of your point about separation - it's not much more difficult really. It took me about an hour or two to retrofit about 20K lines of code to use obfuscation. It does present some inconvenience, but again it's pretty minor.
But I'm risk averse about this stuff. I guess that's what happens after designing fraud detection systems for banks.
Cheers,
Steve
Re: Numerical formula from a string?
Wait... So you're saying that revealing internal ID numbers is a security risk?
What about, oh I don't know, practically everything on the web? They're all doing it wrong?
Code:
http://forums.devnetwork.net/posting.php?mode=reply&f=1&t=109225
http://rss.cnn.com/~r/rss/cnn_tech/~3/m_HeT892QDo/index.html
http://yro.slashdot.org/story/09/11/21/0354209/RFID-Fingerprints-To-Fight-Tag-Cloning
http://www.msnbc.msn.com/id/34075908/ns/us_news-washington_post/
And I'm just getting started.
Obfuscation is not security. If you're concerned that someone "just plugged in an inappropriate ID" then it means your application is insecure. Web security point #1: anything and everything that isn't directly generated by your code is inherently unsafe. If you don't check that the requested resource should be viewed by the user then that's your fault.
Re: Numerical formula from a string?
steve_the_canuck wrote: They are currently only as sophisticated as the example (x*200000+3), etc. I basically use it to obfuscate IDs of database rows when they are needed for display in a URL or on a page.

First of all I agree with the above reactions. Obfuscation is not security. Rather than hiding or obfuscating your IDs, you're better off by simply making your code safe against injection or otherwise manual tampering.
Having said that, I'd still like to answer your question, cause a scenario like this may occur in different forms and circumstances. You could do something like this:
Code:
function getHash( $value, $formula )
{
    // $formula selects one of a fixed set of methods and carries only its numeric parameters
    switch ($formula['method'])
    {
        case 1:  return dechex( $value*$formula['multiplier'] + $formula['delta'] );
        default: return 0; // unknown method
    }
}
$id = 42; // sample row ID
$myMethod = array( 'method'=>1 , 'multiplier'=>200000 , 'delta'=>3 );
$hash = getHash( $id , $myMethod );
// $hash is now dechex($id*200000+3)
Of course, an OOP approach would be more appropriate here, as the idea of customizing (and possibly later on enhancing) your hashing algorithm typically smells like 'overriding functions'.
Code:
class HashMethod // base class with dummy hashing
{
    public function getHash( $value ) { return 0; }
}
function DoHashing( $value, $hashMethod ) // this uses a HashMethod instance to perform hashing
{
    return $hashMethod->getHash($value);
}
// now implement your own hashing by inheriting from HashMethod
class MyHashMethod extends HashMethod
{
    public $multiplier, $delta;
    function __construct( $m, $d )
    {
        $this->multiplier = $m;
        $this->delta = $d;
    }
    public function getHash( $value ) { return dechex( $value*$this->multiplier + $this->delta ); }
}
$id = 42; // sample row ID
$myHashing = new MyHashMethod(200000,3);
$hash = DoHashing($id,$myHashing);
// $hash is now dechex($id*200000+3)
-
steve_the_canuck
- Forum Newbie
- Posts: 8
- Joined: Fri Jan 30, 2009 6:36 pm
Re: Numerical formula from a string?
tasairis wrote: Wait... So you're saying that revealing internal ID numbers is a security risk?
What about, oh I don't know, practically everything on the web? They're all doing it wrong?
Code:
posting.php?mode=reply&f=1&t=109225
http://rss.cnn.com/~r/rss/cnn_tech/~3/m_HeT892QDo/index.html
http://yro.slashdot.org/story/09/11/21/0354209/RFID-Fingerprints-To-Fight-Tag-Cloning
http://www.msnbc.msn.com/id/34075908/ns/us_news-washington_post/
And I'm just getting started.
Obfuscation is not security. If you're concerned that someone "just plugged in an inappropriate ID" then it means your application is insecure. Web security point #1: anything and everything that isn't directly generated by your code is inherently unsafe. If you don't check that the requested resource should be viewed by the user then that's your fault.

As I said, it depends on what you're doing. You are quoting a bunch of news sites and forums. In a case like that, I wouldn't care if the internal IDs were exposed and in fact I might encourage it.
What if I was to put in a URL like this:
Code:
http://www.myrewards123.com/customer/12 ... /view.html
It goes without saying the code should check that only an authorized user should be able to view the URL. I have numerous checks in my applications. But still, checks are sometimes missed and I would say obfuscation doesn't hurt in these cases too because it's the most basic level of potential misuse of information.
My general rule is - obfuscate if the data "belongs" to someone and is not intended for public use, and if there is any potential for misuse.
Steve
- iankent
- Forum Contributor
- Posts: 333
- Joined: Mon Nov 16, 2009 4:23 pm
- Location: Wales, United Kingdom
Re: Numerical formula from a string?
steve_the_canuck wrote: My general rule is - obfuscate if the data "belongs" to someone and is not intended for public use, and if there is any potential for misuse.
Steve

If somebody intends to misuse then obfuscation does nothing to help. If the data belongs to somebody and not intended for public use, then create additional data that means nothing that is for public use, i.e. an internal database id instead of the customer id. that way there is no useful link between the original data and the public data like there is with an obfuscated string.
the hotmail issue is a non-issue really. as you say, they forgot to do some basic security checks, so that was their fault. and my code probably isn't 100% perfect, but whose is. still, using obfuscation is not a safe alternative to replacing the private data altogether. all you'd need to do is add additional id columns to your tables and output those instead
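Added example, not part of any post in this thread: the two measures discussed above side by side, a separate random public ID column that has no link to the internal row ID, and an ownership check applied on every lookup. The table rewards, its columns and the functions createReward and loadReward are hypothetical names chosen for this illustration, which uses PDO with an in-memory SQLite database.

```php
<?php
// Added example, not code from the thread. Table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rewards (
    id INTEGER PRIMARY KEY,          -- internal row ID, never sent to the browser
    public_id TEXT UNIQUE NOT NULL,  -- random value with no link to id
    owner_id INTEGER NOT NULL,
    points INTEGER NOT NULL)');

function createReward(PDO $db, int $ownerId, int $points): string
{
    $publicId = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    $db->prepare('INSERT INTO rewards (public_id, owner_id, points) VALUES (?, ?, ?)')
       ->execute([$publicId, $ownerId, $points]);
    return $publicId;
}

// The ownership test lives in the query: an unknown ID and someone else's ID
// both return null, so the caller can answer 404 for either.
function loadReward(PDO $db, string $publicId, int $sessionUserId): ?array
{
    if (!preg_match('/^[0-9a-f]{32}$/D', $publicId)) {
        return null; // reject anything that is not a well-formed public ID
    }
    $stmt = $db->prepare('SELECT points FROM rewards WHERE public_id = ? AND owner_id = ?');
    $stmt->execute([$publicId, $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: user 7 owns one record, user 8 tries to read it.
$token = createReward($db, 7, 1200);
var_dump(loadReward($db, $token, 7) !== null);               // owner
var_dump(loadReward($db, $token, 8) !== null);               // other logged-in user
var_dump(loadReward($db, str_repeat('0', 32), 7) !== null);  // guessed value
```

The session user ID must come from the authenticated session on the server, never from the request itself.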
-
steve_the_canuck
- Forum Newbie
- Posts: 8
- Joined: Fri Jan 30, 2009 6:36 pm
Re: Numerical formula from a string?
iankent wrote: If somebody intends to misuse then obfuscation does nothing to help. If the data belongs to somebody and not intended for public use, then create additional data that means nothing that is for public use, i.e. an internal database id instead of the customer id. that way there is no useful link between the original data and the public data like there is with an obfuscated string.
the hotmail issue is a non-issue really. as you say, they forgot to do some basic security checks, so that was their fault. and my code probably isn't 100% perfect, but whose is. still, using obfuscation is not a safe alternative to replacing the private data altogether. all you'd need to do is add additional id columns to your tables and output those instead

That depends - you can use quite a bit more sophistication in your obfuscation. You can make the URLs generated be time dependent, where you change the hash every 5 or 10 minutes. That really reduces the window of opportunity for misuse.
Yes, you could simply output your database ID as an additional column for simple hash algorithms. But I feel this entire line of reasoning is based on thinking like a programmer. Consider that you have to go through the step of figuring out the mapping/hash algorithm, knowing what the hexadecimal number system is - that is probably less than 1% of my user base. On the other hand, if I do nothing, I leave it wide open to anyone who wants to start typing in numbers - I am an easier target.
There's a kid I know who I have been trying to dissuade from hacking for a while now. But he actually targets other hackers who don't realize he's hacking them. There are varying degrees of stupidity in the hacking world. For sure there are the hackers that will find their way into my application, guess my obfuscation techniques, etc. But I think for every one of those there are just looking for easy prey.
Steve