Numerical formula from a string?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
steve_the_canuck
Forum Newbie
Posts: 8
Joined: Fri Jan 30, 2009 6:36 pm

Numerical formula from a string?

Post by steve_the_canuck »

Hi,

I'd like to create a generic function for performing a simple hash using a formula.

I currently have a function like this to do specific simple hash generations:

public static function getHash($value)
{
return dechex($value*800122+9);
}

Ideally I'd like it to be like this:

public static function function getHash($value, $formula)
{
return dechex($value.$formula);

}

I've used the string concat operator here but by no means is this the way it would need to be coded. I'm trying to simply convey that the formula is something I'd like to be a variable.

Is there a way of doing what I've shown above? I have tried a few variations and I cannot get it to work.

Thanks,
Steve
Mark Baker
Forum Regular
Posts: 710
Joined: Thu Oct 30, 2008 6:24 pm

Re: Numerical formula from a string?

Post by Mark Baker »

You either need to use the dreaded eval() (dreaded because it's intrinsically dangerous unless you have 100% control over the data being evalled) or a formula parser. How sophisticated are your formulae?
steve_the_canuck
Forum Newbie
Posts: 8
Joined: Fri Jan 30, 2009 6:36 pm

Re: Numerical formula from a string?

Post by steve_the_canuck »

Mark Baker wrote:You either need to use the dreaded eval() (dreaded because it's intrinsically dangerous unless you have 100% control over the data being evalled) or a formula parser. How sophisticated are your formulae?

They are currently only as sophisticated as the example (x*200000+3), etc. I basically use it to obfuscate ID's of database rows when they are needed for display in a URL or on a page.

Steve
User avatar
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: Numerical formula from a string?

Post by jayshields »

steve_the_canuck wrote:I basically use it to obfuscate ID's of database rows when they are needed for display in a URL or on a page.
Why would you ever need to obfuscate the ID of a database row?
steve_the_canuck
Forum Newbie
Posts: 8
Joined: Fri Jan 30, 2009 6:36 pm

Re: Numerical formula from a string?

Post by steve_the_canuck »

jayshields wrote:
steve_the_canuck wrote:I basically use it to obfuscate ID's of database rows when they are needed for display in a URL or on a page.
Why would you ever need to obfuscate the ID of a database row?
Revealing the internal ID's used in your database can give potential hackers something to latch onto. It's also achieves better separation between the user tier and the data/business tier of the application from a design perspective.
User avatar
iankent
Forum Contributor
Posts: 333
Joined: Mon Nov 16, 2009 4:23 pm
Location: Wales, United Kingdom

Re: Numerical formula from a string?

Post by iankent »

steve_the_canuck wrote:Revealing the internal ID's used in your database can give potential hackers something to latch onto. It's also achieves better separation between the user tier and the data/business tier of the application from a design perspective.
Not really. You can safely give out the ID as long as you have some way of verifying that value when accepting it back from the user. Plus, just giving the ID in the url doesn't mean you have to give away the column or table name, and almost guaranteed every website will use a numerical ID somewhere, so it doesn't really give much away.

edit: as a perfect example, phpbb regularly uses just a userid to identify users, and this is given out to all other users in the member list pages. aside from that, the whole phpbb table structure and code is available for all to see. has it made phpbb less secure? no, it just means their code is up to scratch!

And re separation, doesn't it just make things difficult if you ever need to trace problems through your application, or look through any log files, or manually query the databases? Sticking to a numerical ID will be far easier, and give better performance on your database!
steve_the_canuck
Forum Newbie
Posts: 8
Joined: Fri Jan 30, 2009 6:36 pm

Re: Numerical formula from a string?

Post by steve_the_canuck »

iankent wrote:
steve_the_canuck wrote:Revealing the internal ID's used in your database can give potential hackers something to latch onto. It's also achieves better separation between the user tier and the data/business tier of the application from a design perspective.
Not really. You can safely give out the ID as long as you have some way of verifying that value when accepting it back from the user. Plus, just giving the ID in the url doesn't mean you have to give away the column or table name, and almost guaranteed every website will use a numerical ID somewhere, so it doesn't really give much away.

edit: as a perfect example, phpbb regularly uses just a userid to identify users, and this is given out to all other users in the member list pages. aside from that, the whole phpbb table structure and code is available for all to see. has it made phpbb less secure? no, it just means their code is up to scratch!

And re separation, doesn't it just make things difficult if you ever need to trace problems through your application, or look through any log files, or manually query the databases? Sticking to a numerical ID will be far easier, and give better performance on your database!

You can make a case that it's ok for revealing internal ID's. You have to judge the security concerns of your own app and what would be the consequences if someone just plugged in an "inappropriate" ID. Obfuscation is just another technique to make it more difficult to guess. With obfuscation - people with knowledge of hashing techniques might be able to figure out what you're doing, but without it, almost anyone with any computer savvy can figure it out.

This is exactly what happened to hotmail a few years back. They had a mailbox ID in their URL and sure enough they had forgotten to do a proper security check of who was accessing a mailbox. An obfuscated ID would have helped them in this case, it would have limited exposure because really it was very easy to just plug in any number you wanted.

Can you guarantee there are no holes in your own app that can't be exploited?

In terms of your point about separation - it's not much more difficult really. It took me about an hour or two to retrofit about 20K lines of code to use obfuscation. It does present some inconvenience, but again it's pretty minor.

But I'm risk adverse about this stuff. I guess that's what happens after designing fraud detection systems for banks.

Cheers,
Steve
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Numerical formula from a string?

Post by requinix »

Wait... So you're saying that revealing internal ID numbers is a security risk?

What about, oh I don't know, practically everything on the web? They're all doing it wrong?

Code: Select all

http://forums.devnetwork.net/posting.php?mode=reply&[color=blue]f=1[/color]&[color=blue]t=109225[/color]
http://rss.cnn.com/~r/rss/cnn_tech/~3/[color=blue]m_HeT892QDo[/color]/index.html
http://yro.slashdot.org/story/09/11/21/[color=blue]0354209[/color]/RFID-Fingerprints-To-Fight-Tag-Cloning
http://www.msnbc.msn.com/id/[color=blue]34075908[/color]/ns/us_news-washington_post/
And I'm just getting started.


Obfuscation is not security. If you're concerned that someone "just plugged in an inappropriate ID" then it means your application is insecure. Web security point #1: anything and everything that isn't directly generated by your code is inherently unsafe. If you don't check that the requested resource should be viewed by the user then that's your fault.
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Numerical formula from a string?

Post by Apollo »

steve_the_canuck wrote:They are currently only as sophisticated as the example (x*200000+3), etc. I basically use it to obfuscate ID's of database rows when they are needed for display in a URL or on a page.
First of all I agree with the above reactions. Obfuscation is not security. Rather than hiding or obfuscating your IDs, you're better off by simply making your code safe against injection or otherwise manual tempering.

Having said that, I'd still like to answer your question, cause a scenario like this may occur in different forms and circumstances. You could do something like this:

Code: Select all

function getHash( $value, $formula )
{
    switch($formula['method'])
    {
        case 1: return dechex( $value*$formula['multiplier'] + $formula['delta'] );
        default: return 0;
    }
}
 
$myMethod = array( 'method'=>1 , 'multiplier'=>200000 , 'delta'=>3 );
 $hash = getHash( $id , $myMethod );
// $hash is now $id*200000+3
If you come up with other hashing algo's later on, you can add a case 2: formula and put whatever parameters you require in the array. Completely safe, yet dynamic and keeps all possibilities open.

Of course, an OOP approach would be more appropriate here, as the idea of customizing (and possibly later on enhancing) your hashing algorithm typically smells like 'overriding functions'.

Code: Select all

class HashMethod // base class with dummy hashing
{
    public function getHash( $value ) { return 0; }
};
 
function DoHashing( $value, $hashMethod ) // this uses a HashMethod instance to perform hashing
{
    return $hashMethod->getHash($value);
}
 
// now implement your own hashing by inheriting from HashMethod
 
class MyHashMethod extends HashMethod
{
    public $multiplier,$delta;
    function __construct( $m, $d )
    {
        $this->multiplier = $m;
        $this->delta = $d;
    }
    public function getHash( $value ) { return dechex( $value*$this->multiplier + $this->delta ); }
};
 
$myHashing = new MyHashMethod(200000,3);
$hash = DoHashing($id,$myHashing);
// $hash is now $id*200000+3
I'm sure you get the idea.
steve_the_canuck
Forum Newbie
Posts: 8
Joined: Fri Jan 30, 2009 6:36 pm

Re: Numerical formula from a string?

Post by steve_the_canuck »

tasairis wrote:Wait... So you're saying that revealing internal ID numbers is a security risk?

What about, oh I don't know, practically everything on the web? They're all doing it wrong?

Code: Select all

posting.php?mode=reply&[color=blue]f=1[/color]&[color=blue]t=109225[/color]
http://rss.cnn.com/~r/rss/cnn_tech/~3/[color=blue]m_HeT892QDo[/color]/index.html
http://yro.slashdot.org/story/09/11/21/[color=blue]0354209[/color]/RFID-Fingerprints-To-Fight-Tag-Cloning
http://www.msnbc.msn.com/id/[color=blue]34075908[/color]/ns/us_news-washington_post/
And I'm just getting started.


Obfuscation is not security. If you're concerned that someone "just plugged in an inappropriate ID" then it means your application is insecure. Web security point #1: anything and everything that isn't directly generated by your code is inherently unsafe. If you don't check that the requested resource should be viewed by the user then that's your fault.
As I said, it depends on what you're doing. You are quoting a bunch of news sites and forums. In a case like that, I wouldn't care if the internal ID's were exposed and in fact I might encourage it.

What if I was to put in a URL like this:

Code: Select all

http://www.myrewards123.com/customer/12 ... /view.html
There are a number of security considerations here. What if I am to send the URL to technical support, or put it in an email, or it is simply contained in my browser history for someone to access? There is a security risk in each case. Suddenly information about my account is listed in the URL. Is 90505550 the account number or an internal database ID? In either case, then that's more valuable information that could be used.

It goes without saying the code should check that only an authorized user should be able to view the URL. I have numerous checks in my applications. But still, checks are sometimes missed and I would say obfuscation doesn't hurt in these cases too because it's the most basic level of potential misuse of information.

My general rule is - obfuscate if the data "belongs" to someone and is not intended for public use, and if there is any potential for misuse.

Steve
User avatar
iankent
Forum Contributor
Posts: 333
Joined: Mon Nov 16, 2009 4:23 pm
Location: Wales, United Kingdom

Re: Numerical formula from a string?

Post by iankent »

steve_the_canuck wrote:My general rule is - obfuscate if the data "belongs" to someone and is not intended for public use, and if there is any potential for misuse.

Steve
If somebody intends to misuse then obfusication does nothing to help. If the data belongs to somebody and not intended for public use, then create additional data that means nothing that is for public use, i.e. an internal database id instead of the customer id. that way there is no useful link between the original data and the public data like there is with an obfusicated string.

the hotmail issue is a non-issue really. as you say, they forgot to do some basic security checks, so that was their fault. and my code probably isn't 100% perfect, but whose is. still, using obfusication is not a safe alternative to replacing the private data altogether. all you'd need to do is add additonal id columns to your tables and output those instead
steve_the_canuck
Forum Newbie
Posts: 8
Joined: Fri Jan 30, 2009 6:36 pm

Re: Numerical formula from a string?

Post by steve_the_canuck »

iankent wrote: If somebody intends to misuse then obfusication does nothing to help. If the data belongs to somebody and not intended for public use, then create additional data that means nothing that is for public use, i.e. an internal database id instead of the customer id. that way there is no useful link between the original data and the public data like there is with an obfusicated string.

the hotmail issue is a non-issue really. as you say, they forgot to do some basic security checks, so that was their fault. and my code probably isn't 100% perfect, but whose is. still, using obfusication is not a safe alternative to replacing the private data altogether. all you'd need to do is add additonal id columns to your tables and output those instead
That depends - you can use quite a bit more sophistication in your obfuscation. You can make the URL's generated be time dependent, where you change the hash every 5 or 10 minutes. That really reduces the window of opportunity for misuse.

Yes, you could simply output your database ID as an additional column for simple hash algorithms. But I feel this entire line of reasoning is based on thinking like a programmer. Consider that you have to go through the step of figuring out the mapping/hash algorithm, knowing what the hexadecimal number system is - that is probably less than 1% of my user base. On the other hand, if I do nothing, I leave it wide open to anyone who wants to start typing in numbers - I am an easier target.

There's a kid I know who I have been trying to dissuade from hacking for a while now. But he actually targets other hackers who don't realize he's hacking them. There are varying degrees of stupidity in the hacking world. For sure there are the hackers that will find their way into my application, guess my obfuscation techniques, etc. But I think for every one of those there are just looking for easy prey.

Steve
Post Reply