I would like to generate encrypt data and send it from http://localhost:8888/A/B to http://localhost:8888/C/D in json format.
What is the best way possible?
Users will be using only http://localhost:8888/A/B, so when ever a request comes in for a http://localhost:8888/A/B a hash key will be generated and sent to http://localhost:8888/C/D where the database query will happen before doing that it has to decrypt the data and check if the user is a valid one.
Use cURL to send any data anywhere. It is very flexible and configurable for any case. You can use either POST or GET methods to send data.
you're referencing two different things.. hashing != encrytping. Hashing is one way, whereas encrytpion is two directional. use an ajax call to a codeigniter controller.
Related
I am trying to identify the source of posted data in PHP and would like to verify if the date is being posted from within my Android App. Is there any way to verify this easily?
To verify the data, I generate a checksum based on different values using my own algorithm. On the server side, I decode this to verify the posted data. This way, users cannot POST different data using the same checksum. They will need to know the algorithm.
i created script which will count child's div for some certain div with this command
$('#content').children().size()
by this count i know to fetch from 12 to 18 from mysql if this count is 12.
with firebug i can find out this count which will post to my script and i thought is there any way to increase this size to get more details from my database in some way?is it secure to pass such data from ajax?
2-can someone post data or simulate posting in any way?for example simulate data which will post by form like this data=2&foo=3&bar=4 and cheating on server?
check this link,it's can be useful
check for authentication and authorization
Encrypt or add salted hash checks to data exported to the browser for resubmission
treat any data received in the request as potentially dangerous
use HTTPS where its appropriate
transform data leaving your PHP using the right method for were its going (htmlentities, mysql_real_escape_string
transform data entering your script using the right method based on its origin (e.g. json_decode)
As per my comment, once more as answer.
'Safe' is relative. Basically AJAX is nothing but a plain HTTP request based on JavaScript. So it's not any more or less safe than one like that. To make it 'safe' you could use HTTPS to encrypt the connection. That way, you should be able to prevent injection and stuff. Regarding the cheating...if one really wants to, he can. The only thing you can do, is to check the parameters carefully and therefore detect irregularities. Maybe add a hidden checksum, which only allows for particular options.
Say I have one form that changes its content (fields and options) based on the user's current state in a multi-state process. Say that it always leads to the same action, which means the action needs to figure out what event occurred and on which entity.
<form action='/somecontroller/someaction' method='post'></form>
What is the most common way of transferring this sensitive data to the controller? I'm reluctant to even suggest hidden fields, as those can be changed by anyone. Two way encryption of some sort which is then decrypted in the action and used to determine the rest, server-side? Perhaps serialize sensitive info, encrypt it, and put it in a single hidden field on the client side of the form, then decrypt and unserialize in the controller?
<?php
$hiddenData = unserialize($this->decrypt($_POST['hiddenData'], SALT));
unset($_POST['hiddenData']);
$data = array_merge($hiddenData, $_POST);
...
Basically - how do I send some data with a form securely without exposing it to outside alterations, that is, without making sure something can go wrong if it is altered? Is there some kind of best practice regarding this?
You never send that data to the client at all.
Store it server-side within the session management capability (for PHP, you can access that using the $_SESSION variable) and only send the session token (long random number, PHP has routines for generating/maintaining good session identifiers as well) to the client (typically done in the form of a cookie). For keeping track of data in a multi-step process (including the state that the user is in), you never want to expose that to the client.
Interesting question. What I would do is a combination of the following (if sessions are not a solution for you):
employ a AES_256 / modifyed AES_256 crypt/decrypt on a serialized representation
make a MD5 + SALT (or similar) hash of the variables that you could compare with a stored hash to determine if any manipulation took place
use something like the user's IP as SALT to generate the hashes or for the crypt functions, thus if a user's IP should change you'll know that (beware: an IP address might change under some circumstances)
as i want to send some sensitive information like 'user id' through ajax which is the best way to transfer them. right now i am just concatenating with the html tag's ids and then splitting and using them . please suggest a better way . i hope there must be one for this
The best way to transfer identification values (such as user_id) is to not transfer them at all. If you can, I'd grab the current user_id from a session, that way it isn't possible for a user to change that "user_id" to immatate someone else.
However if this option doesn't fit your application, you can always hash the user_id on the server side, such as:
md5($user_id . "randomsalthere");
Then when you check the request, see if:
$_POST['secret_hash'] == md5($_POST['user_id'], 'randomsalthere');
Links:
Salt
Hash
PHP Sessions
Would POST work for you? Only the User would be able to sniff out the POST parameter,
The most secure way would be to use https, regardless whether you are using POST or GET.
Another question that comes to mind: Do you really need to send this information, canĀ“t you just keep it on the server in a SESSION?
JQuery has some encryption plugins. You can encrypt your values before sending them, and decrypt them in php.
Here's the story:
I have to pass some classified information from one script to another script. In the first script I need to encrypt the data first and then I have to attach the encrypted data into a GET request and send it to another script. The URL would look like this:
http://mydomain.com/mysecondscript.php?secret={encrypted stuff}
My current encrypt method is based on base64. The problem with this method is, that if I have a lot of stuff to encrypt, the encrypted result could get very long. If it's longer than 255 characters or so, the second script will not be able to decrypt it because the string will be chopped.
So I'm looking for a better encryption method, that can control the length of the encrypted result.
DANGER!
Base64 is NOT a form of encryption, but encoding. Base64 encoded strings are easy to recognize and trivial to decode. Base64 is used to encode data so they can be safely transmitted across non-binary safe medium (such as URLs and emails), but they do not hide the data itself.
What you need to do is encrypt the string using AES (see PHP's mcrypt), then base64 encode it. This of course will not solve your length problem. The question is pretty vague, but what you can do is:
Use POST instead of GET.
Store data in a database or a file which both scripts can access. Then just generate a sort of identifier and send it with the URL. The receiving script can use this identifier to retrieve the data. As an added bonus you won't have to send classified data with the URL.
EDIT: Now that I read your question more carefully, it seems like both scripts are sitting on the same server. In this case there is no reason whatsoever to pass this data via HTTP.
No matter how secure your encryption scheme is you will still need to base64 or URL-encode the result which, you have discovered, will likely exceed 255 characters. The best you can do is compress the data, then encrypt it, then encode it. It will still probably fail. You need to find an alternative to GET.
Why does it have to be transmitted in the URL at all? Save it to disk, put it in the database, add it to a message passing queue...
You can use an opaque token in the URL to identify which thing you're talking about, and then turn that token back into a useful thing on the other end by querying whatever storage mechanism you choose.
If this is sensitive information, base64 should not be used as it can be decoded easily. If you want the information to be securely encrypted, you shoule use PHP Mcrypt (link). Much more secure and can support encryption of much longer strings. Best of all, you set your own key and it cannot be decrypted without that key. It make require a tiny bit more work, but it will be safe. Also, if you are passing multiple variables that way, you can set them into an array, serialize and encrypt the array, pass the array via GET, and then decrypt/unserialize. It's as simple as that. One last thing, there are also some classes out there that will make Mcrypt a lot easier to use. May want to google to find one, it will make your life easier.
You can use MD5 to create a hash of the id so you get something like:
http://www.demo.com/displaycommittees.php?id=81dc9bdb52d04dc20036dbd8313ed055
In your db query you can do a select on the users table including a WHERE statement that also hashes the id column like:
WHERE MD5(id) = $_GET[id]
This works fine and i have always applied this algorithm. for instance assuming the actual value of the encrypted id 23, if you try to put 23 in place of the encrypted(hash) code it will not work( no result will be display).
Note: Reasons are best known to those who need a solution, so the question "why" may not come in for those who need it. they only ask for a solution and if it works fine for them, nice. But for transaction application (e.g cash transaction or transaction pins) please do avoid passing sensitive information via URL, because it can easily be cracked.
See more at: http://softideass.blogspot.com/