NYPHP.org

[PHP] Second (Bizarre) Question regarding PHP and ASP

Gerald Timothy Quimpo gquimpo at sni-inc.com
Sun Jan 5 03:22:56 EST 2003


On Sunday 05 January 2003 07:43 am, Phil Powell wrote:
> I tried using REQUEST_URI but I didn't get the results I wanted.  How will
> process.asp know that process.php called it in order to do what it should
> do?

If you can get $_SERVER["REMOTE_ADDR"] or $HTTP_REMOTE_ADDR,
and if you can trust it (not only that it's right, but also that there are no
man-in-the-middle attacks or other scripts on the client that can pretend
to be your script), then you could just check that the request is coming
from the right IP.

Alternatively, you could use hashes that change from one invocation
to the next (to avoid replay attacks).  The server and the client
should both have a secret passphrase (perhaps even a whole set
of them, one for each day, and generated every month or so).

On the client (process.php), randomly generate a string, e.g., $randstr.
Create a hash based on the secret passphrase and the randstr, e.g.,

$randstr = bin2hex(random_bytes(16));   /* fresh on every invocation */
$hash = sha1($passphrase . $randstr);   /* use whatever hash
   function you want: openssl, mhash, mcrypt or whatever you
   use */

Send the randstr and the hash along with the rest of the data.  On the
server side, process.asp takes the randstr, computes the hash as above,
and compares the hash it generated with the hash passed in.
If they don't match, don't reply.  If they match, then the request comes
from process.php (unless you're really paranoid, in which case, add
some more hoops for process.php to jump through :).

tiger

-- 
Gerald Timothy Quimpo  tiger*quimpo*org gquimpo*sni-inc.com tiger*sni*ph
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"
                   Veritas liberabit vos.
                   Doveryai no proveryai.
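The nonce-plus-keyed-hash exchange Gerald sketches, written out as an added example with both sides in PHP so it runs stand-alone; this is not code from the original post or from NYPHP. It differs from the sketch in a few ways that are my own choices, not the post's: the tag is an HMAC-SHA256 of the nonce, a timestamp and the request fields (a plain hash over secret.nonce with an iterated hash such as SHA-1 lets an observer extend the hashed string and forge a tag for a longer nonce, and hashing only the nonce leaves the rest of the request unauthenticated); the receiver keeps a store of accepted nonces so a captured request cannot be replayed; and a five-minute freshness window bounds how long that store must remember. The secret string, the field names and the window are made-up placeholders. The comparison uses hash_equals so the tag check does not leak by timing.

```php
<?php
// Added example, not part of the original post: the nonce + keyed-hash
// check from the reply, with both roles written in PHP so it runs stand-alone.
// Assumptions (not from the post): PHP 7.1+, HMAC-SHA256 instead of a plain
// hash over secret.nonce, a 5-minute freshness window, and the secret below,
// which is a made-up placeholder.

const SHARED_SECRET    = 'replace-me-with-a-long-random-secret';
const MAX_SKEW_SECONDS = 300;

// The string both sides authenticate. Binding the payload as well as the
// nonce means a forwarded request cannot be altered on the way.
function canonical(string $nonce, int $ts, array $fields): string
{
    ksort($fields);                                  // stable, order-independent encoding
    return $nonce . '|' . $ts . '|' . http_build_query($fields);
}

// Caller (process.php): generate a fresh nonce and tag the request.
function sign_request(array $fields, string $secret, ?int $now = null): array
{
    $nonce = bin2hex(random_bytes(16));              // new on every invocation
    $ts    = $now ?? time();
    $tag   = hash_hmac('sha256', canonical($nonce, $ts, $fields), $secret);
    return $fields + ['nonce' => $nonce, 'ts' => $ts, 'tag' => $tag];
}

// Receiver (process.asp's role): recompute the tag, reject stale or replayed
// nonces. $seen stands in for a persistent store of accepted nonces; its
// entries can be dropped once they are older than MAX_SKEW_SECONDS.
function verify_request(array $params, string $secret, array &$seen, ?int $now = null): bool
{
    foreach (['nonce', 'ts', 'tag'] as $k) {
        if (!isset($params[$k])) {
            return false;                            // malformed: nothing to check
        }
    }
    $nonce  = (string) $params['nonce'];
    $ts     = (int) $params['ts'];
    $tag    = (string) $params['tag'];
    $fields = $params;
    unset($fields['nonce'], $fields['ts'], $fields['tag']);

    // MAC first: nothing below should be reachable by an unauthenticated party.
    $expected = hash_hmac('sha256', canonical($nonce, $ts, $fields), $secret);
    if (!hash_equals($expected, $tag)) {             // constant-time compare
        return false;
    }
    $now = $now ?? time();
    if (abs($now - $ts) > MAX_SKEW_SECONDS) {
        return false;                                // too old (or clocks too far apart)
    }
    if (isset($seen[$nonce])) {
        return false;                                // replay of an already accepted request
    }
    $seen[$nonce] = $ts;                             // record only after every check passes
    return true;
}

// Demonstration on constructed input.
$seen    = [];
$request = sign_request(['user' => 'phil', 'action' => 'process'], SHARED_SECRET);
$altered = $request;
$altered['user'] = 'mallory';                        // payload changed, tag left as-is
$late    = sign_request(['user' => 'phil'], SHARED_SECRET, time() - 2 * MAX_SKEW_SECONDS);

$cases = [
    'fresh request'             => verify_request($request, SHARED_SECRET, $seen),
    'same request sent again'   => verify_request($request, SHARED_SECRET, $seen),
    'payload altered in flight' => verify_request($altered, SHARED_SECRET, $seen),
    'request signed long ago'   => verify_request($late, SHARED_SECRET, $seen),
];
foreach ($cases as $label => $ok) {
    printf("%-28s %s\n", $label . ':', $ok ? 'accepted' : 'rejected');
}
```

The order of the checks matters: the tag is verified before the nonce store is consulted or written, so an unauthenticated sender cannot fill the store or learn which nonces it holds, and a nonce is recorded only once the whole request has been accepted. If process.asp stays on the ASP side, it needs the same canonical string and an HMAC-SHA256 implementation; the secret must then live on both hosts, which is the reason for rotating it as the post suggests.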
