[nycphp-talk] Re: [PHP] Second Question regarding PHP and ASP

Phil Powell soazine at erols.com
Sat Jan 4 19:34:04 EST 2003


The first explanation makes sense, the second you completely lost me, sorry,
I understood none of it :(

Phil

----- Original Message -----
From: "Gerald Timothy Quimpo" <gquimpo at sni-inc.com>
To: "NYPHP Talk" <talk at nyphp.org>
Sent: Saturday, January 04, 2003 7:30 PM
Subject: [nycphp-talk] Re: [PHP] Second Question regarding PHP and ASP


> On Sunday 05 January 2003 07:43 am, Phil Powell wrote:
> > I tried using REQUEST_URI but I didn't get the results I wanted.  How will
> > process.asp know that process.php called it in order to do what it should
> > do?
>
> if you can get $_SERVER["REMOTE_ADDR"] or $HTTP_REMOTE_ADDR
> and if you can trust it (not only that it's right, but also that there are no
> man in the middle attacks or other scripts on the client that can pretend
> to be your script) then you could just check that the request is coming
> from the right IP.
>
> alternatively, you could use hashes that change from one invocation
> to the next (to avoid replay attacks).  the server and the client
> should both have a secret passphrase (perhaps even a whole set
> of them, one for each day, and generated every month or so).
>
> on the client (process.php) randomly generate a string, e.g., $randstr.
> create a hash based on the secret passphrase and the randstr, e.g.,
>
> $hash=makeMyHash($passphrase.$randstr); /* use whatever hash
>    function you want: openssl, mhash, mcrypt or whatever you
>    use */
>
> send the randstr and the hash along with the rest of the data.  on the
> server side, process.asp takes the randstr, takes the hash as above,
> and compares the hash generated with the hash passed in.
> if they don't match, don't reply.  if they match, then the request comes
> from process.php (unless you're really paranoid, in which case, add
> some more hoops for process.php to jump through :).
>
> tiger
>
> --
> Gerald Timothy Quimpo  tiger*quimpo*org gquimpo*sni-inc.com tiger*sni*ph
> Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"
>                    Veritas liberabit vos.
>                    Doveryai no proveryai.
>
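
The nonce-and-hash check described in the quoted message, as an added example that is not part of either post. It uses HMAC-SHA256 in place of a plain hash of `$passphrase.$randstr`, also covers the payload and a timestamp, and remembers accepted nonces so a captured request cannot be replayed. Assumptions: the function names, `SHARED_SECRET`, `MAX_AGE` and the sample payload are constructed for illustration, and the receiver is written in PHP here although in the thread it is process.asp.

```php
<?php
// Added illustration; all names and values are hypothetical, not from the thread.
const SHARED_SECRET = 'constructed-demo-passphrase'; // constructed sample value
const MAX_AGE = 300; // seconds a signed request stays acceptable (assumption)

// Caller side (process.php in the thread): sign nonce + timestamp + payload.
function sign_request(string $payload, string $secret, ?int $now = null): array
{
    $nonce = bin2hex(random_bytes(16));   // plays the role of $randstr
    $ts    = $now ?? time();
    $mac   = hash_hmac('sha256', "$nonce|$ts|$payload", $secret);
    return ['nonce' => $nonce, 'ts' => $ts, 'payload' => $payload, 'hash' => $mac];
}

// Receiver side (process.asp in the thread, shown in PHP for the example).
// $seen stands in for a shared store of nonces that were already accepted.
function verify_request(array $req, string $secret, array &$seen, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach (['nonce', 'ts', 'payload', 'hash'] as $k) {
        if (!isset($req[$k]) || !is_scalar($req[$k])) {
            return false;                 // malformed request
        }
    }
    if (abs($now - (int) $req['ts']) > MAX_AGE) {
        return false;                     // too old (or clock too far off)
    }
    $expected = hash_hmac('sha256', "{$req['nonce']}|{$req['ts']}|{$req['payload']}", $secret);
    if (!hash_equals($expected, (string) $req['hash'])) {
        return false;                     // wrong secret or altered fields
    }
    if (isset($seen[$req['nonce']])) {
        return false;                     // nonce already used: replay
    }
    $seen[$req['nonce']] = $now;          // record only after the MAC checks out
    return true;
}

$seen = [];
$req  = sign_request('order=42&action=process', SHARED_SECRET);
var_dump(verify_request($req, SHARED_SECRET, $seen));      // first delivery
var_dump(verify_request($req, SHARED_SECRET, $seen));      // same request again
$tampered = $req;
$tampered['payload'] = 'order=43&action=process';
var_dump(verify_request($tampered, SHARED_SECRET, $seen)); // payload changed in transit
```

The comparison uses `hash_equals` so the check does not leak how many leading characters of the hash matched, and the nonce store only needs to keep entries for `MAX_AGE` seconds because older requests fail the timestamp check first.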



