Re: Help with some OOP

JamesBenson wrote:
Hello all, I've been working with PHP for my websites for a few months and have just attempted to build my own class. After reading all this stuff about automated robots and XSS attacks etc. I decided to step up security a bit; my result is an attempt to create a class for using the token method within web forms. I'm not even sure whether it's the real thing, but my work is below. Some advice on whether it's ok or what needs improving would be appreciated, thanks.


<?php
// PHP 4.3.11


class SecretToken {

    var $_returnCode;


    function GenerateToken() {
     if(!isset($_SESSION['token'])) {
      session_regenerate_id();

I wonder if regenerating the session id here is useful.
I understand doing it on log off/on but what's the connection
with creating a 'submit token'?

      $new_token = md5(uniqid(rand(), true));
      $_SESSION['token'] = $new_token;
     }
    }


    function VerifyToken($post) {
     // Initialise so the comparison below never sees an undefined variable
     $saved_token = null;
     if(isset($_SESSION['token'])) {
      $saved_token = $_SESSION['token'];
     }

I think you should be unsetting $_SESSION['token']
round about here in order to make sure that each
submit a user does requires a different/new token.

I am assuming you have implemented this class in order
to trap double submits (as well as increasing the
security of your submits somewhat).

At the moment the user gets a single token for
ALL submits he does within a given session.



     // Strict comparison: with == an empty $post would match a missing (null) token
     if($post === $saved_token):
      $this->_returnCode = 1;
      unset($_SESSION['token']);
     else:
      $this->_returnCode = 0;
     endif;
    }


    function ReturnCode() {
## Result will be 1 for success or 0 for fail
      return $this->_returnCode;
    }


you can probably drop the ReturnCode() function
and just have the 1/0 returned directly from VerifyToken() e.g:

if (SecretToken::VerifyToken( $myTok )) {
	// lets do a submit
} else {
	// evil hacker, set the dogs on him.
}


// end class definition
}
?>


Basically in my web form I call GenerateToken first, then when the form's been submitted I call VerifyToken and finally check the return codes using a switch statement. Seems to work.

sounds fine to me.
rgds,
jochem



TIA
James Benson
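The points raised in the reply above (a fresh token per submit, unsetting the stored token on verification, and returning true/false directly from the verify step) pulled together into one class. This is an added example, not the poster's code or the reply's; it assumes a modern PHP (7.1 or later, for random_bytes, hash_equals and nullable types) rather than the PHP 4.3 of the original, and the token store is injected so it can be run from the command line without a live session. The class and method names are made up for this example.

```php
<?php
// Added example (not the original poster's code): a per-submit token helper.
// Assumes PHP 7.1+; the store is passed by reference so $_SESSION can be
// used in a web app and a plain array can be used for offline testing.

class SubmitToken
{
    /** @var array token store, e.g. $_SESSION */
    private $store;

    public function __construct(array &$store)
    {
        $this->store = &$store;
    }

    /**
     * Issue a fresh token for the named form and keep a copy server-side.
     * One token per form render means each token can be spent only once.
     */
    public function generate(string $formId): string
    {
        // CSPRNG output instead of md5(uniqid(rand(), true))
        $token = bin2hex(random_bytes(32));
        $this->store['tokens'][$formId] = $token;
        return $token;
    }

    /**
     * Check the token that came back with the form and consume it, so a
     * double submit or replay of the same token is rejected. Returns the
     * result directly rather than stashing a return code on the object.
     */
    public function verify(string $formId, ?string $submitted): bool
    {
        if ($submitted === null || !isset($this->store['tokens'][$formId])) {
            return false;
        }
        $saved = $this->store['tokens'][$formId];
        // Consume the token whatever the outcome of the comparison
        unset($this->store['tokens'][$formId]);
        // Constant-time comparison, so the stored value is not leaked via timing
        return hash_equals($saved, $submitted);
    }
}

// Constructed demonstration: an in-memory array stands in for $_SESSION.
$session = [];
$tokens  = new SubmitToken($session);

$t = $tokens->generate('contact');            // embed as a hidden form field
var_dump($tokens->verify('contact', $t));     // first submit of the token
var_dump($tokens->verify('contact', $t));     // same token submitted again
var_dump($tokens->verify('contact', 'bogus')); // no token outstanding for the form
```

Run from the command line, the first verify call succeeds and the two that follow fail, because the stored token is removed the moment it is checked. In a form handler the usage is the same as the original design: call generate() when rendering the form and verify() with the posted value on submission, passing $_SESSION as the store.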


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php