On Tue, 05 Sep 2006 16:04:07 +0700, Peter Lauri wrote:

> Hi,
>
> I have bumped into a problem. I need to use a web service that is located on
> server B from server A. The server B will execute a script when the web
> service is accessed and an email is sent as a parameter. The problem is, if
> I only have the email as incoming parameter, anyone can just figure out the
> url for the web service, the name, and then just send the email to that
> address.
>
> To make this a little bit secure I set it up so two parameters are sent, the
> email and a confirmation code. First I was just thinking to basically have a
> password sent with, and if that is correct just execute the script. However,
> due to server restrictions I cannot run it on HTTPS, so that also loses
> value.
>
> So this is how I solved it:
>
> I send a parameter with the request that is the email, some extra characters
> and then MD5 on that. I do this on server A and then server B just checks if
> it is the same resulting string. If so, we know it comes from server A
> because that server is the only one that knows the extra characters used.
>
> $authstring = md5("asdf".$email."fdsa");
>
> Would this be hard to crack assuming that the one who cracks does not know
> the characters that are used to generate the $authstring?
>
> Maybe someone has experience with this? Or just a comment?

This seems the easiest for me:

- Determine IP address of Server A.
- At Server B:

    <?php
    // SERVER_A_IP is a constant holding Server A's address, defined elsewhere.
    if ($_SERVER['REMOTE_ADDR'] != SERVER_A_IP) {
        die('Get lost, will you.');
    }
    // .... rest of code ...

How's that? You could, of course, still add the md5 check, which sounds pretty good.

HTH
Ivo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
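
An added example, not part of the original messages: the shared-secret check discussed in this thread, written with HMAC-SHA256 in place of the `md5("asdf".$email."fdsa")` concatenation, plus a signed timestamp so a request captured over plain HTTP can only be replayed for a short window. The function names, the secret placeholder, the `ts`/`sig` parameter names and the 300-second window are assumptions.

```php
<?php
// Added example: all names and values below are assumptions, not from the thread.
const SHARED_SECRET = 'replace-with-a-long-random-value'; // known only to servers A and B
const MAX_SKEW = 300; // seconds a signed request stays acceptable

// Server A: build the parameters sent to the web service on server B.
function sign_request(string $email, ?int $now = null): array
{
    $ts = (string)($now ?? time());
    // Sign timestamp and email together so neither can be changed on its own.
    // $ts is digits only, so the newline separator is unambiguous.
    $sig = hash_hmac('sha256', $ts . "\n" . $email, SHARED_SECRET);
    return ['email' => $email, 'ts' => $ts, 'sig' => $sig];
}

// Server B: verify the parameters before executing the script.
function verify_request(array $params, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach (['email', 'ts', 'sig'] as $key) {
        if (!isset($params[$key]) || !is_string($params[$key])) {
            return false; // missing or array-valued parameter
        }
    }
    if (!ctype_digit($params['ts']) || abs($now - (int)$params['ts']) > MAX_SKEW) {
        return false; // malformed or stale timestamp
    }
    $expected = hash_hmac('sha256', $params['ts'] . "\n" . $params['email'], SHARED_SECRET);
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($expected, $params['sig']);
}

// Constructed sample exchange (the timestamps are made-up values).
$request = sign_request('user@example.com', 1157447047);

// Untouched request, checked 53 seconds after signing.
var_dump(verify_request($request, 1157447100));

// Same signature, but the email was changed in transit.
$tampered = $request;
$tampered['email'] = 'other@example.com';
var_dump(verify_request($tampered, 1157447100));

// Untouched request replayed an hour later, outside the window.
var_dump(verify_request($request, 1157447047 + 3600));
```

On server B, `verify_request($_GET)` (or `$_POST`) would run before the script; the `REMOTE_ADDR` check from the reply can stay in front of it as a second condition.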