Re: MD5 & bot Question


On Sun, 2007-04-08 at 04:38 -0700, benifactor wrote:
> hmm, why don't you md5 more then once..
> 
> for example, use a condition that will change with every visitor. like 
> the third num in $_SERVER['REMOTE_ADDR'];  or something of the sort.  
> then make a loop..
> 
> say the third num in my ip address is 5
> 
> the person that visits after me would get my value, and say you were 
> right before me and yours was a 7
> 
> the md5 check for me would look like
> 
> md5(md5(md5(md5(md5(md5(md5($value)))))));
> 
> and for the person right after me
> 
> md5(md5(md5(md5(md5($value)))));
> 
> this way for each visitor, a piece of the puzzle is changed. just an 
> idea, and have no idea if it would even work for what your doing...


Ugh, don't do that... it's no more differentiated than doing the
following, which is cleaner:

    md5( $_SERVER['REMOTE_ADDR'].$value );

The above uses the IP address as a salt. But better yet, since the above
is still prone to abuse by the same server making repeat attempts,
create a multi-salt system...

    $salt1 = 'YoUR SeKreT SaLT';
    $salt2 = time();
    $salt3 = uniqid();

    $md5 = md5( $salt1.'__'.$salt2.'__'.$salt3.'__'.$value );

Then in your form you include the value of $salt2, $salt3, and $md5. In
this way only those who know the secret salt can rebuild the md5 to
check validity. Presumably you won't allow the same md5 to be used
twice. The time is tracked so that you can limit validity of the salt
for a period of time. So if the time on your server is more than 20
minutes ahead of the time for the submission, you can feel free to delete
entries in your database since the time has expired. This allows you to
not need to track all md5s ever generated. Only the last X minutes of
md5s.

If you implement this, Tijnema won't be able to break it.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
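The multi-salt token scheme Rob describes, written out end to end as an added example (this is not code from the thread or from InterJinn). It issues the three form fields, verifies a submission against the secret salt, enforces the 20-minute window, rejects a token that has already been used, and prunes the store of seen md5s the way Rob suggests. The SECRET_SALT value, the in-memory $used array standing in for a database table, and the fixed clock values in the demo run are all constructed for illustration. Today one would use hash_hmac('sha256', ...) with a random_bytes() nonce instead of md5 over a concatenation, but the structure (secret kept server-side, timestamp and nonce sent in the form, one-time use) is the same.

```php
<?php
// Added example, not from the original thread: Rob's secret salt + time +
// uniqid form token, with expiry and one-time use. SECRET_SALT is a
// constructed placeholder; the real value must never reach the client.

const SECRET_SALT = 'YoUR SeKreT SaLT';  // constructed placeholder
const TOKEN_TTL   = 20 * 60;             // Rob's 20-minute window, in seconds

// Build the fields the server embeds in the form: salt2 (time), salt3 (uniqid), md5.
function issue_token(string $value, ?int $now = null): array {
    $salt2 = $now ?? time();
    $salt3 = uniqid('', true);
    $md5   = md5(SECRET_SALT . '__' . $salt2 . '__' . $salt3 . '__' . $value);
    return ['salt2' => $salt2, 'salt3' => $salt3, 'md5' => $md5];
}

// Verify a submission. $used is the server-side set of md5s accepted within
// the last TOKEN_TTL seconds (a database table in practice; an array here).
// Returns 'ok' or the reason the token was rejected.
function verify_token(string $value, array $post, array &$used, ?int $now = null): string {
    $now = $now ?? time();
    foreach (['salt2', 'salt3', 'md5'] as $k) {
        if (!isset($post[$k])) {
            return 'missing';
        }
    }
    $salt2 = (int) $post['salt2'];
    // The timestamp is client-supplied: reject it if it is older than the
    // window or stamped in the future.
    if ($salt2 > $now || $now - $salt2 > TOKEN_TTL) {
        return 'expired';
    }
    // Only someone holding SECRET_SALT can produce a matching md5.
    $expected = md5(SECRET_SALT . '__' . $salt2 . '__' . $post['salt3'] . '__' . $value);
    // hash_equals compares in constant time, so the position of the first
    // mismatching byte is not leaked through response timing.
    if (!hash_equals($expected, (string) $post['md5'])) {
        return 'forged';
    }
    if (isset($used[$post['md5']])) {
        return 'replayed';
    }
    $used[$post['md5']] = $salt2;   // remember the timestamp so we can prune later
    return 'ok';
}

// Drop md5s older than TOKEN_TTL; after that point verify_token() already
// rejects them as expired, so only the last window of md5s needs keeping.
function prune_used(array &$used, ?int $now = null): void {
    $now = $now ?? time();
    foreach ($used as $md5 => $salt2) {
        if ($now - $salt2 > TOKEN_TTL) {
            unset($used[$md5]);
        }
    }
}

// Demo run with a fixed clock so the outcomes are reproducible.
$used  = [];
$value = 'comment-form';                       // the $value from Rob's snippet
$t = issue_token($value, 1000000);

echo verify_token($value, $t, $used, 1000060), "\n";   // ok: fresh, valid, unused
echo verify_token($value, $t, $used, 1000120), "\n";   // replayed: same md5 again

$tampered = $t;
$tampered['salt2'] = 1000600;                          // client rewrites the time
echo verify_token($value, $tampered, $used, 1000700), "\n";   // forged: md5 no longer matches

$late = issue_token($value, 1000000);
echo verify_token($value, $late, $used, 1002000), "\n";       // expired: 2000 s > 1200 s

prune_used($used, 1002000);
echo count($used), "\n";                               // 0: the stored md5 aged out
```

Usage note: the form would carry salt2, salt3 and md5 as hidden fields and the handler would call verify_token() with $_POST; the $value binds the token to a particular form or action so a token issued for one cannot be replayed against another. The pruning call belongs in a cron job or at the top of the handler, not in the request path of every visitor.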

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

