Indeed. I was just throwing out the idea of ever-changing values.
Robert Cummings wrote:
On Sun, 2007-04-08 at 04:38 -0700, benifactor wrote:
hmm, why don't you md5 more than once..
for example, use a condition that will change with every visitor. like
the third num in $_SERVER['REMOTE_ADDR']; or something of the sort.
then make a loop..
say the third num in my ip address is 5
the person that visits after me would get my value, and say you were
right before me and yours was a 7
the md5 check for me would look like
md5(md5(md5(md5(md5(md5(md5($value)))))));
and for the person right after me
md5(md5(md5(md5(md5($value)))));
this way for each visitor, a piece of the puzzle is changed. just an
idea, and have no idea if it would even work for what you're doing...
Ugh, don't do that... it's no more differentiated than doing the
following which is cleaner:
md5( $_SERVER['REMOTE_ADDR'].$value );
The above uses the IP address as a salt. But better yet, since the above
is still prone to abuse by the same server making repeat attempts,
create a multi-salt system...
$salt1 = 'YoUR SeKreT SaLT';
$salt2 = time();
$salt3 = uniqid();
$md5 = md5( $salt1.'__'.$salt2.'__'.$salt3.'__'.$value );
Then in your form you include the value of $salt2, $salt3, and $md5. In
this way only those who know the secret salt can rebuild the md5 to
check validity. Presumably you won't allow the same md5 to be used
twice. The time is tracked so that you can limit validity of the salt
for a period of time. So if the time on your server is more than 20
minutes ahead of the time for the submission, you can feel free to delete
entries in your database since the time has expired. This allows you to
not need to track all md5s ever generated. Only the last X minutes of
md5s.
If you implement this, Tijnema won't be able to break it.
Cheers,
Rob.
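Rob's multi-salt scheme worked through as an added PHP example (not code from this thread): building the form fields from the secret salt, time() and uniqid(), verifying a submission against the secret, enforcing the 20-minute window, and refusing to accept the same md5 twice. The function names and the in-memory $used store are assumptions.

```php
<?php
// Added example of the scheme described in the thread; not the poster's code.
// SECRET_SALT is a placeholder and must never appear in the form itself.
const SECRET_SALT = 'YoUR SeKreT SaLT';
const TOKEN_TTL   = 20 * 60;   // 20 minutes, as in the post

// Produce the three fields that go into the form: $salt2, $salt3 and $md5.
function make_token(string $value, ?int $now = null): array {
    $now   = $now ?? time();
    $nonce = uniqid('', true);
    $md5   = md5(SECRET_SALT . '__' . $now . '__' . $nonce . '__' . $value);
    return ['t' => $now, 'nonce' => $nonce, 'md5' => $md5];
}

// Verify a submitted form. $used maps accepted md5s to their timestamp so a
// token cannot be replayed; only the last TOKEN_TTL seconds need to be kept.
function check_token(string $value, array $form, array &$used, ?int $now = null): bool {
    $now = $now ?? time();
    $t   = (int)($form['t'] ?? 0);
    // Outside the window (or stamped in the future): reject before anything else.
    if ($t > $now || $now - $t > TOKEN_TTL) {
        return false;
    }
    $nonce    = (string)($form['nonce'] ?? '');
    $expected = md5(SECRET_SALT . '__' . $t . '__' . $nonce . '__' . $value);
    // Constant-time comparison so the check does not leak where a guess fails.
    if (!hash_equals($expected, (string)($form['md5'] ?? ''))) {
        return false;
    }
    // The same md5 is only ever accepted once.
    if (isset($used[$expected])) {
        return false;
    }
    $used[$expected] = $t;
    return true;
}

// Housekeeping: forget accepted tokens that can no longer validate anyway.
function purge_used(array &$used, ?int $now = null): void {
    $now = $now ?? time();
    foreach ($used as $md5 => $t) {
        if ($now - $t > TOKEN_TTL) {
            unset($used[$md5]);
        }
    }
}

$used  = [];
$token = make_token('post-42');
var_dump(check_token('post-42', $token, $used));                    // fresh token
var_dump(check_token('post-42', $token, $used));                    // same token again
var_dump(check_token('post-43', $token, $used));                    // value changed
var_dump(check_token('post-42', $token, $used, time() + 21 * 60));  // past the window
```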
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php