Re: How to secure this

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



John Allsopp wrote:
Hi everyone

There may be blinding bits of total ignorance in this so don't ignore the obvious.

This is a security question, but a sentence of background: I'm writing software for a mapping/location website and I want to be able to provide something others can plug into their website that would display their map.

So I'm providing a URL like http://www.mydomain.com?h=300&w=250&username=name&password=password

The idea is they can define their own height and width and it plugs in as an iframe.

That takes the username and password and throws it over web services to get back the data from which we can create the map.

My question (and it might be the wrong question) is how can I not give away the password to all and sundry yet still provide a self-contained URL?

MD5() (or SHA()) hash the information and supply that along with the settings. Then you know it was generated by your site. So you can do the following:

<?php

$height = 300;
$width = 250;
$username = 'username';
$key = md5( "SECRET_SALT-$heigh-$width-$username" );

$url = "http://www.mydomain.com?h=$height&w=$width&username=$username&key=$key";;

?>

Then when you get this URL via the iframe, you re-compute the expected key and then compare it against the given key. Since only you know the SECRET_SALT value then nobody should be able to forge the key.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux