#1

    MD5 hash / link IDs


    Hi All,


    OK, I've got a table which has a repeated region in it that lists all open support tickets in a SQL database. On the end row I have a hyperlink like this:

    Code:
    <a href="tickets_view.php?id=<?php echo $row_support_tickets['id']; ?>">view</a>
    I'm wanting to make this a bit more secure because I'm using this method with other things like listing domains...and I don't want someone to be able to just change the id in the URL and see other customers' domains/support tickets.

    So I thought maybe this would work:

    Code:
    <a href="tickets_view.php?ticketid=<?php echo md5($row_support_tickets['id']); ?>">view</a>
    But that produced another problem because in ticket_view.php I have this:

    PHP Code:
    <?php echo htmlspecialchars($_GET['ticketid'], ENT_QUOTES, 'UTF-8'); ?>
    - To get the ticket in the url passed from the previous page via the hyperlink.

    I'm kinda out of ideas now as I need to use that ticketid (unhashed and unmodified) for other things on ticket_view.php.....


    Any help would be greatly appreciated.

    Thanks
    Ben
  2. #2
    Putting ID numbers in the URL is perfectly fine. Build your pages so that the user is only allowed to see content they're allowed to. Let them change the URL to their heart's content: it won't do them any good because there is security in place to make sure they can't see things they shouldn't.
  4. #3
    Use something else. MD5 is essentially a 1 way encryption. You need to use mcrypt_encrypt and mcrypt_decrypt. Depending on how secure you want it. Alternatively you can put the MD5 encrypted id in your database and use it for your queries rather than the unencrypted id.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  6. #4
    Apart from maybe letting them log in, you might want to salt the hash btw, because if all you do is a pure hash of a numeric id it's rather easy to figure out what the page hash will be no matter what hash you use.

    PHP Code:
    $id = somehash($id . $randomsalt); // somehash() stands for whichever hash function you pick
    Last edited by aeternus; December 30th, 2012 at 09:18 AM.
  8. #5
    Originally Posted by requinix
    Putting ID numbers in the URL is perfectly fine. Build your pages so that the user is only allowed to see content they're allowed to. Let them change the URL to their heart's content: it won't do them any good because there is security in place to make sure they can't see things they shouldn't.
    Hey requinix,

    Thanks for your suggestion, I've done exactly as you've said. On ticket_view.php it still gets the ticketid passed through plaintext in the URL, but if that ticket id doesn't match up to the clientid that opened it, an error message shows simply saying "Incorrect Ticket ID! Click here to go back to the ticket list"

    Thanks for your help and thanks to everyone else for your input it's muchly appreciated.
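
The ownership check described in posts #2 and #5, as an added example that is not code from the thread. The table and column names (`support_tickets`, `client_id`), the helper `find_ticket_for_client()` and the sample rows are assumptions; it needs the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, client_id INTEGER, subject TEXT)');
$db->exec("INSERT INTO support_tickets VALUES (101, 1, 'Mail not delivered'), (102, 2, 'DNS change')");

/**
 * Return the ticket only if it belongs to the given client.
 * A missing ticket and another client's ticket both yield null, so the
 * response does not reveal which IDs exist.
 */
function find_ticket_for_client(PDO $db, $rawId, int $clientId): ?array
{
    // Accept only a plain positive integer from the URL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Ownership is part of the query itself, with bound parameters.
    $stmt = $db->prepare(
        'SELECT id, subject FROM support_tickets WHERE id = :id AND client_id = :client'
    );
    $stmt->execute([':id' => $id, ':client' => $clientId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In ticket_view.php the client ID comes from the login session, never the URL:
//   $clientId = (int) $_SESSION['client_id'];   $rawId = $_GET['id'] ?? '';
$clientId = 1; // constructed: the logged-in client

// Own ticket, another client's ticket, nonexistent ticket, malformed value.
foreach (['101', '102', '999', '101abc'] as $rawId) {
    $ticket = find_ticket_for_client($db, $rawId, $clientId);
    if ($ticket === null) {
        echo "id=$rawId: Incorrect Ticket ID!\n";
    } else {
        echo "id=$rawId: ", htmlspecialchars($ticket['subject'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Only the first ID prints a subject; the other three produce the same error message.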
  10. #6
    Hi,

    just to clarify this a bit more:

    Whenever you find yourself trying to hash/encrypt/obfuscate something, it's almost always a bad idea (except for established practices like hashing user passwords). Security isn't as easy as "I need this to be 'secret', so let me base64_encode(md5(crypt())) that real quick". Hashing, encryption etc. all have a very limited purpose and are difficult to implement properly, so don't try to make up your own home-made security protocol. It's not gonna work. Instead, think deeply about what you actually want to do, and if you still think hashing/encryption is the right approach, then use an established standard solution.

    You want to prevent people from accessing certain content? -> use a login system

    You want to make the ticket IDs hard to guess? -> do it like they do with session IDs and use a cryptographically secure random number generator

    etc.

    Use real solutions that have actually been proven to work for this specific problem, not stuff that you've read about in some sh*tty tutorial (MD5 is pretty much dead) and that gives you a vague feeling of "this will somehow make my data secure".

    Sorry, but using a hash for this is like putting condoms in a car to help in car crashes, because you've read somewhere that "condoms will protect you".
  12. #7
    Originally Posted by Jacques1
    Hi,

    just to clarify this a bit more:

    Whenever you find yourself trying to hash/encrypt/obfuscate something, it's almost always a bad idea (except for established practices like hashing user passwords). Security isn't as easy as "I need this to be 'secret', so let me base64_encode(md5(crypt())) that real quick". Hashing, encryption etc. all have a very limited purpose and are difficult to implement properly, so don't try to make up your own home-made security protocol. It's not gonna work. Instead, think deeply about what you actually want to do, and if you still think hashing/encryption is the right approach, then use an established standard solution.

    You want to prevent people from accessing certain content? -> use a login system

    You want to make the ticket IDs hard to guess? -> do it like they do with session IDs and use a cryptographically secure random number generator

    etc.

    Use real solutions that have actually been proven to work for this specific problem, not stuff that you've read about in some sh*tty tutorial (MD5 is pretty much dead) and that gives you a vague feeling of "this will somehow make my data secure".

    Sorry, but using a hash for this is like putting condoms in a car to help in car crashes, because you've read somewhere that "condoms will protect you".
    Thanks for your reply.

    1. There is a login system
    2. The ticket IDs are hard to guess, they're randomly generated and the chances of someone guessing one is probably impossible, but as I mentioned before I'm not only using this for tickets, I'm also using it for other things.
    3. The only reason I initially thought md5 (and I did consider sha1) was that it would essentially "cloak" the plaintext id.

    I didn't give more information as I just wanted a simple answer, which is what Requinix and the other guys gave me.

    Thanks.
  14. #8
    Originally Posted by ben.y
    3. The only reason I initially thought md5 (and I did consider sha1) was that it would essentially "cloak" the plaintext id.
    I know. But apart from all the other problems, there's a big fallacy: Once I've figured out that you're using MD5 (which shouldn't be too hard), what prevents me from simply converting the "real IDs" into the "cloaked ID's" exactly like you do in your application?

    I'm not "blaming" you for overlooking this, I'm saying that you shouldn't invent your own security protocols at all -- exactly because of "stupid" mistakes like this. There's a reason why things like TLS/SSL have taken years of development and testing and groups of experts working on it. You won't achieve the same thing as a layman in 5 minutes.



    Originally Posted by ben.y
    I didn't give more information as I just wanted a simple answer, which is what Requinix and the other guys gave me.
    Yes. I was just trying to explain it and put it in a broader context, so that it's not just some solution you copy and paste somewhere from the Internet.
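
The two points from posts #6 and #8 side by side, as an added example that is not code from the thread: a keyless MD5 of a numeric ID can be recomputed by anyone, while a token drawn from the CSPRNG has no relationship to the ID. The function names, the `public_token` column name and the sample tickets are assumptions; `random_bytes()` needs PHP 7 or later.

```php
<?php
declare(strict_types=1);

// The scheme from the first post: a keyless hash of a numeric ID.
function md5_link_id(int $id): string
{
    return md5((string) $id);
}

// The mapping is public, so running it over the ID range inverts a "cloaked" value.
function invert_md5_link_id(string $cloaked, int $maxId): ?int
{
    for ($id = 1; $id <= $maxId; $id++) {
        if (md5((string) $id) === $cloaked) {
            return $id;
        }
    }
    return null;
}

// The alternative named in the thread: an identifier taken from the CSPRNG.
function new_public_token(): string
{
    return bin2hex(random_bytes(16)); // 128 random bits, 32 hex characters
}

// Constructed sample: token => ticket row. In a database this would be a
// UNIQUE column beside the integer id (assumed name: public_token).
$tickets = [];
foreach ([101 => 1, 102 => 2] as $id => $clientId) {
    $tickets[new_public_token()] = ['id' => $id, 'client_id' => $clientId];
}

function find_by_token(array $tickets, string $token, int $clientId): ?array
{
    // Shape check, lookup, then the ownership check, which is still needed
    // because a link can leak through logs, referrers or forwarding.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $row = $tickets[$token] ?? null;
    return ($row !== null && $row['client_id'] === $clientId) ? $row : null;
}

var_dump(invert_md5_link_id(md5_link_id(102), 1000)); // the numeric ID comes back
$token = array_keys($tickets)[0];                     // token issued for ticket 101
var_dump(find_by_token($tickets, $token, 1));         // owner: row returned
var_dump(find_by_token($tickets, $token, 2));         // other client: null
```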
  16. #9
    Originally Posted by Jacques1
    I know. But apart from all the other problems, there's a big fallacy: Once I've figured out that you're using MD5 (which shouldn't be too hard), what prevents me from simply converting the "real IDs" into the "cloaked ID's" exactly like you do in your application?

    I'm not "blaming" you for overlooking this, I'm saying that you shouldn't invent your own security protocols at all -- exactly because of "stupid" mistakes like this. There's a reason why things like TLS/SSL have taken years of development and testing and groups of experts working on it. You won't achieve the same thing as a layman in 5 minutes.

    Yes. I was just trying to explain it and put it in a broader context, so that it's not just some solution you copy and paste somewhere from the Internet.


    Sorry, I've been up for 36 hours. I didn't mean to snap.
    You're right, there's nothing to stop you from jumping on a website to reverse the md5'd ticketid.


    Thanks for your help and suggestions

    Comments on this post

    • Jacques1 agrees
