#1
  1. A Change of Season

    PHP encrypt $_GET


    I am pretty sure it is bad practice to send login details with GET. But if for some reason there is no access to SSL, does such an approach make it safe to send details with GET?
    PHP Code:
    $password = sha1($password); // already sha1 password from the database
    $email_enc = substr($email, 2, 4); // Get a non predictable value from email
    $key = md5($email_enc); // twist it more
    $password = $key.$email;
    $email = sha1(md5($email.$password));

    curl_setopt($ch, CURLOPT_URL, "http://www.webmoosh.com/REST/responce.php?email=".$email."&password=".$password);
    And in responce.php use the same rules to check it matches.
  2. #2
  3. Did you steal it?
    If you were to hash the password appropriately, yes it could work. But now the password is simply the new hashed thing: I could sniff the connection, see the hashed password, and use that in my own custom request.

    Which is why I told you last time to use the password and information about the request itself in the hash. Then even if I did grab the password hash I couldn't use that in my custom request (because the "information about the request itself" has changed and the hash is incorrect).
  4. #3
  5. A Change of Season
    Originally Posted by requinix
    If you were to hash the password appropriately, yes it could work. But now the password is simply the new hashed thing: I could sniff the connection, see the hashed password, and use that in my own custom request.

    Which is why I told you last time to use the password and information about the request itself in the hash. Then even if I did grab the password hash I couldn't use that in my custom request (because the "information about the request itself" has changed and the hash is incorrect).
    Information in the request is the same per user. I only retrieve users data based on the email, password and the data range of the data they request. So a user may ask for exact same date range data many times.

    PS. I wonder how it is possible to sniff the connection and see the password?
  6. #4
  7. Did you steal it?
    Maybe the end user has a really insecure connection? Don't worry about imagining how it's possible and just assume it's actually happening.

    Then use something else that's not repeatable: the time. Make the request include the Date: HTTP header and use that in the request signature. (Or you can put it in the query string but that's not as cool.) On the server side, validate that the date is close to what it thinks the time is (say, 5 minutes) and if so use the date provided to calculate the signature.

    Here's an example of how it works but not how you should actually do it.
    PHP Code:
    // client
    $date = date(DATE_RFC822);
    $hash = sha1($email . $password . $date);
    // send a request to responce.php?email=$email&hash=$hash with a Date: $date header


    // server
    $date = $_SERVER["HTTP_DATE"];
    if (abs(time() - strtotime($date)) > 300) {
        // stop: request expired
    }
    $hash = sha1($_GET["email"] . /* password */ $date);
    if ($hash != $_GET["hash"]) {
        // stop: invalid hash
    }
    // continue...
    Last edited by requinix; March 18th, 2013 at 01:29 AM. Reason: couple typos
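The timestamped signature from post #4, as an added example that is not part of the thread: it swaps the bare sha1() concatenation for HMAC-SHA256 and the != comparison for hash_equals(), and signs the date range along with the time. The function names, the token value and the from/to parameters are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). sign_request(), verify_request(),
// $secret and the from/to parameters are hypothetical names.

const MAX_SKEW = 300; // seconds; the 5-minute window suggested in the thread

// Client side: sign the request parameters together with the request time.
function sign_request(array $params, string $date, string $secret): string
{
    ksort($params); // canonical order so both sides hash the same bytes
    $message = $date . "\n" . http_build_query($params);
    return hash_hmac('sha256', $message, $secret);
}

// Server side: reject stale requests, then recompute the signature and compare.
function verify_request(array $params, string $date, string $sig, string $secret, int $now): string
{
    $sent = strtotime($date);
    if ($sent === false || abs($now - $sent) > MAX_SKEW) {
        return 'expired';
    }
    // hash_equals() compares in constant time and does no type juggling.
    return hash_equals(sign_request($params, $date, $secret), $sig) ? 'ok' : 'invalid';
}

// Constructed sample values.
$secret = 'per-user-api-token-from-database';
$params = ['email' => 'user@example.com', 'from' => '2013-03-01', 'to' => '2013-03-17'];
$now    = strtotime('2013-03-18 01:29:00 UTC');
$date   = gmdate(DATE_RFC2822, $now); // would travel in the Date: header
$sig    = sign_request($params, $date, $secret);

// 1. Fresh, untouched request.
echo verify_request($params, $date, $sig, $secret, $now + 10), "\n";
// 2. Sniffed signature reused with a different date range.
$tampered = ['to' => '2013-12-31'] + $params;
echo verify_request($tampered, $date, $sig, $secret, $now + 10), "\n";
// 3. Identical request replayed after the window has passed.
echo verify_request($params, $date, $sig, $secret, $now + 600), "\n";
// 4. Identical request replayed inside the window.
echo verify_request($params, $date, $sig, $secret, $now + 120), "\n";
```

Case 4 passes the same checks as case 1: the time window only bounds how long a captured request stays usable, and the response body still travels in the clear without TLS.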
  8. #5
  9. Lost in code
    In case it's not obvious, $password in that example is the hash of the password calculated on the client side, and /* password */ is the hash of the password retrieved from the database on the server side.

    (alternatively, $password could be some api token instead of an actual password - in that case, it shouldn't be allowed to be used for login via any sort of front-end)
    Last edited by E-Oreo; March 18th, 2013 at 12:56 AM.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  10. #6
  11. A Change of Season
    Wait a minute! Have you seen this: 2a2e80820af27ed39227c873a73d556a4c4a2696. Are you telling me that someone who does not know the value for $password and the algorithm to create $email_enc can still create the $final_email variable?
    PHP Code:
    $email = "pmdg3@yahoo.com.au";
    $password = "pascal";
    $email_enc = substr($email, 2, 4);
    #########
    #########
    $password = sha1($password);
    $email_enc = substr($email, 2, 4);
    $key = md5($email_enc);
    $password = $key.$email;
    $final_email = sha1(md5($email.$password));
    $ch = curl_init(); // handle needed before curl_setopt()
    curl_setopt($ch, CURLOPT_URL, "http://www.webmoosh.com/REST/responce2.php?update_value=".$final_email);

    //$final_email = 2a2e80820af27ed39227c873a73d556a4c4a2696
  12. #7
  13. --
    Hi,

    an attacker does not need to know $password or $email or whatever magic you might do to generate the hash. All he/she needs is the final value -- and that's what you send out into the world unencrypted.

    In other words, what you have there is a plaintext password system -- with some hocus pocus on top.

    Don't try to invent your own security protocol. It doesn't work. There's a reason why protocols like TLS/SSL have been developed, peer-reviewed and tested by actual cryptographers over a long period of time. It's because security isn't as easy as "I'm gonna take the password, append my wife's birthday, hash it 13 times, reverse it -- and that's my super secret, unbreakable encryption". This might work in some bad Hollywood movie, but not in reality.

    As a layman (which we all are), you will fail. Some people already get the basics wrong, some people screw up some detail.

    So always go with an established solution that actually works and isn't just the 412,156th failed attempt of "security by obscurity". Why can't you use SSL? If you cannot afford a mainstream certificate, you could use a self-signed one. That's not perfect, but it's far, far better than anything you (or other forum members) will ever come up with.
    Last edited by Jacques1; March 18th, 2013 at 03:15 PM.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  14. #8
  15. A Change of Season
    @Jacques1;

    Your reply was clear and solved my confusion. I got a $5 SSL from godaddy and I am having a play. Would it be safe to send raw data with GET WITH SSL?


    @requinix
    I don't think I ever had a question that you didn't know the answer to! But sometimes, because of the difference in levels of understanding of PHP, it takes me a few replies to understand your point, like above. The 5 minutes time thing is pretty smart.

    Thank you
  16. #9
  17. --
    Originally Posted by zxcvbnm
    Your reply was clear and solved my confusion. I got a $5 SSL from godaddy and I am having a play.
    Great.



    Originally Posted by zxcvbnm
    Would it be safe to send raw data with GET WITH SSL?
    The URL will be encrypted, but URL parameters generally aren't meant for sending critical data. There's a high risk of leaking them through the server log, the referrer header when clicking on an external link (if the linked site uses HTTPS), the browser history, careless sharing of the link etc.

    Use POST instead.