#1  Contributing User (Devshed Newbie)

    Secret Keys & XML Strings


    I am creating a username and password form. The password is md5 hashed. I am being told I also need to add a "Secret Key". What is this? What do I need to do?

    Also, depending on the user's input I need to have the web service respond with...

    Validated = 1 or Validated = 0

    and it needs to return in an XML string.
#2  Devshed Expert
    Hi,

    you do not need a "secret key". You need a strong hashing algorithm (which MD5 is not) and a unique, random salt for every password. The salt doesn't have to be secret. Its sole purpose is to prevent brute force attacks on all passwords at once, because each password must be attacked separately using its individual salt.

    The best solution is probably the PHPass library, because it's established and well-tested -- much better than trying to implement your own algorithm, because there are many things you can do wrong. Cryptography isn't trivial.
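The scheme this reply describes, as an added example that is not code from the thread: a random per-password salt plus a deliberately slow hash. It uses PHP's built-in password_hash()/password_verify() (bcrypt, PHP 5.5+; the list-destructuring syntax needs PHP 7.1+) in place of the PHPass library recommended above, and adds one thing the reply does not spell out: how to move rows that already hold unsalted MD5 digests onto bcrypt the next time each user logs in. The sample password and the row values are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Built-in password_hash()/
// password_verify() (bcrypt) stand in for the PHPass library; both give a
// random per-password salt and a slow hash.
declare(strict_types=1);

const BCRYPT_COST = 12; // tune so one hash takes a few hundred ms on your server

// Hash a new password for storage. bcrypt draws a fresh random salt on every
// call and embeds it in the output string, so no separate salt column is
// needed and, as the reply says, the salt does not have to be secret.
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verify a login. Returns [matched, replacementHash]. replacementHash is a new
// bcrypt hash the caller should write back to the user's row when the stored
// value is a legacy unsalted MD5 digest (32 hex chars, as the original form
// stores) or a bcrypt hash made with an older cost; accounts upgrade lazily.
function verifyAndUpgrade(string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        // Legacy MD5 row: compare digests in constant time, upgrade on success.
        $ok = hash_equals(strtolower($stored), md5($password));
        return [$ok, $ok ? hashForStorage($password) : null];
    }
    // password_verify() re-derives the hash with the salt embedded in $stored
    // and compares in constant time.
    $ok = password_verify($password, $stored);
    $needsRehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return [$ok, $needsRehash ? hashForStorage($password) : null];
}

// Demo with a constructed password shared by two users.
$shared = 'correct horse battery staple';
$alice  = hashForStorage($shared);
$bob    = hashForStorage($shared);

// Same password, different salt, different hash: one table of precomputed
// digests cracks neither row, and each must be attacked separately.
printf("alice and bob hashes differ: %s\n", $alice !== $bob ? 'yes' : 'no');

[$ok, $new] = verifyAndUpgrade($shared, $alice);
printf("bcrypt row: matched=%s, rehash needed=%s\n",
       $ok ? 'yes' : 'no', $new === null ? 'no' : 'yes');

// A legacy row as the MD5 scheme in the original form would have stored it.
$legacy = md5($shared);
[$ok, $new] = verifyAndUpgrade($shared, $legacy);
printf("legacy md5 row: matched=%s, new bcrypt hash to store=%s\n",
       $ok ? 'yes' : 'no', $new === null ? 'none' : 'yes');

[$ok, $new] = verifyAndUpgrade('wrong password', $legacy);
printf("legacy md5 row, wrong password: matched=%s\n", $ok ? 'yes' : 'no');
```

The upgrade path only works while users keep logging in; rows that never see a successful login stay as MD5, so treat the migration as finished only when no 32-hex-character values remain in the column.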
#3  Lost in code (Devshed Supreme Being)
    A "secret key" isn't a specific technical thing, it's just a value that other people are not supposed to know. How you use it depends on the specifications for your application.

    Also an "XML string" isn't a specific technical descriptor beyond describing a string that contains XML. It doesn't tell you anything about what the XML is supposed to look like.
#4  Contributing User (Devshed Newbie)
    The company this is for requires I use md5. Where would I put this "Secret Key"?

    How do I create the XML output?

    This is the page code

    PHP Code:
    <?php require_once('Connections/passwords.php'); ?>
    <?php
    if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
      if (PHP_VERSION < 6) {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
      }

      $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

      switch ($theType) {
        case "text":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "long":
        case "int":
          $theValue = ($theValue != "") ? intval($theValue) : "NULL";
          break;
        case "double":
          $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
          break;
        case "date":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "defined":
          $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
          break;
      }
      return $theValue;
    }
    }
    ?>
    <?php
    // *** Validate request to login to this site.
    if (!isset($_SESSION)) {
      session_start();
    }

    $loginFormAction = $_SERVER['PHP_SELF'];
    if (isset($_GET['accesscheck'])) {
      $_SESSION['PrevUrl'] = $_GET['accesscheck'];
    }

    if (isset($_POST['username'])) {
      $loginUsername = $_POST['username'];
      $password = md5($_POST['password']);
      $MM_fldUserAuthorization = "";
      $MM_redirectLoginSuccess = "verify_success.php";
      $MM_redirectLoginFailed = "verify_failed.php";
      $MM_redirecttoReferrer = false;
      mysql_select_db($databasecredentials, $WWM_iPad);

      $LoginRS__query = sprintf("SELECT username, password FROM ipad_up WHERE username=%s AND password=%s",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

      $LoginRS = mysql_query($LoginRS__query, $WWM_iPad) or die(mysql_error());
      $loginFoundUser = mysql_num_rows($LoginRS);
      if ($loginFoundUser) {
         $loginStrGroup = "";

        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;

        if (isset($_SESSION['PrevUrl']) && false) {
          $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess );
      }
      else {
        header("Location: " . $MM_redirectLoginFailed );
      }
    }
    ?>
    <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
      <tr>
        <td width="410">
        
        <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
          <form action="<?php echo $loginFormAction?>" method="post" name="login" id="login">
            <tr>
              <td bgcolor="#FFFFFF"><strong>Member Login:</strong></td>
              <td bgcolor="#FFFFFF">&nbsp;</td>
            </tr>
            <tr>
              <td bgcolor="#FFFFFF">Username:</td>
              <td bgcolor="#FFFFFF"><input name="username" type="text" id="username" size="15" maxlength="6" /></td>
            </tr>
            <tr>
              <td width="123" bgcolor="#FFFFFF">Password:</td>
              <td width="157" bgcolor="#FFFFFF"><input name="password" type="password" id="password" size="15" /></td>
            </tr>
            <tr>
              <td height="42" bgcolor="#FFFFFF">&nbsp;</td>
              <td bgcolor="#FFFFFF"><input type="submit" name="submit" id="submit" value="Submit" /></td>
            </tr>
          </form>
        </table></td>
      </tr>
    </table>
#5  Contributing User (Devshed Newbie)
    According to this document this is what I need to do...


    Web service should be publicly accessible via an HTTP request call. The HTTP request should accept either a POST or a GET method, which contains a secret key of access.

    Provide the web service details for validating user credentials.

    Web Service URL: mysite.com
    Method Name: Post
    Secret Key: ?????

    The web service should accept a JSON object, XML string or GET method values:

    Field      Type
    Username   Clear Text
    Password   MD5 Encrypted

    The web service should return the following in a JSON object or XML string:

    Validated = 1  // IF 1 then TapEdition will allow the user to login and access all the issues without purchasing.

    Validated = 0  // IF 0 then TapEdition will present a message to the user: "Incorrect username/password"