|
|
Posted by Dikkie Dik on 10/06/90 12:00
> How does your suggestion on hashing ids work?
I keep a list of known hashes in the session, say $_SESSION['known_hashes'].
If I have an ID that the user has to choose from, I pass the hash of
that ID and store it along with the ID in that list. So if a user can
choose from a set of bank accounts to work on, the HTML shows something
like:
<select ...>
<option value="sKbSKHgrsjbrvsrb2497wkj">First account</option>
...
</select>
When I process the result, I look up the hash in
$_SESSION['known_hashes'] to find what ID belongs to it.
This has e a few advantages:
- No unnecessary database info is ever sent to the client,
- Only hashes are known that belong to that user, so even a brute force
guesswork will only yield the possibilities that the user would have anyway.
My hashing system hashes per table, so you cannot abuse a userID as an
accountID, for example.
> Like this: profilepage.php?uid=7sy6fsnyfm984oym3oyowiuyrowr432
> and server side: SELECT * FROM users WHERE md5(users.user_id) =
> $uid;
>
> Or more like this: SELECT * FROM users WHERE users.uidhash = $uid;
No. More like:
if(isset($_SESSION['known_hashes'][$accountParameter])):
$query = 'SELECT * FROM users WHERE user_id=' .
FromHash($accountParameter);
endif;
Regards
Navigation:
[Reply to this message]
|