tags:

views:

37

answers:

2
+1  Q: 

Secure a script from outside access?

Ok, here is the problem.

I have a facebook application where users can earn points for completing surveys. When the user has completed the survey, at the end of the survey a tracking pixel is fired to credit the users account. The pixel loads a script like the one below:

http://www.mysite.com/fb/add-credit.php?userid=<fbid>

I want to secure this from outside access. I have thought about using referrers, but someone could easily sniff the traffic, and fake the referrer.

I also thought about this. When the user clicks the link to complete the survey I will create an entry in the database with a MD5 timestamp as the token. If the user was to then try and credit their own account by going direct to the add-credit script they would need to know the exact timestamp.

Would there be any issues with the second solution?

+2  A:  
id, clientId, surveyId, MD5Hash

When a client starts a survey, make an MD5Hash like so: take the IP Address & survey id concate and MD5 it, add all this information to the table. When the client get's to the end of your survey, the image is called with only the survey ID, the image is a script that takes the survey ID as an arg in some fashion, and MD5s the IP address and survey id that are concated. It then checks to see if it can find an MD5Hash that matches this, if it does, give the client credit and clear the MD5Hash field to make sure the client does not get a double credit.

Mark Tomlin  2010-02-27 10:19:33
Just what I was thinking :) Thanks.
James Jeffery  2010-02-27 10:26:39
I cleaned it up to only use one table, it might help you out just a little bit more. It's 5:30, and I do my best thinking @ 4am normally, but today has been a long day, so I'm sorry if my first answer was convoluted.
Mark Tomlin  2010-02-27 10:33:41
You may want to follow DCC's suggestion and also salt the MD5 hash also, as it would make hacking this pretty tough from a client only stand point.
Mark Tomlin  2010-02-27 10:36:56
@James, could you please accept the answer?
Mark Tomlin  2010-07-20 04:11:18
+2  A: 

Depends on how you create that time stamp in the database, thrum ajax or php ?

Also when creating the time stamp use a combination of time+facebookid+ip, with the md5 salted :)

DCC  2010-02-27 10:21:08
I won't be using Ajax ... unless there is a beneficial reason for it.
James Jeffery  2010-02-27 10:24:56
You have a point on salting the MD5.
Mark Tomlin  2010-02-27 10:35:30

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases