tags:

views:

55

answers:

1
+1  Q: 

How to make a "Spinner" to improve php form security?

This article about php form security:

http://nedbatchelder.com/text/stopbots.html

... mentions a "spinner" as:

The spinner is a hidden field used for a few things: it hashes together a number of values that prevent tampering and replays, and is used to obscure field names. The spinner is an MD5 hash of:

* The timestamp,
* The client's IP address,
* The entry id of the blog entry being commented on, and
* A secret.

The field names on the form are all randomized. They are hashes of the real field name, the spinner, and a secret. The spinner gets a fixed field name, but all other fields on the form, including the submission buttons, use hashed field names.

Does anyone have a code sample of how to implement this on a php page containing a form and the associated php form submission script?

I don't want to use AJAX, just PHP.

A: 

You could implement the following:

  On Page Submit:
  <?php
    $spinnerKey = 'spin';
    $spinner = $_POST[$spinnerKey];
    $values = array();

    foreach ($_POST as $key=>$value)
    {
      if ($key !== $spinnerKey)
      {
        $values[deHash($key, $spinner)] = $value;
      }
    }
?>

A 'deHash' example:
<?php

    # You have to define deHash based on your hash but it 
    # would look something like this:
    var $_rainbowTable = array();
    var $_expectedKeys = array();

    function deHash($hashedkey, $spinner)
    {
        $rt = $this->getRainbowTable($spinner);

        return isset($rt[$hashedKey])
          ? $rt[$hashedKey])
          : NULL;
    }

    function getRainbowTable($spinner)
    { 
        if (count($this->_rainbowTable) > 0)
            return $this->_rainbowTable;

        foreach ($this->_expectedKeys as $key)
        {
            $this->_rainbowTable[hash($key, $spinner)] == $key;
        }

        return $this->_rainbowTable;
    }
  ?>

Ultimately though I don't see how this stops bots submitting your page - it just stops people's "email/user/pass" remember browser plugin from working.

Graphain  2010-07-13 04:49:13
You're missing the point of "hash function" if you refer to reversing one. I think you mean encryption / decryption.
Slartibartfast  2010-07-13 05:00:28
I'm using reversible in the same sense you are when you say the key can be worked out from the hash function. deHash would use a rainbow table generated from the hash of your spinner and the expected field names and then use your hashedkey as a lookup in that table to return the actual key, or a null otherwise.
Graphain  2010-07-13 05:16:53
See my updated example. I corrected the terminology because I got the impression you meant encyrption/decryption since you talked about reversing.
Graphain  2010-07-13 05:21:43

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases