I have a classifieds website, and a partner of ours (who runs another classifieds website) needs to have access to a file on our server.

The file is called 'partner.php'.

This file simply prints out some information about the classifieds on our site.

So for our partners, they would just need to access "www.domain.com/partner.php?id=1234" to have access to that information.

I am planning to add a hash to the URL, so that outsiders don't have access to the file. But I don't know how to do this...

Is there anybody who could point me in the right direction?

I have been told on the phone that I can use a "32 length MD5 string and add it to the URL", but I really have no clue how to start, or what they meant by this?

Anybody know what they mean?

Examples are appreciated.

Thanks

+3  A: 

> I am planning to add a hash to the URL, so that outsiders don't have access to the file. But I don't know how to do this...

Don't do it this way. A hash is fine for one-time links like E-Mail confirmation, but not for sensitive info. The hash will be present in the user's history, cache and in Proxy protocols; it can be shared accidentally.

You need to look into building proper, login-based authentication.

Some starting points:

Pekka
Hello Pekka. I know this isn't the best method, but I need to know how it works. Could you please explain how the Hash method works?
Camran
@Camran simple: 1. [Generate a random hash](http://stackoverflow.com/questions/2293684/best-way-to-create-a-random-hash) 2. Store it in the classifieds record 3. When a user opens the page, fetch the record that matches the given hash.
Pekka
@Pekka, storing a hash into the database would mean I would have to add another column which I can't currently. Too much work. I think my partner meant something else...
Camran
@Camran you can generate an MD5 value out of the classified's ID but that is not really secure... An MD5 value combining the classified's ID and another more "random" value like the client's name would be better, but then the client's name must not change. You could then `SELECT * FROM tablename WHERE MD5(CONCAT(id,clientname)) = "12345"` But using a truly random hash would be the best way to go.
Pekka
@Pekka: Btw, forgot to ask, so basically the reason why this hash method is unsafe is because it is delivered fully open in the URL, am I correct? Like domain.com/partner.php?key=555555. Then in the php file I check if the $_GET['key']==555555 ? I am confused now.
Camran
@Camran exactly.
Pekka
A: 

You could use HTTP Authentication, for example via .htaccess

Adding a hash to the URL means that you pass a GET-Parameter to the script and check it when the script starts. If the value is not the expected one, the script can simply die(); or throw some kind of error.

But I'd really NOT recommend the hash-thing, it's a bad idea.

Techpriester
Camran
+2  A: 

Or you can use both the Hash key and IP verification. If your partner is using just one computer/server to access your file, you can check the hash key and the user's IP address.

```php
$ip = $_SERVER['REMOTE_ADDR'];
```
infinity
Yes, but how is the hash key verification done? This is what I need to know... could you explain this please?
Camran
For example: `http://yoursite.ltd/file.php?pass=[Your Hash/Password here]` and in the script you can check if it matches; if not, just die/exit. It is like a pre-shared key that is known only by you and your partner.
infinity
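How the key-plus-IP check described in this answer can look at the top of partner.php, as an added example that is not part of the original thread. The key value, the IP address, the `key` parameter name and the function name `partner_request_allowed` are assumptions.

```php
<?php
// Added example: pre-shared key + IP check for partner.php.
// All names and values below are assumptions, not from the thread.

// Generate the key once and give it to the partner out of band, e.g.:
//   php -r 'echo bin2hex(random_bytes(16)), PHP_EOL;'
// That yields 32 hex characters (the shape of an MD5 string) but is random.
// Placeholder value; load the real one from a config file outside the web root.
const PARTNER_KEY = '00000000000000000000000000000000';

// Constructed sample address (documentation range); use the partner's server IP.
const PARTNER_IPS = ['203.0.113.10'];

function partner_request_allowed($key, string $ip, string $expectedKey, array $allowedIps): bool
{
    // ?key[]=x turns $_GET['key'] into an array; accept non-empty strings only.
    if (!is_string($key) || $key === '') {
        return false;
    }
    // Exact match on the address the web server saw for this connection.
    if (!in_array($ip, $allowedIps, true)) {
        return false;
    }
    // hash_equals() compares in constant time; == would also type-juggle
    // numeric-looking strings such as "0e1234" and "0e9999" into equality.
    return hash_equals($expectedKey, $key);
}

$ok = partner_request_allowed(
    $_GET['key'] ?? null,
    $_SERVER['REMOTE_ADDR'] ?? '',
    PARTNER_KEY,
    PARTNER_IPS
);
if (!$ok) {
    http_response_code(403);
    exit('Forbidden');
}

// Validate the classified id before it reaches any query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad id');
}

// ... print the classified with this $id, as partner.php already does ...
echo "classified {$id}\n";
```

If the site sits behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address rather than the partner's, so the allowlist has to be built on the address the proxy reports.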
+1  A: 

Is it possible to use a different approach?

Maybe you can use a .htaccess to only allow access to the file from certain IP addresses.

Check out this page on .htaccess. There is a section called "Restricting by IP Address".

thearchitect