If you can be sure that the GET/POST/COOKIE values a script receives have not been modified by the user, you can avoid much of the overhead of re-validating them on every request. These functions provide a way to verify that GET/POST/COOKIE values set by the PHP programmer (for example hidden form fields or link parameters) have not been modified by the user: a digest keyed with a server-side secret is attached when the values are emitted and checked when they come back. Note that this guarantees only integrity, not secrecy — the values themselves remain visible to the user.
<?php
/*
File: /security/check_input.php
Author: yohgaki@ohgaki.net
Version: 0.3
These functions are used to protect programmer-defined
values (hidden form fields, link parameters, cookies) from
being modified by the user: a digest keyed with a secret
(MAGIC) is attached when the values are emitted and verified
when they come back. The user cannot forge the digest for the
same reason CHAP and HTTP Digest Auth are secure: the secret
never leaves the server. This guarantees integrity only, not
secrecy - the values themselves stay visible to the user.
This version not only checks consistency but also lets the
caller choose which keys are protected ($values_protected)
and what the digest is bound to - script, user and/or session
(see $magic_life and magic()).
*/
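/** Name of the GET/POST/COOKIE parameter that carries the digest. */
if (!defined('HASH_NAME')) {
    define('HASH_NAME', 'm');
}
/**
 * Secret used to key the digest. _KEEP THIS SECRET_: anyone who learns it
 * can forge a valid digest for any values. The value below is only a
 * placeholder; replace it with a long random string (e.g. 32 random bytes,
 * hex encoded) or, better, define('MAGIC', ...) in a config file kept
 * outside the web root before including this file - the defined() guard
 * makes that override take precedence without editing this library.
 */
if (!defined('MAGIC')) {
    define('MAGIC', 'Some text cannot be guessed');
}
/*
 * Bit flags passed as $magic_life to init_hash()/check_hash()/magic().
 * They may be OR-ed together; each one mixes more request context into the
 * secret so that a digest made for one script/user/session does not verify
 * in another (see magic() for what each flag appends).
 */
/** Magic life any: digest depends on MAGIC only */
define('MAGIC_LIFE_ANY', 0);
/** Magic life script: also bound to the current script (PHP_SELF) */
define('MAGIC_LIFE_SCRIPT', 1);
/** Magic life user: also bound to the logged-in user's id */
define('MAGIC_LIFE_USER', 2);
/** Magic life session: also bound to the session id */
define('MAGIC_LIFE_SESSION', 4);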
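// {{{ check_input_canonical()
/**
 * Canonical form of one value, as it will look after a round trip through
 * a URL or form: null/false become "", other scalars become strings
 * (true => "1") and arrays are converted element by element. This lets
 * init_hash() on programmer-supplied ints/bools still match the strings
 * PHP hands back in $_GET/$_POST/$_COOKIE.
 *
 * @param mixed $value scalar, null or (nested) array of those
 * @return string|array
 */
function check_input_canonical($value)
{
    if (is_array($value)) {
        $canonical = array();
        foreach ($value as $key => $item) {
            $canonical[$key] = check_input_canonical($item);
        }
        return $canonical;
    }
    if ($value === null || $value === false) {
        return '';
    }
    return (string) $value;
}
// }}}
// {{{ check_input_digest()
/**
 * Compute the keyed digest over the selected key/value pairs of $values.
 *
 * Shared by init_hash() and check_hash() so that both sides always sign
 * exactly the same bytes. Every key and value is serialize()d (a
 * length-prefixed, self-delimiting encoding) and a key listed in
 * $values_protected but absent from $values is encoded as "-", so no two
 * distinct key/value sets map to the same input. The bare key.value
 * concatenation used before let "a=bc" and "ab=c" share a digest, which a
 * user could exploit to move bytes between parameters without invalidating
 * the hash. The digest is HMAC-SHA256 keyed with magic(); the previous
 * md5(data . secret) is not a proper MAC and inherits MD5's weaknesses.
 *
 * @param array      $values           array(key=>value), e.g. $_GET
 * @param array|null $values_protected keys to cover; empty/null = every key
 *                                     (then adding or removing any parameter
 *                                     also invalidates the digest)
 * @param int        $magic_life       See magic().
 * @return string lowercase hex digest (64 chars)
 */
function check_input_digest($values, $values_protected, $magic_life)
{
    $keys = $values_protected ? $values_protected : array_keys($values);
    $encoded = '';
    foreach ($keys as $key) {
        if ($key === HASH_NAME) {
            continue; // the digest is never part of its own input
        }
        $encoded .= serialize((string) $key);
        if (array_key_exists($key, $values)) {
            $encoded .= serialize(check_input_canonical($values[$key]));
        } else {
            $encoded .= '-'; // absent, distinct from present-but-empty
        }
    }
    return hash_hmac('sha256', $encoded, magic($magic_life));
}
// }}}
// {{{ init_hash()
/**
 * Init hash - add digest key=>value pair to $values.
 *
 * Call this on the programmer-defined values before emitting them (hidden
 * fields, link parameters, cookies); the returned array carries the digest
 * under HASH_NAME. Keys not listed in $values_protected are NOT covered and
 * may be changed by the user without detection.
 *
 * @param array      $values           array(key=>value)
 * @param array|null $values_protected keys to protect; empty/null = all keys
 * @param int        $magic_life       See magic().
 * @return array $values plus the HASH_NAME entry
 */
function init_hash($values, $values_protected = null, $magic_life = MAGIC_LIFE_ANY)
{
    assert(is_array($values));
    $values[HASH_NAME] = check_input_digest($values, $values_protected, $magic_life);
    return $values;
}
// }}}
// {{{ check_hash()
/**
 * Check that the digest carried in $values[HASH_NAME] matches $values.
 *
 * $values_protected and $magic_life must be the same as those passed to
 * init_hash(). Requires PHP >= 5.6 for hash_equals().
 *
 * @param array      $values           array(key=>value), e.g. $_GET
 * @param array|null $values_protected keys that were protected; empty/null = all
 * @param int        $magic_life       See magic().
 * @return bool TRUE for ok, FALSE for NG (missing, malformed or wrong digest)
 */
function check_hash($values, $values_protected = null, $magic_life = MAGIC_LIFE_ANY)
{
    // This side sees user input, so do not rely on assert() (it may be
    // disabled in production): reject anything that is not an array holding
    // a string digest (a[m][]=x would make the digest an array).
    if (!is_array($values) || !isset($values[HASH_NAME]) || !is_string($values[HASH_NAME])) {
        return false;
    }
    $expected = check_input_digest($values, $values_protected, $magic_life);
    // Constant-time compare so the check leaks nothing about the expected
    // digest through timing; known value first, user input second.
    return hash_equals($expected, $values[HASH_NAME]);
}
// }}}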
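// {{{ magic()
/**
 * Get the secret string appropriate for the requested binding.
 * Used as the digest key by init_hash()/check_hash(): the more request
 * context is mixed in, the narrower the set of requests a digest verifies in.
 *
 * @param integer $life OR-ed MAGIC_* flags (see constants at top of file)
 * @return string Magic string
 */
function magic($life = MAGIC_LIFE_ANY)
{
    assert(is_int($life));
    $magic = MAGIC; // static secret, always included
    if ($life & MAGIC_LIFE_SESSION) {
        // session_id() is '' when no session has been started; the flag
        // then adds no binding at all, so start the session first.
        $magic .= session_id();
    }
    if (($life & MAGIC_LIFE_USER) && isset($_SESSION['auth']) && is_object($_SESSION['auth'])) {
        // Assumes the application keeps its auth object in $_SESSION['auth']
        // with an st_uid property. When it is absent (anonymous request) the
        // digest is silently NOT bound to a user; isset() only avoids the
        // notice the bare lookup raised, it does not change that outcome.
        $magic .= $_SESSION['auth']->st_uid;
    }
    if ($life & MAGIC_LIFE_SCRIPT) {
        // PHP_SELF may be unset outside a web request (e.g. CLI).
        $magic .= isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
    }
    return $magic;
}
// }}}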
?>