Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Response when requested by the Original code - PHP

Tags:

security

php

As proposed by Stopping Bot [SO] - PHP i've developed a anti-bot system in PHP which code can be viewed at https://codereview.stackexchange.com/questions/2362/anti-bot-comment-system-php

But anyone can obtain a token by viewing getToken.php
In SO they get the token from stackauth.com [i think so by viewing page code], but when i browsed it it just showed some text !
How can i do something like that ? [token to be passed only when requested by the code, not by the browser]

The process of generating and verifying token
in the form page

$hash=sha1($time.$myKey);
echo $time.'#'.$hash;

In the poster/verification page

$token=explode($_POST['token'],'#',2);
if (sha1($token[0].$myKey)==$token[1])
 echo 'A good Human';  

Edit
I do not store used token in the database, and a token get expired after [say] 5 minutes !
Think a bad user gets the token 2011-05-18 11:10:12#AhAShKey000000000 he can use the token to submit random text to 2011-05-18 11:15:12, how can i fix this issue ?

like image 696
Sourav Avatar asked May 12 '11 03:05

Sourav


2 Answers

Not totally sure this is the answer you're after, but...

Load the token statically in the page, instead of with Ajax. Then you know that the form page was loaded for sure.

like image 112
Jonah Avatar answered Sep 30 '22 13:09

Jonah


You can use ftok(__FILE__,'T'); - and token will be unique on each system.
Instead of T you can use any letter, read Manual.

As example, in your getToken.php you can replace:
$hash=sha1($key.'mySecretKey');
with
$hash=sha1($key.ftok(__FILE__,'T'));

This function exists only in linux/unix-based systems.

like image 24
OZ_ Avatar answered Sep 30 '22 13:09

OZ_