How to obscure a GET variable?

I am playing with the idea of creating automatic electronic certificates. It is very easy to create your own certificates using the fpdf class of PHP. The way I have it configured is that, given the URL

http://www.example.com/makepdf.php?name=myname&class=classname

you get a PDF certificate with the student’s name and the class they took from the $_GET variable. Of course, this means that anyone can manipulate the URL to create their own certificate very easily. (They can do it in Photoshop anyway, but the idea is to make certificate manipulation not entirely trivial.) Once the class is finished, I want to email the merge to everyone with a unique URL for their certificate.

How do you approach this problem? Should I just create a set of random numbers and link them to student / workshop pairs in the database? Are there standard solutions to this problem?

+3
5 answers

A couple of solutions stand out:

  • Store names and classes in the database and refer to them with a numerical identifier instead of passing data in the query
  • Keep the information in the request, but add a secure hash that will prevent unauthorized use of data.

The hash mechanism would be something like this:

$name $class. GET, $name, $class , . - :

$salt = "this is my secret";
$hash = md5($name . $class . $salt);
$url = "http://www.mysite.com/certificate.php?name=" . urlencode($name) . "&class=" . urlencode($class) . "&hash=" . $hash;

, , :

$salt = "this is my secret";
$expected = md5($_GET['name'] . $_GET['class'] . $salt);
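// hash_equals() compares in constant time and, unlike !=, never type-juggles the two strings
if (!hash_equals($expected, (string) ($_GET['hash'] ?? ''))) {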
  die("You are not authorized");
} else {
  // User is OK; generate the certificate
}
+6
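
A hardened variant of the signed-URL approach above, as an added example that is not part of the original answer. It swaps `md5($name . $class . $salt)` for HMAC-SHA256 over an unambiguous encoding of the fields; `SECRET_KEY`, the `sig` parameter name and the helper function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original answers.
// Assumption: the key comes from configuration and is never committed; this value is a placeholder.
const SECRET_KEY = 'replace-with-output-of-random_bytes(32)';

// Encode the signed fields so that each value is percent-encoded and delimited.
// Plain concatenation cannot tell name=Tim/class=PHP from name=TimP/class=HP.
function certificate_payload(string $name, string $class): string
{
    return http_build_query(['name' => $name, 'class' => $class], '', '&', PHP_QUERY_RFC3986);
}

function sign_certificate_url(string $base, string $name, string $class): string
{
    $payload = certificate_payload($name, $class);
    return $base . '?' . $payload . '&sig=' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// $query is the parsed query string, for example $_GET.
function verify_certificate_request(array $query): bool
{
    foreach (['name', 'class', 'sig'] as $field) {
        // Reject missing fields and array-valued parameters such as ?sig[]=x
        if (!isset($query[$field]) || !is_string($query[$field])) {
            return false;
        }
    }
    $expected = hash_hmac('sha256', certificate_payload($query['name'], $query['class']), SECRET_KEY);
    return hash_equals($expected, $query['sig']); // constant-time comparison
}

// Constructed demo input
$url = sign_certificate_url('http://www.example.com/makepdf.php', 'Tim', 'PHP');
parse_str(parse_url($url, PHP_URL_QUERY), $query);
var_dump(verify_certificate_request($query));      // link exactly as issued

$tampered = $query;
$tampered['class'] = 'Advanced PHP';               // class changed, signature kept
var_dump(verify_certificate_request($tampered));

$shifted = $query;
$shifted['name'] = 'TimP';                         // same letters, moved field boundary
$shifted['class'] = 'HP';
var_dump(verify_certificate_request($shifted));
```

Only the link exactly as issued verifies; both modified requests are rejected, including the one whose fields concatenate to the same string as the original.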

, , , , , .

, , script, , , PHP .

0

/ (- ) . , , .

, - MD5 , URL. , , URL-.

http://www.example.com/makepdf.php?name=Tim&class=PHP&hash=c2c455ce438112b44499561131321126

script :

$hash = md5($_GET['name'] . $_GET['class'] . $salt);
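// hash_equals() compares in constant time and, unlike !=, never type-juggles the two strings
if (!hash_equals($hash, (string) ($_GET['hash'] ?? ''))) {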
  //invalid request
}

, URL .

0

, URL- , :

$hash_string = "myname:classname";

, :

$query_string .= "&h=" . md5("my_secret_key:" . $hash_string);

, , , :

$hash_string = $_GET['name'] . ':' . $_GET['class'];
if (hash_equals(md5("my_secret_key:" . $hash_string), (string) ($_GET['h'] ?? ''))) ...

PHP-, .

0

Should I just create a set of random numbers and link them to student / workshop pairs in the database?

Yes.

-1

Source: https://habr.com/ru/post/1764073/