When a multi-step workflow passes values from one page to the next through the browser, you need some assurance that those values come back unchanged: anything the client can see, the client can also edit.
Before I go any further, I should point out that far more than this is needed to be anywhere near fully secure, but it is a relatively quick win for the average process.
Make a new file called:
config.inc.php
In this file, place the following:
<?php
/**
 * Your secret (you don't need to remember it, as it's saved here!).
 * Generate it rather than typing it, e.g. php -r 'echo bin2hex(random_bytes(32));'
 * Keep this file outside the web root (or make sure the server never serves it as text):
 * anyone who reads the secret can forge every hash in this tutorial.
 */
$my_top_secret_code="DUGhXbtnOtyzltyC60g6hEUP7dzm8XQgElK6Jip4KfeRMPQ23vi3QQJJAeyjnq5";
// No closing ?> tag: in a pure-PHP file it only invites stray whitespace into the output
Feel free to change the secret, but generate it with a proper random source rather than typing one; you never need to know it off the top of your head. In fact, I would argue that any password you can remember (other than your KeePass password) is far too weak!
Next, create the following in a new file (index.php if you're working in a new directory):
<?php
// require, not include: if config.inc.php is missing, include only warns and the
// script carries on hashing with an empty secret, which anyone can reproduce
require "config.inc.php";
$basket_total = "3.73";
$basket_number_of_items = "4";
// The values the next page needs, followed by the secret: only someone who
// knows the secret can produce a hash that matches a given pair of values
$hash = $basket_total . $basket_number_of_items . $my_top_secret_code;
$final_hash = sha1($hash);
?>
<form action="check.php" method="POST">
Total Basket Price: <input type="text" name="price" value="<?php echo htmlspecialchars($basket_total); ?>" /><br />
Number of items: <input type="text" name="number" value="<?php echo htmlspecialchars($basket_number_of_items); ?>" /><br />
<!-- the hash travels with the form but there is no reason to display it; a hidden field is still submitted -->
<input type="hidden" name="hash" value="<?php echo $final_hash; ?>" />
<input type="submit" value="Checkout" />
</form>
What we've done here is concatenate the two values the next page needs with our 'top secret' code, which lives in a static file the client never sees, and then SHA-1 hash the result. The user can see the values and the hash, but without the secret they cannot produce a valid hash for different values.
SHA-1 is a 160-bit hash function, structurally similar to the earlier MD5, designed by the National Security Agency (NSA) and published by NIST as part of the Digital Signature Standard (source: http://en.wikipedia.org/wiki/Secure_Hash_Algorithm).
Three caveats a practitioner should know before copying this. First, SHA-1 is deprecated: practical collisions were published in 2017, so prefer SHA-256 for anything new. Second, hashing the data with the secret simply appended is not how a keyed check should be built; its strength rests on the hash's collision resistance, which SHA-1 no longer has. PHP's hash_hmac('sha256', $data, $secret) gives you a proper HMAC in one call. Third, the plain concatenation is ambiguous: a total of 3.73 with 4 items and a total of 3.7 with 34 items both become the string "3.734" and therefore the same hash, so put a separator between the fields (or encode them as JSON) before hashing.
This hash, along with the two values, is sent via the form to the next page.
Finally, create a file called check.php
In this file, place the following:
<?php
require "config.inc.php";   // require, not include: a missing secret must be fatal, not a warning
$basket_total = $_POST['price'] ?? '';
$basket_number_of_items = $_POST['number'] ?? '';
$posted_hash = $_POST['hash'] ?? '';
// Rebuild the hash exactly the way index.php built it
$new_hash = $basket_total . $basket_number_of_items . $my_top_secret_code;
$final_hash = sha1($new_hash);
// hash_equals() compares in constant time (a plain != leaks how many leading bytes matched
// through timing, and is a loose comparison). The is_string() guard rejects a hash[]= array
// instead of letting hash_equals() error on it.
if (!is_string($posted_hash) || !hash_equals($final_hash, $posted_hash)) {
    /**
     * !!!!! HASH CHECK FAILED !!!!!
     */
     echo "Failed!";
     die();
}
else {
    /**
     * A MORE GENUINE CUSTOMER :-)
     */
     echo "Welcome!!";
}
?>
Here we rebuild the hash from the submitted values and compare it with the hash the first page sent. If either value was edited in transit, the hashes no longer match.
Depending on how it is used, this is sufficient to stop quite a few 'form spammers' from skipping or tampering with steps in a series of form pages. Be clear about what it does not do: it protects only the fields you fold into the hash, and it does not stop someone replaying an old, validly signed set of values. For something as sensitive as a price, the safer design is to keep it server-side (in the session or the database) and never round-trip it through the client at all.
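The hardened version of the scheme above, as an added example that is not part of the original tutorial: an HMAC-SHA-256 tag over a canonical encoding of the fields, verified with hash_equals(). It also demonstrates the ambiguity in the original concatenation (3.73/4 versus 3.7/34) and shows that the canonical form keeps those apart. It assumes PHP 7.4 or newer (hash_hmac, hash_equals, random_bytes, arrow functions); the names canonical, sign_fields, verify_fields and check are hypothetical, and the secret is generated fresh for the demo rather than read from config.inc.php.

```php
<?php
// Added example, not part of the original tutorial. Assumes PHP 7.4 or newer
// (hash_hmac, hash_equals, random_bytes, arrow functions). The function names
// canonical/sign_fields/verify_fields/check are hypothetical.
declare(strict_types=1);

/**
 * Canonical encoding of the fields to protect: sorted keys, JSON. Unlike the
 * bare concatenation in index.php, price "3.73" with "4" items and price "3.7"
 * with "34" items now produce different strings and therefore different tags.
 */
function canonical(array $fields): string
{
    ksort($fields);
    return json_encode($fields, JSON_THROW_ON_ERROR);
}

/** Keyed tag over the canonical form: HMAC-SHA-256, not sha1(data . secret). */
function sign_fields(array $fields, string $secret): string
{
    return hash_hmac('sha256', canonical($fields), $secret);
}

/**
 * Verify a submitted tag. The is_string() guard rejects a "hash[]=" array from
 * $_POST; hash_equals() compares in constant time, so response timing does not
 * reveal how many leading bytes of a guessed tag were correct.
 */
function verify_fields(array $fields, $posted_tag, string $secret): bool
{
    if (!is_string($posted_tag)) {
        return false;
    }
    return hash_equals(sign_fields($fields, $secret), $posted_tag);
}

/** Small check helper so the demo fails loudly regardless of the zend.assertions setting. */
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// ---- demonstration, run from the command line: php hmac_check.php ----
$secret = bin2hex(random_bytes(32));   // how the config.inc.php value should be generated

// 1. Ambiguity in the original scheme: two different baskets, one sha1 value.
$legacy = fn(string $price, string $n): string => sha1($price . $n . $secret);
check($legacy('3.73', '4') === $legacy('3.7', '34'), 'legacy hash collides for 3.73/4 vs 3.7/34');

// 2. The canonical scheme keeps the two baskets apart.
$basket      = ['price' => '3.73', 'number' => '4'];
$otherBasket = ['price' => '3.7',  'number' => '34'];
check(sign_fields($basket, $secret) !== sign_fields($otherBasket, $secret), 'HMAC tags differ');

// 3. Honest round-trip verifies; an edited price, an unkeyed forgery and a non-string tag do not.
$tag = sign_fields($basket, $secret);
check(verify_fields($basket, $tag, $secret), 'genuine submission accepted');
check(!verify_fields(['price' => '0.01', 'number' => '4'], $tag, $secret), 'edited price rejected');
check(!verify_fields($basket, sha1(canonical($basket)), $secret), 'unkeyed forgery rejected');
check(!verify_fields($basket, ['x'], $secret), 'array instead of string rejected');
```

To use it in the tutorial's flow, index.php calls sign_fields() on the same array of values it echoes into the form and puts the result in the hidden field, and check.php rebuilds that array from $_POST and calls verify_fields() with the secret from config.inc.php. The replay caveat still applies: a signed set of values stays valid until you rotate the secret, so include something request-specific (a session id or a nonce you track server-side) in the signed fields if replay matters for your workflow.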
I feel like I'll go crazy if I say this again to anyone, but VALIDATE ANY USER-SUPPLIED DATA! I can't stress that enough. You need to love your data validation; it's when you skip it that disaster strikes. A matching hash tells you the values weren't tampered with since you sent them; it says nothing about whether they are sane.
Get in the habit before it's too late!
