OSEC

 
From: Kevin Spett (kspett_at_spidynamics.com)
Date: Wed Jul 10 2002 - 15:39:46 CDT


    I'm unclear as to how hashing helps. If you're talking about taking the
    user input and hashing it and sending it just like that, it makes no sense
    because no one can read the hashed data unless they know what the data was
    in the first place. If you're talking about adding an unencrypted hash of
    the data (you say "encrypting or hashing") to the request to sign it in
    order to verify authenticity, it's ineffective because anyone can hash
    whatever information they want. In either case, signing the data does not
    protect against it being viewed, it merely ensures the identity of the
    sender. Finally, applications should assume that crackers /have/ messed
    with parameter values and use thorough data sanitization and even then
    client-supplied values need to be treated with caution.

    Kevin Spett
    SPI Dynamics, Inc.
    http://www.spidynamics.com/

    > You could basically pass parameters by encrypting or hashing the
    > parameters and then either sending them via the URL, or in form of
    > cookies.
    > This way the cracker can't mess with the variables.
    >
    > Hidden form variables etc only stop script kiddies :)
    >
    > - kalyan
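As an added illustration of the exchange above (example code written for this archive page, not code from either poster), the following Python contrasts the quoted suggestion, an unkeyed hash appended to the request parameters, with a keyed hash (HMAC) under a secret that stays on the server. The keyed variant goes beyond what the post itself discusses and is included for contrast; the order parameters, the `sig` field name and the server key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

# Constructed for the example: a secret that only the server holds.
SERVER_KEY = secrets.token_bytes(32)


def canonical(params: dict) -> bytes:
    """Stable serialization of the parameters being protected."""
    return urlencode(sorted(params.items())).encode()


# --- Scheme 1: plain (unkeyed) hash appended as "sig" -----------------------

def sign_with_hash(params: dict) -> str:
    p = dict(params)
    p["sig"] = hashlib.sha256(canonical(params)).hexdigest()
    return urlencode(sorted(p.items()))


def verify_with_hash(query: str) -> bool:
    p = dict(parse_qsl(query))
    sig = p.pop("sig", None)
    return sig == hashlib.sha256(canonical(p)).hexdigest()


# --- Scheme 2: keyed hash (HMAC-SHA256) appended as "sig" -------------------

def sign_with_hmac(params: dict, key: bytes = SERVER_KEY) -> str:
    p = dict(params)
    p["sig"] = hmac.new(key, canonical(params), hashlib.sha256).hexdigest()
    return urlencode(sorted(p.items()))


def verify_with_hmac(query: str, key: bytes = SERVER_KEY) -> bool:
    p = dict(parse_qsl(query))
    sig = p.pop("sig", None)
    if sig is None:
        return False
    expected = hmac.new(key, canonical(p), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the digest.
    return hmac.compare_digest(sig, expected)


# --- Attacker side: modify a value, then try to re-sign -----------------------

def tamper(query: str, field: str, new_value: str) -> dict:
    """Parse a signed query string, drop the old sig, change one field."""
    p = dict(parse_qsl(query))
    p.pop("sig", None)
    p[field] = new_value
    return p


def attacker_forges_hash(query: str, field: str, new_value: str) -> str:
    # Anyone can recompute a plain hash over whatever they like.
    return sign_with_hash(tamper(query, field, new_value))


def attacker_forges_hmac(query: str, field: str, new_value: str) -> str:
    # Without SERVER_KEY the best the attacker can do is guess a key.
    return sign_with_hmac(tamper(query, field, new_value), key=b"guess")


def demo() -> dict:
    """Run both schemes against the same tampering attempt."""
    order = {"item": "widget", "price": "100"}  # constructed sample request

    hashed_url = sign_with_hash(order)
    forged_hash_url = attacker_forges_hash(hashed_url, "price", "1")

    hmac_url = sign_with_hmac(order)
    forged_hmac_url = attacker_forges_hmac(hmac_url, "price", "1")

    return {
        "hash_accepts_forgery": verify_with_hash(forged_hash_url),   # True
        "hmac_accepts_forgery": verify_with_hmac(forged_hmac_url),   # False
        "hmac_accepts_genuine": verify_with_hmac(hmac_url),          # True
        # Neither scheme hides anything: the price is still in the clear.
        "price_still_visible": dict(parse_qsl(hmac_url))["price"],   # "100"
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats the keyed variant does not remove: a valid signed string can still be replayed or chosen from among values the server previously signed, and the server must still validate every parameter it accepts, keyed signature or not.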