From: Kalyan Varma (kalyan_at_yahoo-inc.com)
Date: Thu Jul 11 2002 - 12:42:08 CDT
Ok, I won't talk about the GET vs POST part here. That has already been
here's how you can send parameters without them getting messed with by people
in the middle.
1. Encryption: We could always use encryption. Encrypt on one end and
decrypt on the other end. But there are too many issues with that, and it could have performance
2. Hashing: Here's how you can use the good old MD5 for the job.
Let's say you are sending key1=value1&key2=value2
Now just sign this using MD5 (it's MD5(DATA+SECRET)). So basically do
something like this: sk=md5(value1+value2+secret)
Now send sk along with the rest of the data ->
On the other end, take the values, add the secret, MD5 it and then
compare. That way no one can tamper with the parameters.
I hope I've answered your question. :)
On Wed, 10 Jul 2002, Kevin Spett wrote:
> I'm unclear as to how hashing helps. If you're talking about taking the
> user input and hashing it and sending it just like that, it makes no sense
> because no one can read the hashed data unless they know what the data was
> in the first place. If you're talking about adding an unencrypted hash of
> the data (you say "encrypting or hashing") to the request to sign it in
> order to verify authenticity, it's ineffective because anyone can hash
> whatever information they want. In either case, signing the data does not
> protect against it being viewed, it merely ensures the identity of the
> sender. Finally, applications should assume that crackers /have/ messed
> with parameter values and use thorough data sanitization and even then
> client-supplied values need to be treated with caution.
> Kevin Spett
> SPI Dynamics, Inc.
> > You could basically pass parameters by encrypting or hashing the
> > parameters and then either sending them via the URL, or in form of
> > This way the cracker can't mess with the variables.
> > Hidden form variables etc only stop script kiddies :)
> > - kalyan
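The following is an added worked example, not code from either poster. It first implements the sk=md5(value1+value2+secret) construction exactly as the reply above describes it, then shows the one property a practitioner must check before relying on it: with the values simply concatenated and the key names left out, two different parameter sets ("value1","value2" and "value","1value2") hash to the same sk, so the receiver cannot tell them apart. The second half swaps in a different technique, an HMAC-SHA256 over a canonical, percent-encoded query string (keys included, sorted), verified with a constant-time comparison; that change is this example's, not the poster's. The secret value, parameter names and function names are assumptions for illustration, and the scheme only does what the thread wants if the secret stays on the server and is never sent to the client.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Hypothetical shared secret for the example. In a real deployment it lives in
# server-side configuration and is never sent to the browser.
SECRET = b"example-shared-secret"


def sign_as_described(values, secret=SECRET):
    """MD5(value1 + value2 + ... + secret), the construction from the message."""
    data = "".join(values).encode() + secret
    return hashlib.md5(data).hexdigest()


def verify_as_described(values, sk, secret=SECRET):
    """Receiver side of the same scheme: recompute and compare in constant time."""
    return hmac.compare_digest(sign_as_described(values, secret), sk)


def concat_ambiguity(secret=SECRET):
    """Bare concatenation has no value boundaries: both parameter sets below
    hash the string 'value1value2' + secret, so they share the same sk."""
    a = sign_as_described(["value1", "value2"], secret)
    b = sign_as_described(["value", "1value2"], secret)
    return a == b  # True


def canonical_query(params):
    """Deterministic encoding (sorted keys, percent-encoded) so sender and
    receiver hash byte-for-byte the same string, with key names included."""
    return urlencode(sorted(params.items()))


def sign_params(params, secret=SECRET):
    """HMAC-SHA256 over the canonical query instead of hash(data + secret)."""
    return hmac.new(secret, canonical_query(params).encode(), hashlib.sha256).hexdigest()


def build_signed_query(params, secret=SECRET):
    """What the server emits into a link or hidden form field: data plus sk."""
    return canonical_query(params) + "&sk=" + sign_params(params, secret)


def verify_signed_query(query, secret=SECRET):
    """Receiver side: split off sk, recompute over the remaining parameters,
    compare in constant time. Returns the parameters, or None on any mismatch
    (including a missing sk), so the caller never sees unverified values."""
    sk = None
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "sk":
            sk = value
        else:
            params[key] = value
    if sk is None:
        return None
    if not hmac.compare_digest(sign_params(params, secret), sk):
        return None
    return params


if __name__ == "__main__":
    print("md5 scheme collides on shifted boundaries:", concat_ambiguity())
    q = build_signed_query({"key1": "value1", "key2": "value2"})
    print("signed query:", q)
    print("verify intact:", verify_signed_query(q))
    print("verify tampered:", verify_signed_query(q.replace("value2", "value3")))
```

Verification returns None rather than raising, and returns the parameters only after the HMAC check passes, so the calling code has one path that yields untrusted input and no way to use the values before checking. Even when a parameter set verifies, it still came from the client, so the sanitisation Kevin Spett describes still applies to every value.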