Views: 269 | Replies: 3 | Solved
Dsiembab

another question about securing and passing variables

  #1  
Mar 27th, 2008
Good afternoon,
Quick question. This may not make any sense, but it is a thought. I was thinking, like I usually like to do: when you pass variables over a browser, would it be crazy to md5 hash and salt the variable ids and keep them in a db table, and md5 hash the equal sign too? What I mean is, instead of
http://www.mywebsite.com/authenticate.php?user=username&pass=password
you could get something like this
http://www.mywebsite.com/authenticate.php?151f151f15615f16054f6515165fv16ds1g1s1f6s151g151681f5d16
Before this is implemented, though, you could make the "=" sign equal to an alphanumeric like k3 or something, and md5 pass and user with a salt, and add an array to the subsequent hash, like putting a set of letters or numbers in the string at certain positions. Therefore you would have the original hash of dgdf5fd54f6dg654dfg1f1d8fd1fd1g68df11fd1fd1618e161g61fd61d651d6f16df1f, but let's say at a certain amount of digits you put your broken-up array, like at the third digit you put a 2 or an f and at the fifth you put a 6. Depending on how many equal signs you have, you could subtract the equal signs from 32 and add that many digits to the incoming variable, so if anyone tries to break your variable by dividing it by 32 digits they would not be able to come up with a formula. So for every id and value you would have 32 digits plus the (equal variable - 32=variable)variable, which would make an ugly get or post. On the input side you would have the encryption and on the logic side the decryption.
  • the user goes to your website
  • enters the authentication method, i.e. username and password
  • the PHP takes the username and password, takes the URL that is going to be sent, and finds the ids and the values
  • md5's the ids, the username and the passwords with the salt
  • puts in the PHP-defined salt array minus the equal signs, which is an alphanumeric two-digit value
  • this gets sent over to the authenticate PHP
  • the PHP desalts the post or get
  • passes the variables to the database
  • decides if OK or otherwise
I don't know, does this make any sense? I'm just thinking about it. You can thank Live HTTP Headers for this thought.
Suomedia

Re: another question about securing and passing variables

  #2  
Mar 27th, 2008
Instead of using $_GET variables use $_POST. Any such transaction should be over a secure SSL connection. I don't see any reason to be passing username and password at all other than a login page. Once logged in, you should be using $user_id which would be registered in $_SESSION or $_COOKIE.


Matti Ressler
Suomedia
If you want your dreams to come true, the first thing you must do is to wake up....
Suomedia - Dynamic Content Management
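A sketch of the login flow reply #2 describes (POST only, TLS required, only the user id kept in the session), as an added example that is not code from the thread. The `handle_login()` function, the `$users` array and the sample requests are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed user store (username => id + hash); a real application would query its database.
$users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];

// Hypothetical handler. $server and $post stand in for $_SERVER and $_POST; $session stands in
// for $_SESSION and is passed by reference so the logic can be exercised from the CLI.
function handle_login(array $server, array $post, array $users, array &$session): array
{
    // Refuse anything that did not arrive over TLS ($_SERVER['HTTPS'] is empty or "off" on plain HTTP).
    $https = strtolower((string)($server['HTTPS'] ?? ''));
    if ($https === '' || $https === 'off') {
        return [403, 'HTTPS required'];
    }
    // Credentials belong in the POST body, not in a query string that lands in logs and history.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, 'POST required'];
    }
    // Reject non-string input such as user[]=x instead of casting it.
    $user = is_string($post['user'] ?? null) ? $post['user'] : '';
    $pass = is_string($post['pass'] ?? null) ? $post['pass'] : '';
    $row  = $users[$user] ?? null;
    if ($row === null || !password_verify($pass, $row['hash'])) {
        return [401, 'Invalid credentials'];
    }
    // After login only the user id is kept server-side; the password is never sent again.
    // In a web request, call session_regenerate_id(true) here and set the session cookie
    // with the Secure and HttpOnly flags.
    $session['user_id'] = $row['id'];
    return [200, 'Logged in'];
}

// Constructed requests: two that must be refused and one that succeeds.
$session = [];
$login = ['user' => 'alice', 'pass' => 'correct horse'];
$cases = [
    'GET over HTTP'   => [['REQUEST_METHOD' => 'GET'], []],
    'POST over HTTP'  => [['REQUEST_METHOD' => 'POST'], $login],
    'POST over HTTPS' => [['REQUEST_METHOD' => 'POST', 'HTTPS' => 'on'], $login],
];
foreach ($cases as $label => [$server, $post]) {
    [$status, $message] = handle_login($server, $post, $users, $session);
    printf("%-16s %d %s\n", $label, $status, $message);
}
printf("session user_id: %s\n", var_export($session['user_id'] ?? null, true));
```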
Dsiembab

Re: another question about securing and passing variables

  #3  
Mar 28th, 2008
Thanks for the reply. I should have asked: is there a way to still keep your variables secure without SSL? Or OpenSSL? More of a way to encrypt passing variables with a homemade formula, kind of like an md5 of time (to the 10 minute mark) that is salted in the encrypted variable? With the page of decryption above the web root? Of course with the equal sign keyed to an array that was based on the time of the query.
Last edited by Dsiembab : Mar 28th, 2008 at 3:46 am.
Suomedia

Re: another question about securing and passing variables

  #4  
Mar 28th, 2008
No, it's not possible without SSL, since the communication between the user's browser and the web server can be intercepted. SSL is very cheap these days, with most hosts providing a free shared cert if your budget is really tight.


Matti Ressler
Suomedia
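A simplified model of the scheme from posts #1 and #3 (salted MD5 plus a 10-minute time bucket), added here as an example and not part of the original thread, showing why interception defeats it: the string on the wire is itself the credential. `make_token()`, `server_accepts()`, the salt, the account and the timestamp are all constructed assumptions.

```php
<?php
declare(strict_types=1);

// The salt has to be shipped to the browser for hashing to happen before the wire,
// so it cannot be treated as a secret.
const SALT = 'constructed-salt';

// Sending side: salted MD5 of each value, with the password hash keyed to a 10-minute bucket.
function make_token(string $user, string $pass, int $now): string
{
    $bucket = intdiv($now, 600);
    return md5(SALT . $user) . md5(SALT . $pass . $bucket);
}

// Receiving side: recompute the token for each account and compare.
// To do this the server must hold the password in recoverable form, a weakness of its own.
function server_accepts(string $token, array $accounts, int $now): bool
{
    foreach ($accounts as $user => $pass) {
        if (hash_equals(make_token($user, $pass, $now), $token)) {
            return true;
        }
    }
    return false;
}

$accounts = ['alice' => 'correct horse'];   // constructed account
$t0 = 1206633600;                           // constructed timestamp at the start of a bucket

// What anyone listening on a plain-HTTP connection sees.
$onWire = make_token('alice', 'correct horse', $t0);

// Resending the observed string is accepted without knowing the password or the "formula".
$replaySameWindow = server_accepts($onWire, $accounts, $t0 + 300);
// The time bucket only shortens the window; it does not stop the replay inside it.
$replayNextWindow = server_accepts($onWire, $accounts, $t0 + 600);

printf("token on the wire:        %s\n", $onWire);
printf("replay in same window:    %s\n", var_export($replaySameWindow, true));
printf("replay in next window:    %s\n", var_export($replayNextWindow, true));
```

However the token is rearranged or padded, the receiving side accepts whatever the sender transmitted, so only an encrypted channel keeps it from being captured and reused.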