
Phoenix formsecurity

Revision as of 12:20, 27 June 2008 by Nathan.gervais.eclipse.org (Talk | contribs)


Form Security Class

Intro

The FormSecurity class was created as a generic way to add a random mathematical question to any page with a form, to try to prevent bots and scripts from automatically filling out the forms and flooding work channels, email and db systems. It does this by generating a question, computing the answer and storing the answer as a crypt hash for later comparison. On form submission it can compare the user's answer with the stored result; if they match you can be reasonably sure that the form was filled out by a person, or at least by a script that was written by someone who knew what they were doing.

Class description

The class contains the following functions:

  1. getStoredCrypt : Returns the value stored in the protected data space of the class. By default it contains the encrypted result of the question computation.
  2. setStoredCrypt : Sets the value for getStoredCrypt to return. Used internally within the class, but available outside.
  3. HardSecureQuestion : Generates a 'hard' random question consisting of 3 values and 2 mathematical operations (+/-) chosen randomly. Requires that you pass it a password (text string) to encrypt the result with. You can also specify the upper limit on the values used to generate the question; the limit defaults to 100 if not given. The return value is the question itself as a text string, so that it can be displayed.
  4. EasySecureQuestion : Generates an 'easy' random question consisting of 2 values and 1 mathematical operation (+/-) chosen randomly. Requires that you pass it a password (text string) to encrypt the result with. You can also specify the upper limit on the values used to generate the question; the limit defaults to 10 if not given. The return value is the question itself as a text string, so that it can be displayed.
  5. Crypt : Generates a binary-safe encrypted value. Requires the password and the data to encrypt. Returns a binary-safe version via base64_encode.
  6. DeCrypt : Recovers the original crypt() result from a binary-safe version. Essentially it backs out the packing done by the Crypt function. Used primarily within the class, but available outside.
  7. Verify : Given a user value, a password and a binary-safe Crypt() result, checks whether the supplied inputs match. It works by calling DeCrypt on the Crypt() result and then comparing that to the result of the system crypt() function as applied to the password and user value. The password here *must* match the password given to either HardSecureQuestion or EasySecureQuestion, or else the values will never match.
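The question/crypt/verify round trip that the class description lays out, as an added example that is not the Phoenix class's own code: a stand-alone Python re-implementation in which HMAC-SHA256 keyed with the password stands in for the PHP crypt() call, the function names are assumptions, and the hidden-field value is base64 so it is binary-safe as in the original.

```python
import base64
import hashlib
import hmac
import random
from typing import Optional, Tuple

# Constructed re-implementation of the scheme the page describes, not the Phoenix
# FormSecurity class itself; HMAC-SHA256 keyed with the password stands in for crypt().

def crypt_answer(password: str, value: str) -> str:
    """Binary-safe keyed digest of an answer: base64(HMAC-SHA256(password, value))."""
    mac = hmac.new(password.encode(), value.strip().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def _question(password: str, terms: int, limit: int, seed: Optional[int]) -> Tuple[str, str]:
    """Random +/- question over `terms` values in [0, limit], evaluated left to right."""
    rng = random.Random(seed)  # seed=None draws from OS entropy; a fixed seed is for tests
    values = [rng.randint(0, limit) for _ in range(terms)]
    ops = [rng.choice("+-") for _ in range(terms - 1)]
    answer, text = values[0], str(values[0])
    for op, v in zip(ops, values[1:]):
        answer = answer + v if op == "+" else answer - v
        text += f" {op} {v}"
    # Display the text; the crypt goes into the hidden form field.
    return text + " = ?", crypt_answer(password, str(answer))

def easy_secure_question(password: str, limit: int = 10, seed: Optional[int] = None):
    """2 values, 1 operation; returns (question text, stored crypt)."""
    return _question(password, 2, limit, seed)

def hard_secure_question(password: str, limit: int = 100, seed: Optional[int] = None):
    """3 values, 2 operations; returns (question text, stored crypt)."""
    return _question(password, 3, limit, seed)

def verify(user_value: str, password: str, stored_crypt: str) -> bool:
    """Recompute the digest for the user's answer and compare in constant time."""
    try:
        expected = base64.b64decode(stored_crypt, validate=True)
    except ValueError:  # malformed hidden-field value (binascii.Error is a ValueError)
        return False
    actual = base64.b64decode(crypt_answer(password, user_value))
    return hmac.compare_digest(expected, actual)

def solve(question: str) -> int:
    """Evaluate a generated question text left to right (demo/test helper)."""
    tokens = question.replace("= ?", "").split()
    total = int(tokens[0])
    for op, v in zip(tokens[1::2], tokens[2::2]):
        total = total + int(v) if op == "+" else total - int(v)
    return total
```

As in the original class, verify only succeeds when the password matches the one used to generate the question, and a tampered or malformed hidden field simply fails verification.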

Sample Code

<?php
$security = new FormSecurity();

// "FORM_POSTED" in the original sketch meant "the form was submitted";
// checking for the two POST fields directly expresses the same thing.
if (isset($_POST['useranswer'], $_POST['securityanswer'])) {
    // The password ("text") must match the one passed to EasySecureQuestion below.
    if ($security->Verify($_POST['useranswer'], "text", $_POST['securityanswer']) == 1) {
        print "Go Dude!";
    } else {
        print "bummer";
    }
}
?>
<form method="post">
Please answer: <?php print($security->EasySecureQuestion("text", 20)); ?>
<input type="text" name="useranswer">
<!-- the base64 crypt of the answer travels with the form in a hidden field; escape it as attribute output -->
<input type="hidden" name="securityanswer" value="<?php echo htmlspecialchars($security->getStoredCrypt()); ?>">
<input type="submit" value="post">
</form>