
Difference between revisions of "Phoenix formsecurity"

The later revision changes wording only; the affected lines are:

Line 3 (Intro):
  "a generic way to added a random mathematical question to any page with a form, in order to try and prevent bots" became "a generic way to add a random mathematical question to any page with a form, to try and prevent bots"
  "for later comparsion" became "for later comparison"

Line 16 (Class description, getStoredCrypt):
  "protected dataspace of the class" became "protected data space of the class"

Line 22 (Class description, Verify):
  "either HardSecureQuestion ro EasySecureQuestion" became "either HardSecureQuestion or EasySecureQuestion"

Revision as of 11:25, 4 June 2008

Form Security Class

Intro

The FormSecurity class was created to be a generic way to add a random mathematical question to any page with a form, to try and prevent bots and scripts from automatically filling out the forms and flooding work channels, email and database systems. It does this by generating a question, computing the answer and storing the answer as a crypt hash for later comparison. On form submission it can compare the user's answer with the stored result; if they match you can be reasonably sure that the form was filled out by a person, or at least by a script that was written by someone who knew what they were doing.

Class description

The class contains the following functions:

  1. getStoredCrypt : This function returns the value stored in the protected data space of the class. By default it should contain the encrypted result of the question computation.
  2. setStoredCrypt : Sets the value for getStoredCrypt to return. Used internally within the class, but available outside.
  3. HardSecureQuestion : Generates a 'hard' random question consisting of 3 values and 2 mathematical operations (+/-) chosen at random. Requires that you pass it a password (text string) to encrypt the result with. You can also specify the upper limit on the values that will be used to generate the question; the limit defaults to 100 if not given. The return is a text string of the question itself, so that it can be displayed.
  4. EasySecureQuestion : Generates an 'easy' random question consisting of 2 values and 1 mathematical operation (+/-) chosen at random. Requires that you pass it a password (text string) to encrypt the result with. You can also specify the upper limit on the values that will be used to generate the question; the limit defaults to 10 if not given. The return is a text string of the question itself, so that it can be displayed.
  5. Crypt : Generates a binary-safe encrypted value. Requires the password and the data to encrypt. Returns a binary-safe version via base64_encode.
  6. DeCrypt : Recovers the original crypt() result from a binary-safe version. Essentially it backs out the packing done by the Crypt function. Used primarily within the class, but available outside.
  7. Verify : Given a user value, a password and a binary-safe Crypt() result, checks whether the supplied inputs match. It works by calling DeCrypt on the Crypt() result and then comparing that to the result of the system crypt() function as applied to the password and user value. The password here *must* match the password given to either HardSecureQuestion or EasySecureQuestion, or else the values will never match.
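The class description above, worked through as an added example that is not the Phoenix FormSecurity class itself: a self-contained PHP reimplementation of the scheme it lists. Only the public method names follow the page. Everything internal is an assumption made here: operands come from random_int(), the answer is bound to the password with an HMAC before it goes through crypt(), every question gets a fresh random SHA-512 crypt salt, and Verify() compares with hash_equals(). The helpers buildQuestion(), keyed() and newSalt(), and the class name FormSecurityExample, are hypothetical.

```php
<?php
// Added example, not the Phoenix FormSecurity class: a self-contained PHP
// reimplementation of the scheme the class description lays out. Internals
// (random_int, HMAC keyed by the password, random SHA-512 crypt salts,
// hash_equals) are assumptions; only the public method names follow the page.
class FormSecurityExample
{
    protected $storedCrypt = '';

    public function getStoredCrypt() { return $this->storedCrypt; }
    public function setStoredCrypt($value) { $this->storedCrypt = $value; }

    public function HardSecureQuestion($password, $limit = 100)
    {
        return $this->buildQuestion($password, $limit, 3);   // 3 values, 2 ops
    }

    public function EasySecureQuestion($password, $limit = 10)
    {
        return $this->buildQuestion($password, $limit, 2);   // 2 values, 1 op
    }

    // Pack crypt() output so it survives HTML attributes and form encoding.
    public function Crypt($password, $data)
    {
        return base64_encode(crypt($this->keyed($password, $data), $this->newSalt()));
    }

    // Back out the packing; strict decoding rejects tampered or truncated input.
    public function DeCrypt($packed)
    {
        return base64_decode($packed, true);
    }

    // Returns 1 when the user's value hashes to the stored crypt, else 0.
    public function Verify($userValue, $password, $packed)
    {
        $expected = $this->DeCrypt($packed);
        if ($expected === false || $expected === '') {
            return 0;
        }
        // Re-hash with the salt embedded in the stored crypt, then compare in
        // constant time so a wrong answer does not leak timing information.
        $actual = crypt($this->keyed($password, trim((string) $userValue)), $expected);
        return hash_equals($expected, $actual) ? 1 : 0;
    }

    // Hypothetical helper: build "a + b - c = ?", evaluate it left to right
    // and store the packed crypt of the answer.
    protected function buildQuestion($password, $limit, $terms)
    {
        $answer = random_int(0, $limit);          // CSPRNG, not rand()/mt_rand()
        $text   = (string) $answer;
        for ($i = 1; $i < $terms; $i++) {
            $value = random_int(0, $limit);
            if (random_int(0, 1) === 1) {
                $answer += $value;
                $text   .= ' + ' . $value;
            } else {
                $answer -= $value;
                $text   .= ' - ' . $value;
            }
        }
        $this->setStoredCrypt($this->Crypt($password, (string) $answer));
        return $text . ' = ?';
    }

    // Hypothetical helper: bind the answer to the secret password so that
    // someone holding only the packed crypt cannot test candidate answers.
    protected function keyed($password, $data)
    {
        return hash_hmac('sha256', $data, $password);
    }

    // Hypothetical helper: fresh 16-character salt from the crypt() alphabet.
    protected function newSalt()
    {
        return '$6$' . strtr(base64_encode(random_bytes(12)), '+', '.') . '$';
    }
}

// Constructed round trip; the password is a placeholder, not a real secret.
$fs       = new FormSecurityExample();
$question = $fs->EasySecureQuestion('placeholder-secret', 20);
$packed   = $fs->getStoredCrypt();
// A real page shows $question to the user; here the script solves it itself.
$parts  = explode(' ', $question);                 // e.g. ["7", "+", "12", "=", "?"]
$solved = (int) $parts[0];
for ($i = 1; $i < count($parts) - 2; $i += 2) {
    $solved = ($parts[$i] === '+') ? $solved + (int) $parts[$i + 1] : $solved - (int) $parts[$i + 1];
}
echo $question, "\n";
echo 'correct answer:  ', $fs->Verify((string) $solved, 'placeholder-secret', $packed), "\n";
echo 'wrong answer:    ', $fs->Verify((string) ($solved + 1), 'placeholder-secret', $packed), "\n";
echo 'wrong password:  ', $fs->Verify((string) $solved, 'other-secret', $packed), "\n";
```

The design choice worth noting: the packed crypt is handed to the client, and the answer space of an easy question is tiny, so the stored value must not be something a client can recompute for each candidate answer. Keying the answer with the server-side password before crypt() is what closes that gap; a random per-question salt keeps the visible hash from revealing anything about the password itself.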

Sample Code

<?php
$security = new FormSecurity();

// FORM_POSTED in the original was a placeholder; check the request method instead.
if ( $_SERVER['REQUEST_METHOD'] == 'POST' ) {
  if ( $security->Verify( $_POST['useranswer'], "text", $_POST['securityanswer'] ) == 1 ) {
    print "Go Dude!";
  } else {
    print "bummer";
  }
}
?>

<form method="post">
<!-- the method is EasySecureQuestion, as listed in the class description -->
Please answer: <?php print( $security->EasySecureQuestion( "text", 20 ) ); ?>
<input type="text" name="useranswer">
<input type="hidden" name="securityanswer" value="<?php print( $security->getStoredCrypt() ); ?>">
<input type="submit" value="post">
</form>
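The sample above carries the packed crypt in a hidden field, so a client that has once solved a question can resend the same answer and hidden value for as long as the password stays "text". Added example, not from the wiki page: the same flow with the crypt kept in the PHP session instead of the form, given a lifetime, discarded after one use, and the literal password replaced by a deployer-supplied secret. It assumes the FormSecurity class described on this page is loaded with the methods listed; FORM_SECRET and the session key names are placeholders chosen here.

```php
<?php
// Added example: session-bound use of the FormSecurity class described on
// this page. The class itself is assumed to be loaded; FORM_SECRET and the
// session keys are placeholders chosen for this example.
session_start();

// Placeholder: in a deployment this comes from configuration, never from source.
define('FORM_SECRET', 'replace-with-a-long-random-value');
define('QUESTION_LIFETIME', 600);   // seconds a rendered question stays valid

$security = new FormSecurity();
$message  = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $stored = $_SESSION['form_crypt'] ?? null;
    $issued = $_SESSION['form_crypt_time'] ?? 0;
    $answer = $_POST['useranswer'] ?? '';

    // Verify only against a crypt this server issued, and only while it is fresh.
    if ($stored !== null
        && (time() - $issued) < QUESTION_LIFETIME
        && $security->Verify($answer, FORM_SECRET, $stored) == 1) {
        $message = 'Go Dude!';
    } else {
        $message = 'bummer';
    }
    // One shot: a solved or failed question is never accepted a second time.
    unset($_SESSION['form_crypt'], $_SESSION['form_crypt_time']);
}

// Generate a fresh question for this render and remember its crypt server-side;
// the client only ever sees the question text.
$question = $security->EasySecureQuestion(FORM_SECRET, 20);
$_SESSION['form_crypt']      = $security->getStoredCrypt();
$_SESSION['form_crypt_time'] = time();
?>
<?php if ($message !== ''): ?>
<p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form method="post">
Please answer: <?php echo htmlspecialchars($question, ENT_QUOTES, 'UTF-8'); ?>
<input type="text" name="useranswer" autocomplete="off">
<input type="submit" value="post">
</form>
```

With the crypt held server-side the hidden field disappears entirely, so there is nothing for a client to hand back other than the answer, and the unset() after each POST means every submission has to solve a question that was generated for that same session.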
