
Zulumander


  1. <?php
     if (isset($_GET['Type'])) {
         $valid = true;

         // First, declarations
         $fName = filter_input(INPUT_GET, "fName");
         $lName = filter_input(INPUT_GET, "lName");
         $city = filter_input(INPUT_GET, "city");
         $state = filter_input(INPUT_GET, "state");
         $zipCode = filter_input(INPUT_GET, "zipCode");

         // Array with GET "Names"
         $GetArray = array('fName', 'lName', 'city', 'state', 'zipCode');
         $begin = 0;

         // ErrMsg Base
         $errMsgs = "Sorry, something's wrong with your Data Input! <ul>";

         // Start the Check for Empty Data input
         while ($begin < count($GetArray)) {
             // empty() also covers a missing key, so no undefined-index notice
             if (empty($_GET[$GetArray[$begin]])) {
                 // Field was Empty, return false...
                 $valid = false;
                 // And extend the Error Message.
                 $errMsgs .= "<br><li>You did not provide ".$GetArray[$begin]."</li> ";
             }
             $begin += 1;
         }

         // End the Error message
         $errMsgs .= "</ul>";

         // Final Check
         if ($valid == true) {
             // Escape the user-supplied values before echoing them into HTML
             echo "Welcome " . htmlspecialchars("{$fName}, {$lName},{$city} {$state} {$zipCode}", ENT_QUOTES, 'UTF-8');
         } else {
             echo $errMsgs;
         }
     }
     ?>
     <form action="script.php" method="get">
         <input type="hidden" name="Type" value="z">
         <input type="text" name="fName">
         <input type="text" name="lName">
         <input type="text" name="city">
         <input type="text" name="state">
         <input type="text" name="zipCode">
         <input type="submit" value="Submit">
     </form>

     Worked fine for me.

     Results

     Sorry, something's wrong with your Data Input!
     You did not provide fName
     You did not provide lName
     You did not provide state

     Welcome This, Is,A Test Script
  2. I understand the idea, and of course they may have a difficult time figuring out the key's encryption, I'm just saying it would still be possible if they're capable enough, and I understand that's an inevitable factor which nobody can deny. But I also see where you're coming from, stating average user/script-kiddy, seeing as the people I'm talking about aren't exactly 'big-crackers' so to speak, so I totally agree with you. I never bothered with POST Requests through .NET mainly because I had no clue it actually worked. I was told so by my teacher back in College. I guess he wasn't much of a teacher, then.. I'm sorry for not being literal on the 'scan' part, I meant that they decompiled the Program itself, and just read bits and pieces of fragments of the code that remained, and eventually put together the required pieces for the 'recipe' (Link + Parameters). I have currently solved the solution by over-extending your suggestion of using a Key. This is what I did: Note that when I said Webbrowser, I was also not specific. What I meant was it's a hidden Browser which the user can't see nor navigate through, so all Requests to the pages, are hidden.
       1. Created a very long Hash Key (no encryption yet)
       2. Added the Additional User Credentials (Everything combined) to the Hash (Hash &= Extras)
       3. I then encrypted the Key, X amount of times, and used it to send as a parameter to the webscript.
       4. Additionally, I exaggerated the security check by encrypting the Username & Password X amount of Times, that are also sent to the Script.
       5. The receiving end - The Script - then checks if the Key matches the Script's Generated Version of the Key, and also checks if the Session's Username & Password matches the Hashed Username & Password sent from the program, to the script.
       6. I compiled the Program
       7. I obfuscated as much as I possibly could, making it more difficult to read & crack.
       8. Shared it with my large playerbase.
     This seems to have worked out thus far, and I'm hoping it will stay that way. I thank you for your help, it's appreciated. I'd also like to ask how You'd send POST Requests from .NET, like Let's say I grab the User's HWID, and there's a type="hidden" field of the POST Form, how would I make the Script determine that the hidden field for HWID, should contain the details of .NET's variable that grabs the HWID?
  3. I understand the concept of this, but if they re-scan the new program and see the Hash being let's say "somesalt" Then wouldn't they be able to just get a Free-web host, and get the parameters like this: echo sha1('somesaltusername=myuser&password=mypass'); And eventually do it as Technically?
  4. You will find it very difficult to make a .NET Program (Using Browser to send Data) to send a Machine's HWID in a POST Form since that is actually done through a Browser and I can't think of a way to send that data to the webscript without using GET. And thank you, trq, for the input, I will give it a go.
  5. Thanks a lot for helping! Well, I did a sneaky thing by reversing the Username & Password $_GET values to be rendered useless, by using Session instead. Because the program requires authentication before sending the parameters, so now it'll base it on those parameters instead. So now they cannot do that to the Script that actually is worth protecting. However, if they find the link to the Authentication Script, they may just as well be able to do the very same thing again. I'm stumbled.
  6. Hi. I recently developed a .NET Program (including GUI) which would send data to a website/dir/script.php by using the GET Method. However people are able to scan the program to find the path of the Script, and add in their own $_GET Data like Username=user&pass=pass, etc. I want to block how they manage to input their own data, and just allow it through the program. I know this may sound stupid, and probably is a very delicate thing to do, but I really do need it. The reason it should require the program, is because it uses the Machine's HWID to make sure they only do the Form 1 time a day (Data inserted to MySQL DB). Currently they are for example changing their HWID every time they do a new request. So my question is, is there any way to block user-input of GET variables?
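
Added example (not part of any post in this thread, and not the poster's code): a sketch of the script-side key check from step 5 of post 2, next to the concern raised in post 3 that a key shipped inside the program can be read out and reused. SHARED_KEY, the field names, MAX_SKEW and the $lastRun array (standing in for the MySQL table) are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. SHARED_KEY, the field names and
// MAX_SKEW are assumptions; $lastRun stands in for the MySQL table.
const SHARED_KEY = 'constructed-demo-key'; // also shipped inside the client
const MAX_SKEW   = 300;                    // seconds a signed request is accepted

// Canonical string both sides sign: every field except sig, sorted by name.
function canonical(array $p): string {
    unset($p['sig']);
    ksort($p);
    return http_build_query($p);
}

function sign(array $p): string {
    return hash_hmac('sha256', canonical($p), SHARED_KEY);
}

// Returns 'ok' or the reason for rejection.
function check_request(array $p, string $sessionUser, int $now, array &$lastRun): string {
    if (!isset($p['sig'], $p['ts']) || !is_string($p['sig'])) {
        return 'missing fields';
    }
    if (!hash_equals(sign($p), $p['sig'])) {   // constant-time comparison
        return 'bad signature';
    }
    if (abs($now - (int) $p['ts']) > MAX_SKEW) {
        return 'stale request';
    }
    // Daily limit keyed on the server-side session user, not the client-sent hwid.
    $today = gmdate('Y-m-d', $now);
    if (($lastRun[$sessionUser] ?? '') === $today) {
        return 'already submitted today';
    }
    $lastRun[$sessionUser] = $today;
    return 'ok';
}

$now = 1700000000;                              // constructed timestamp
$lastRun = [];
$req = ['hwid' => 'AAAA-1111', 'ts' => $now];   // constructed request
$req['sig'] = sign($req);

$edited = array_merge($req, ['hwid' => 'BBBB-2222']);   // hwid changed, old sig kept
$resigned = ['hwid' => 'BBBB-2222', 'ts' => $now];      // new hwid, signed with the key
$resigned['sig'] = sign($resigned);

foreach ([$req, $edited, $resigned] as $p) {
    echo check_request($p, 'alice', $now, $lastRun), "\n";
}
```

With these constructed inputs the edited request fails the signature check, while the re-signed one passes it and is stopped only by the limit tied to the session user, which is why that limit is kept on state the script controls.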