0

At the beginning of every PHP script, I loop through the possible POST and GET inputs and filter them properly, so later when I need an input, I can use my custom, safe, filtered variable (which is an array that holds POSTs and GETs) and I do not have to touch $_GET and $_POST.

If the variable is a hash-value, either a 40 character SHA1, or a 64 character Adobe Stratus ID, how do I recognise them?

I do not want the user to post some nonsense data.

Ágota Horváth

4 Answers

1

To test whether a string is an x-length hash value or not:

$x = 40;
$string = "inputstring";
// preg_match() returns 1 on a match, 0 on no match and false on error
$boolResult = (preg_match('/^[0-9a-f]{' . $x . '}$/i', $string) == true) ? true : false;
Gábor DANI
0

I do not agree that you should avoid _POST and _GET access, but instead you should clean them where possible to avoid XSS (https://en.wikipedia.org/wiki/Cross-site_scripting). CodeIgniter has a great security library you can pinch and plug into your own stuff.

Other than that, I'm not sure... but I think you are asking to decrypt hashed values from the session?

lukeocodes
0

Most hashes (SHA, MD5, etc.) return hex format, so you can easily detect them using ctype_xdigit:

if (ctype_xdigit($value)) {
    // It must be Hex
}

I don't know what an Adobe Stratus ID looks like, but you can easily validate that with preg_match too.

Some can also come in base64; you can also validate that with

if ( base64_encode(base64_decode($data)) === $data){
   // it must be base 64
}
Baba
0

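You can match a SHA1 hash with a regex like:

/^[0-9a-f]{40}$/

In PHP:

foreach ($_GET as $get) {
    // ^ and $ anchor the pattern so the whole value must be exactly 40 hex characters;
    // is_string() skips array parameters such as ?a[]=1
    if (is_string($get) && preg_match('/^[0-9a-f]{40}$/i', $get)) {
        // do something
    }
}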
max collomb
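
An added example, not code from the question or any of the answers: it builds the filtered input array the question describes and accepts a field only when it is exactly a 40-character or 64-character hex string. The function and field names are hypothetical, and the 64-character Stratus ID is assumed to be hexadecimal, since the page only gives its length.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns 'sha1', 'stratus' or null for anything else.
// Assumption: a Stratus ID is 64 hex characters (the page only states its length).
function classify_hash($value): ?string
{
    // Array parameters (?h[]=x) and other non-strings are rejected outright.
    if (!is_string($value)) {
        return null;
    }
    // \A and \z anchor the whole string; unlike $, \z does not tolerate a
    // trailing newline, so a hash followed by "\n" fails.
    if (preg_match('/\A[0-9a-f]{40}\z/i', $value) === 1) {
        return 'sha1';
    }
    if (preg_match('/\A[0-9a-f]{64}\z/i', $value) === 1) {
        return 'stratus';
    }
    return null;
}

// Builds the filtered array: only allow-listed fields are copied, and each
// only if its value has the hash type expected for that field.
function filter_hash_inputs(array $raw, array $expected): array
{
    $clean = [];
    foreach ($expected as $field => $type) {
        if (array_key_exists($field, $raw) && classify_hash($raw[$field]) === $type) {
            $clean[$field] = strtolower($raw[$field]); // normalise case
        }
    }
    return $clean;
}

// Constructed sample input standing in for the merged $_GET and $_POST.
$sha1 = sha1('example');
$raw = [
    'token'   => $sha1,                  // valid SHA1
    'peer'    => str_repeat('ab', 32),   // 64 hex characters
    'padded'  => "junk{$sha1}junk",      // contains a hash, is not one
    'newline' => $sha1 . "\n",           // trailing newline
    'array'   => [$sha1],                // array parameter
];
$expected = ['token' => 'sha1', 'peer' => 'stratus', 'padded' => 'sha1',
             'newline' => 'sha1', 'array' => 'sha1'];

var_dump(array_keys(filter_hash_inputs($raw, $expected)));
```

This check only confirms the shape of the value; whether the hash corresponds to anything the application knows still has to be verified server-side.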