Thank you William,
It will take me a few days to try this because of work, but this I
will do : )
On Oct 4, 1:29 am, William <[EMAIL PROTECTED]> wrote:
> The technique seems to work on my PHP 4 server. Try the following
> procedure.
>
> 1. Verify PHP Configuration
>
> Make a simple PHP page that gets information about your server. If
> you are worried about security, delete this page after you've used it!!
> -------------------------------------------------------------------------------
> <?php phpinfo() ?>
> -------------------------------------------------------------------------------
>
> In the "Session" section, verify it says "Session Support: Enabled"
>
> In the list of directives look at "session.auto_start". If this is
> "Off", you will require session_start(); at the start of your php
> pages.
>
> 2. Token Creation
>
> Create a PHP form
> -------------------------------------------------------------------------------
> <?php
> session_start();
> $_SESSION['token'] = uniqid(md5(microtime()), true);
> ?>
> <html>
> <head></head>
> <body>
> <form id="search_form" method="get" action="testphp.php">
> <input type="hidden" name="token" value="<?php echo
> $_SESSION['token'] ?>" />
> <input type="text" name="name" value=""
> maxlength="256" size="50" />
>
> <input type="submit" value="Search" />
> </form>
> </body>
> </html>
> -------------------------------------------------------------------------------
>
> and view the source to ensure it contains the token (and maybe php
> session)
>
> <input type="hidden" name="PHPSESSID"
> value="8c253b566571cb8c47e19c2037470878" />
> <input type="hidden" name="token"
> value="28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232" />
>
> 3. Valid Token processing
>
> Create testphp.php
> -------------------------------------------------------------------------------
> <?php
>
> session_start();
>
> // get token variables (the request may not carry a token at all)
> $token_session = isset($_SESSION['token']) ? $_SESSION['token'] : '';
> $token_url = isset($_GET['token']) ? $_GET['token'] : '';
>
> // compare them (strict comparison, so no loose string-to-number coercion)
> $comparison = ($token_session !== '' && $token_session === $token_url);
>
> // set the token to a new value to ensure it is only used once.
> $_SESSION['token'] = uniqid(md5(microtime()), true);
>
> // escape before echoing; the URL value is attacker-controlled
> echo 'Token in session [' . htmlspecialchars($token_session) . ']<br>';
> echo 'Token from URL [' . htmlspecialchars($token_url) . ']<br><br>';
> echo 'Are they equal? ' . ($comparison ? 'Yes' : 'No') . '.<br>';
>
> if (!$comparison) {
> die('Invalid token.');
> } else {
> echo 'Valid token.';
> }
>
> ?>
> -------------------------------------------------------------------------------
>
> Token in session
> [28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232]
> Token from URL
> [28da62665aa59f2aac9fb14fbb9af4fb48e7216117fba0.52467232]
>
> Are they equal? Yes.
> Valid token
>
> 4. Invalid Token processing
>
> (a) Refresh testphp.php and it should say "Invalid token" because
> there's a new token in the session.
>
> (b) Press the back button to get back to the PHP form, and resubmit it.
> It might say "invalid token" if the PHP form has been cached in your
> browser.
>
> (c) Create an HTML file with a fake form:
> -------------------------------------------------------------------------------
>
> <html>
> <head></head>
> <body>
> <form id="search_form" method="get" action="testphp.php">
> <input type="hidden" name="token" value="blue" />
> <input type="text" name="name" value=""
> maxlength="256" size="50" />
>
> <input type="submit" value="Search" />
> </form>
> </body>
> </html>
> -------------------------------------------------------------------------------
>
> This should say "invalid token"
You received this message because you are subscribed to the Google Groups
"Google Maps API" group.
For more options, visit this group at
http://groups.google.com/group/Google-Maps-API?hl=en
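A hardened version of the same one-time session-token pattern, added here as an example (not William's code, nor anything from the Google Maps API group): it swaps md5(microtime()) for random_bytes(), == for hash_equals(), GET for POST, and folds the form page and testphp.php into one self-posting script. The function names csrf_issue_token and csrf_consume_token are my own, and the script assumes PHP 7.1+ with session support enabled.

```php
<?php
// Added example (not William's code): the same one-time session-token
// pattern with the PHP functions now used for it. Assumes PHP 7.1+
// (random_bytes, hash_equals) and session support enabled.

// Issue a fresh token, store it in the session and return it for the form.
function csrf_issue_token(): string
{
    // 32 bytes from the CSPRNG, hex-encoded, instead of md5(microtime()).
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    return $token;
}

// Check the submitted token against the session copy and consume it, so a
// replay (refresh, back button, forged form) fails on the second attempt.
function csrf_consume_token($submitted): bool
{
    if (!is_string($submitted) || !isset($_SESSION['token'])) {
        return false;
    }
    $expected = $_SESSION['token'];
    unset($_SESSION['token']);            // one-time use, even on failure
    // hash_equals() compares in constant time and never coerces like ==
    return hash_equals($expected, $submitted);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Handler half (the testphp.php role): POST rather than GET, so the
    // token is not written into URLs, server logs or the Referer header.
    if (!csrf_consume_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid token.');
    }
    echo 'Valid token.';
    exit;
}

// Form half: embed the token; htmlspecialchars() keeps the attribute safe.
$token = csrf_issue_token();
?>
<form id="search_form" method="post" action="">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>" />
  <input type="text" name="name" maxlength="256" size="50" />
  <input type="submit" value="Search" />
</form>
```

Steps 4(a) to 4(c) above apply unchanged: a refresh, a resubmitted cached form, or a form with a made-up token all hit the 403 branch because the session copy is gone or differs.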