On Sunday 05 January 2003 07:43 am, Phil Powell wrote:
> I tried using REQUEST_URI but I didn't get the results I wanted. How will
> process.asp know that process.php called it in order to do what it should
> do?

if you can get $_SERVER["REMOTE_ADDR"] or $HTTP_REMOTE_ADDR and if you can trust it (not only that it's right, but also that there are no man in the middle attacks or other scripts on the client that can pretend to be your script) then you could just check that the request is coming from the right IP.

alternatively, you could use hashes that change from one invocation to the next (to avoid replay attacks).

the server and the client should both have a secret passphrase (perhaps even a whole set of them, one for each day, and generated every month or so).

on the client (process.php) randomly generate a string, e.g., $randstr. create a hash based on the secret passphrase and the randstr, e.g.,

    $hash=makeMyHash($passphrase.$randstr); /* use whatever hash function you want: openssl, mhash, mcrypt or whatever you use */

send the randstr and the hash along with the rest of the data.

on the server side, process.asp takes the randstr, takes the hash as above, and compares the hash generated with the hash passed in. if they don't match, don't reply. if they match, then the request comes from process.php (unless you're really paranoid, in which case, add some more hoops for process.php to jump through :).

tiger

-- 
Gerald Timothy Quimpo  tiger*quimpo*org gquimpo*sni-inc.com tiger*sni*ph
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"
Veritas liberabit vos.
Doveryai no proveryai.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
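
The shared-secret scheme described in the reply above, as an added example that is not part of the original post. It uses HMAC-SHA256 where the post leaves makeMyHash() open, and goes beyond the post by covering the request data with the hash and by having the receiver remember used random strings. Assumptions: the function names, the secret, the payload and the in-memory $seen store are hypothetical, and the receiving side is written in PHP only to keep both halves in one language.

```php
<?php
// Added example: names, secret and payload are constructed for illustration.
// Assumption: the passphrase is provisioned out of band on both hosts.
const SHARED_SECRET = 'constructed-demo-passphrase';

// Sender (the role of process.php): build the fields to send with the request.
function sign_request(string $payload, string $secret): array
{
    $randstr = bin2hex(random_bytes(16)); // fresh 128-bit random string per call
    // HMAC keyed with the passphrase stands in for makeMyHash($passphrase.$randstr).
    // The payload is included so the hash also covers the data being sent.
    $hash = hash_hmac('sha256', $randstr . "\n" . $payload, $secret);
    return ['randstr' => $randstr, 'hash' => $hash, 'data' => $payload];
}

// Receiver (the role of process.asp). $seen stands in for a persistent store
// of random strings that have already been accepted.
function verify_request(array $req, string $secret, array &$seen): bool
{
    foreach (['randstr', 'hash', 'data'] as $field) {
        if (!isset($req[$field]) || !is_string($req[$field])) {
            return false; // malformed request: do not reply
        }
    }
    $expected = hash_hmac('sha256', $req['randstr'] . "\n" . $req['data'], $secret);
    if (!hash_equals($expected, $req['hash'])) { // constant-time comparison
        return false; // wrong secret, or randstr/data changed in transit
    }
    if (isset($seen[$req['randstr']])) {
        return false; // random string already used: replayed request
    }
    $seen[$req['randstr']] = true; // record only after the hash checked out
    return true;
}

$seen = [];
$req = sign_request('order=42&action=process', SHARED_SECRET);

$first  = verify_request($req, SHARED_SECRET, $seen); // genuine request
$replay = verify_request($req, SHARED_SECRET, $seen); // same request sent again

$tampered = sign_request('order=42&action=process', SHARED_SECRET);
$tampered['data'] = 'order=43&action=process';        // data changed after signing
$modified = verify_request($tampered, SHARED_SECRET, $seen);

var_dump($first, $replay, $modified);
```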