Let me explain. Let's say you pass the redirect url in a parameter:

http://mysite.com/redirect.php?url=redirectsite.com

When you create this url, you can add a hash (md5 or sha) of the "redirectsite.com" as a second parameter, i.e.

http://mysite.com/redirect.php?url=redirectsite.com&hash=09acbb404b64f1fc04d7ee0584ac4851

Now in redirect.php you should compare the hash of the "url" parameter with the value of the "hash" parameter and redirect only if they match.

Now let's say bad guys figured out that you use md5 to generate the hash parameter. They can easily generate the md5 hash of the url parameter themselves and bypass your security check.

To make it almost impossible for hackers to generate the correct hash parameter, you should add some "salt" to the url before creating the hash. I.e. instead of md5(url) you should do md5(salt+url), where "salt" is some hard to guess string constant.

Now in redirect.php you should compare md5(salt+url) with hash. Now hackers can't generate a valid hash themselves since they don't know the "salt".

I guess you get the idea.

Denis
http://www.UnmaskParasites.com
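One way to implement the check described in the message above, as an added example that is not part of the original post: it swaps md5(salt+url) for HMAC-SHA256, a keyed hash designed for this purpose, and compares the values with hash_equals so the comparison runs in constant time. The key value and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// REDIRECT_KEY is a constructed placeholder; load the real secret from
// server-side configuration and never expose it in a URL or page.
const REDIRECT_KEY = 'constructed-example-key-change-me';

// Keyed tag over the url parameter. This takes the place of
// md5(salt + url) from the post; the "salt" is the HMAC key.
function hmac_tag(string $url): string
{
    return hash_hmac('sha256', $url, REDIRECT_KEY);
}

// Used wherever the site generates a redirect link.
function build_redirect_link(string $url): string
{
    return 'http://mysite.com/redirect.php?' . http_build_query([
        'url'  => $url,
        'hash' => hmac_tag($url),
    ]);
}

// Used in redirect.php: recompute the tag from the received url and
// compare it with the received hash before redirecting.
function is_valid_redirect($url, $hash): bool
{
    // Reject missing or array-valued parameters (?url[]=...).
    if (!is_string($url) || !is_string($hash) || $url === '') {
        return false;
    }
    // hash_equals avoids leaking how many leading characters matched.
    return hash_equals(hmac_tag($url), $hash);
}

// Constructed demonstration when run from the command line.
if (PHP_SAPI === 'cli') {
    $link = build_redirect_link('redirectsite.com');
    parse_str(parse_url($link, PHP_URL_QUERY), $q);

    // Case 1: the link exactly as the site generated it.
    var_dump(is_valid_redirect($q['url'], $q['hash']));
    // Case 2: url swapped while the old hash is reused.
    var_dump(is_valid_redirect('other.example', $q['hash']));
    // Case 3: unkeyed md5 of the url, as in the first scheme in the post.
    var_dump(is_valid_redirect($q['url'], md5($q['url'])));
}
```

In redirect.php the call would be `is_valid_redirect($_GET['url'] ?? null, $_GET['hash'] ?? null)`, with the redirect issued only when it returns true.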
