I have a script on my webserver that initiates an HTTPS connection with a secured payment solution. The payment solution allows the user to store their credit card credentials, so the script's integrity is mandatory.
The script is called from the web and from a web browser launched by an iPhone application.
It takes several POST values as input:
- user ID
- value
- currency
… etc
to generate the initial request with the payment solution.
My goal is to secure, as much as possible, the POST values sent to the script to avoid attacks, essentially because anyone could see the POST variables it takes as input with Firebug.
The script is reached via HTTPS, and this is what I came up with in order to secure the content data:
```php
<?php
if (empty($_POST)) {
    echo 'No data';
    exit;
}
$uid = $_POST['uid'];
$nonce = $_POST['nonce'];
$request_timestamp = $_POST['time'];
// other useful values ...

/*
 * Test 1: is the nonce correct? (example of a possible hash)
 */
if (strcmp(md5($uid . $request_timestamp . 'mygrE4TpassPhraZ'), $nonce) !== 0) {
    echo 'Bad nonce';
    exit;
}

/*
 * Test 2: is the timestamp acceptable? 10 seconds maximum here.
 */
if (time() - $request_timestamp > 10) {
    echo 'Request too old';
    exit;
}

/*
 * Test 3: is this request the first valid one I receive with these credentials for this user?
 */
if (strcmp(User::getOnGoingNonce($uid), $nonce) === 0) {
    echo 'Request already registered';
    exit;
}

// direct database access
User::setOnGoingNonce($uid, $nonce);

/*
 * Finally, the exchange with the payment solution can proceed ...
 */
```
Do you think this is secure enough? Do you have cleaner solutions?
Input would be greatly appreciated, thank you in advance.
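As an added example, and not the original poster's code, here are the same three checks (a digest over the request, a timestamp window, a one-time nonce) written out as both the client's signing step and the server's verification, using PHP's hash_hmac() and hash_equals(). It assumes a shared secret that the client can actually keep (a secret embedded in browser JavaScript is visible in Firebug, so this only holds for a client that can hold a secret), a constructed in-memory nonce store in place of User::setOnGoingNonce(), and the field names uid, value and currency from the question.

```php
<?php
// Added example (not from the original post): every POSTed field is covered
// by one HMAC, the timestamp bounds the window, and the nonce is accepted once.
// Assumptions: SHARED_SECRET is known only to the server and to a client that
// can keep it; $seenNonces stands in for a database table of used nonces.

const SHARED_SECRET  = 'replace-with-a-random-32-byte-secret'; // assumption
const MAX_AGE_SECONDS = 10;

// Canonical form of the fields: sorted, URL-encoded pairs, so client and
// server hash identical bytes whatever order the fields were sent in.
function canonical(array $fields): string {
    ksort($fields);
    return http_build_query($fields);
}

// Client side: stamp the request with a time and a random nonce, then sign
// all of it (including uid, value and currency) with the shared secret.
function signRequest(array $fields, string $secret, ?int $now = null): array {
    $fields['time']  = (string)($now ?? time());
    $fields['nonce'] = bin2hex(random_bytes(16));
    $fields['sig']   = hash_hmac('sha256', canonical($fields), $secret);
    return $fields;
}

// Server side: returns null when the request is accepted, otherwise the
// reason it was refused. $seenNonces maps "uid:nonce" to the time it was used.
function verifyRequest(array $post, string $secret, array &$seenNonces, ?int $now = null): ?string {
    foreach (['uid', 'time', 'nonce', 'sig'] as $k) {
        if (!isset($post[$k]) || !is_string($post[$k])) {
            return 'missing ' . $k;
        }
    }
    $sig = $post['sig'];
    unset($post['sig']);

    // Recompute the HMAC over everything the client signed. hash_equals()
    // compares in constant time, so the comparison itself leaks nothing.
    $expected = hash_hmac('sha256', canonical($post), $secret);
    if (!hash_equals($expected, $sig)) {
        return 'bad signature';
    }

    // The timestamp is inside the signed data, so it cannot be moved forward
    // without a new valid signature. abs() tolerates small clock skew.
    $now = $now ?? time();
    if (abs($now - (int)$post['time']) > MAX_AGE_SECONDS) {
        return 'request too old';
    }

    // Nonces older than the window can be forgotten: a request that old is
    // refused by the timestamp check anyway.
    $seenNonces = array_filter($seenNonces, fn($t) => abs($now - $t) <= MAX_AGE_SECONDS);

    $key = $post['uid'] . ':' . $post['nonce'];
    if (isset($seenNonces[$key])) {
        return 'replay';
    }
    $seenNonces[$key] = $now;
    return null;
}

// Constructed demonstration: a fresh request, the same request resubmitted,
// and a copy whose amount was edited after signing.
$seen = [];
$req = signRequest(['uid' => '42', 'value' => '19.99', 'currency' => 'EUR'], SHARED_SECRET);
var_dump(verifyRequest($req, SHARED_SECRET, $seen));      // first submission
var_dump(verifyRequest($req, SHARED_SECRET, $seen));      // same nonce again
$tampered = $req;
$tampered['value'] = '0.01';
var_dump(verifyRequest($tampered, SHARED_SECRET, $seen)); // amount changed after signing
```

The nonce store must be keyed per user and retained at least as long as the timestamp window, otherwise a captured request can be replayed between the two checks; the signature has to cover the amount and currency, not only uid and time, or those fields can be edited freely once a valid nonce is known.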
It is good developer practice to sanitize and filter every user input. There is a special PHP function for that purpose, available to make a programmer's life easier. It is called filter_var(). If you work with arrays you can use filter_var_array(). See here for details.
So, the practical solution for your code should be something like this:
I assume that 'uid' is an integer and the other variables are strings. But you can choose whatever filter you need. See here for the types of filters.
When sanitizing the user input you ensure that your script will not allow SQL injection attacks, for example, or XSS attacks.
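An added example of the filter_var_array() approach applied to the fields in the question (example code, not the answer's own). It takes uid as an integer, as the answer assumes; the filters for value, currency, time and nonce are my own assumptions (a two-decimal amount, an ISO 4217 code, an integer epoch time, a 32-character hex digest).

```php
<?php
// Added example (not the answer's code): validate the script's POST fields
// with filter_var_array(). Field types other than uid are assumptions.

function paymentPostDefinition(): array {
    return [
        'uid'      => ['filter'  => FILTER_VALIDATE_INT,
                       'options' => ['min_range' => 1]],
        'value'    => ['filter'  => FILTER_VALIDATE_REGEXP,
                       'options' => ['regexp' => '/^[0-9]{1,9}(\.[0-9]{1,2})?$/']],
        'currency' => ['filter'  => FILTER_VALIDATE_REGEXP,
                       'options' => ['regexp' => '/^[A-Z]{3}$/']],
        'time'     => ['filter'  => FILTER_VALIDATE_INT,
                       'options' => ['min_range' => 0]],
        'nonce'    => ['filter'  => FILTER_VALIDATE_REGEXP,
                       'options' => ['regexp' => '/^[0-9a-f]{32}$/']],
    ];
}

// Returns ['ok' => bool, 'fields' => filtered values, 'errors' => names of
// fields that were missing or rejected]. Only listed keys are kept, so any
// extra POST parameter is dropped rather than passed on.
function validatePaymentPost(array $post): array {
    $definition = paymentPostDefinition();
    // add_empty = true: a key absent from $post comes back as null, so a
    // missing field is reported instead of being silently skipped.
    $clean  = filter_var_array($post, $definition, true);
    $errors = [];
    foreach ($definition as $name => $_) {
        // null = missing, false = present but rejected by its filter
        if ($clean[$name] === null || $clean[$name] === false) {
            $errors[] = $name;
        }
    }
    return ['ok' => $errors === [], 'fields' => $clean, 'errors' => $errors];
}

// Constructed sample inputs: one well-formed request and one carrying an
// injection attempt in uid, markup in currency and a non-numeric time.
$good = ['uid' => '42', 'value' => '19.99', 'currency' => 'EUR',
         'time' => (string)time(), 'nonce' => str_repeat('ab', 16)];
$bad  = ['uid' => "42' OR 1=1 --", 'value' => '19.99',
         'currency' => '<script>', 'time' => 'now'];
print_r(validatePaymentPost($good));
print_r(validatePaymentPost($bad));
```

Validation like this bounds the shape of each field before it reaches the rest of the script; the database calls behind User::getOnGoingNonce() and User::setOnGoingNonce() should still use prepared statements, and anything echoed back to the browser should still be output-encoded, since filtering constrains the input rather than making any later use of it safe.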