Editorial Team
Asked: May 28, 2026

I want to validate some hidden input fields (to make sure they aren't changed


I want to validate some hidden input fields (to make sure they aren't changed on submission) with the help of a sha-encoded string of the key value pairs of these hidden fields. I saw examples of this online but I didn't understand how to encode and decode the values with a dynamic secret value. Can someone help me understand how to do this in Perl?

Also, which signature type (MD5, SHA1, SHA256, etc.) has a good balance of performance and security?

update

So, how do you decode the string once you get it encoded?


1 Answer

  1. Editorial Team
    Added an answer on May 28, 2026 at 4:22 am

    What you really need is not a plain hash function, but a message authentication code such as HMAC. Since you say you’d like to use SHA-256, you might like HMAC_SHA256, which is available in Perl via the Digest::SHA module:

    use Digest::SHA qw(hmac_sha256_base64);
    
    my $mac = hmac_sha256_base64( $string, $key );
    

    Here, $key is an arbitrary key, which you should keep secret, and $string contains the data you want to sign. To apply this to a more complex data structure (such as a hash of key–value pairs), you first need to convert it to a string. There are several ways to do that; for example, you could use Storable:

    use Storable qw(freeze);
    
    sub pairs_to_string {
        local $Storable::canonical = 1;
        my %hash = @_;
        return freeze( \%hash );
    }
    

    You could also use URL-encoding, as suggested by David Schwartz. The important thing is that, whatever method you use, it should always return the exact same string when given the same hash as input.

    Then, before sending the data to the user, you calculate a MAC for them and include it as an extra field in the data. When you receive the data back, you remove the MAC field (and save its value), recalculate the MAC for the remaining fields and compare it to the value you received. If they don’t match, someone (or something) has tampered with the data. Like this:

    my $key = "secret";
    sub mac { hmac_sha256_base64( pairs_to_string(@_), $key ) }
    
    # before sending data to client:
    my %data = (foo => "something", bar => "whatever");
    $data{mac} = mac( %data );
    
    # after receiving %data back from client:
    my $mac = delete $data{mac};
    die "MAC mismatch" if $mac ne mac( %data );
    

    Note that there are some potential tricks this technique doesn’t automatically prevent, such as replay attacks: once you send the data and MAC to the user, they’ll learn the MAC corresponding to the particular set of data, and could potentially replace the fields in a later form with values saved from an earlier form. To protect yourself against such attacks, you should include enough identifying information in the data protected by the MAC to ensure that you can detect any potentially harmful replays. Ideally, you’d want to include a unique ID in every form and check that no ID is ever submitted twice, but that may not always be practical. Failing that, it may be a good idea to include a user ID (so that a malicious user can’t trick someone else into submitting their data) and a form ID (so that a user can’t copy data from one form to another) and perhaps a timestamp and/or a session ID (so that you can reject old data) in the form (and in the MAC calculation).

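An added example, not part of the original answer: one way to combine the steps above in Perl, with the MAC bound to a user ID, a form ID and a timestamp as the answer suggests. The helper names, the `_ts` and `_mac` field names, the one-hour lifetime and the demo key are assumptions; the sketch canonicalises by percent-encoding sorted pairs, compares MACs in constant time, and does not track one-time form IDs.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use Encode qw(encode_utf8);

my $MAX_AGE = 3600;    # assumed form lifetime in seconds

# Percent-encode one string so '&' and '=' never appear unescaped.
sub esc {
    my $s = encode_utf8( $_[0] // '' );
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}
# Same pairs always yield the same string: keys sorted, values as strings.
sub canonical {
    my %f = @_;
    return join '&', map { esc($_) . '=' . esc( $f{$_} ) } sort keys %f;
}
# Compare without stopping at the first differing character.
sub ct_eq {
    my ( $x, $y ) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) ) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}
# User and form IDs come from the server-side session, not from the form.
sub mac_for {
    my ( $key, $uid, $form, %f ) = @_;
    return hmac_sha256_hex( canonical( %f, _uid => $uid, _form => $form ), $key );
}
sub sign_form {
    my ( $key, $uid, $form, %f ) = @_;
    $f{_ts} = time;    # sent as a hidden field and covered by the MAC
    return ( %f, _mac => mac_for( $key, $uid, $form, %f ) );
}
sub verify_form {
    my ( $key, $uid, $form, %f ) = @_;
    my $mac = delete $f{_mac};
    return 0 unless ct_eq( $mac, mac_for( $key, $uid, $form, %f ) );
    return ( $f{_ts} =~ /\A\d+\z/ && time - $f{_ts} <= $MAX_AGE ) ? 1 : 0;
}

# Constructed demo values; a real key is a long random server-side secret.
my $key  = 'constructed-demo-key';
my %form = sign_form( $key, 'user42', 'checkout', item => 'A-100', price => '19.99' );
print 'untouched: ',  verify_form( $key, 'user42', 'checkout', %form ), "\n";
print 'other user: ', verify_form( $key, 'user43', 'checkout', %form ), "\n";
$form{price} = '0.01';
print 'tampered: ',   verify_form( $key, 'user42', 'checkout', %form ), "\n";
```

Because every value is serialised as a string, a field signed as a number still verifies when it comes back from the browser as text.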
