Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This is basically extending the encoded input field trick with another (CSS)hidden field.

You can get rid of the (CSS)hidden field by using just the encoded field names instead. That will prevent someone from just copying the HTML field and mass submitting the same form with multiple IPs etc...

E.G. Encode all the input field names using the session ID and some salt (maybe the URL of the page?). I've done something similar in PHP previously as :

  public function encodedFieldName( $name ) {
  	return hash( 'ripemd160', $name . FIELD_KEY . $this->IP() );
  }
...Where FIELD_KEY is a pre-defined random string unique to the application or you can set it to the user's session/cookie etc... And IP() is, well, just getting the IP.

You can then retrieve the actual field name using something like...

  public function encodedFieldValue( $name, $fields = array() ) {	
  	$enc = $this->encodedFieldName( $name );
  	foreach ( $fields as $k => $v ) {
  		if ( $k === $enc ) {
  			return $v;
  		}
  	}
  	return NULL;
  }
And then you can use it as...

  $name = $this->encodedFieldValue( 'name', $_POST );
If you're really paranoid, you can add two extra hidden fields that's a nonce and some unique key (maybe using the session_id)

  $nonce	= hash( 'tiger160,4', $this->someRandomStr( 10 ) );
  $pk		= hash( 'tiger160,4', $nonce . session_id() );
  
  $nonce_name	= $this->encodedFieldName( 'nonce' );
  $pk_name	= $this->encodedFieldName( 'pk' );
Send PK and nonce to the user in the hidden fields...

  echo "<input name='{$nonce_name}' value='{$nonce}' />"; 
  echo "<input name='{$pk_name}' value='{$pk}' />";
...When checking form input recalculate the PK with the nonce to see if it matches later.

  $nonce	= $this->encodedFieldValue( 'nonce',	$_POST );
  $pk		= $this->encodedFieldValue( 'pk',	$_POST );

  if ( $pk ===  hash( 'tiger160,4', $nonce . session_id() ) ) {
  	return true;
  }


Perhaps I'm misunderstanding your post, but that's exactly what this does.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: