Posted 13 Mar 2015

Naming Form Elements Dynamically

13 Mar 2015 | CPOL | 1 min read
I am just applying the principle of Defence in Depth

Introduction

In this tip, I am going to add one more security layer to a web form submission.

Normally, when naming form elements, we choose a static, fixed name for each element.

In my technique, I hash the names of the form elements using dynamically salted values, so that the name of an element varies from one user to another!

Namely, I use a concatenation of the IP address, the user agent, and a fixed string as the salt for hashing the name of a form element.

This way, we greatly reduce the risk of someone tampering with our form!

Using the Code

Here is a PHP function that hashes a name of a form element using SHA1 and a dynamically salted string:

PHP
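function HashedFieldName($field) {
    // Fixed part of the salt
    $salt = 'hawom169';
    // The User-Agent header may be absent, so fall back to an empty string
    $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Dynamic salt: user agent + IP address + fixed string around the field name
    $fullSalt = $userAgent . getRealIpAddr() . $salt . $field . $salt;
    // Prefix with a letter so the resulting name always starts with one
    return 'A' . substr(sha1($fullSalt), 0, 20);
}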

The function getRealIpAddr() returns the user's IP address; I took it from https://gist.github.com/owcall/2928583.

Then, the function HashedFieldName($field) is used to name a form element like this:

PHP
<?php $namefield='username';?>
<input type="text" id="txtname" name="<?php echo(HashedFieldName($namefield)) ?>">

Looking carefully at the code, we see that I used a fixed value for the ID property of the text element; this way, we can easily access that element via JavaScript on the client side:

JavaScript
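function validateForm() {
    // Look the field up by its fixed id; the hashed name is not needed here
    var obj = document.getElementById('txtname');
    if (obj.value == '') {
        window.alert('You must enter your name');
        obj.focus();
        return false;
    }
    return true;
}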

To read the submitted form data on the server side, we can use code like this:

PHP
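// Escape the submitted value before echoing it back, to avoid reflected XSS
echo("Thank you " . htmlspecialchars($_POST[HashedFieldName($namefield)], ENT_QUOTES, 'UTF-8') . ", your registration is completed successfully!");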
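
A stricter variant of the same idea, as an added example that is not the author's code: the name is derived with HMAC-SHA256 from a server-side secret and a per-session random nonce instead of the IP address and user agent (values the client itself knows, and which can change between rendering and submitting the form), and the handler rejects any submission whose field names do not match. The function names, the secret and the sample POST arrays are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, not part of the original article.

// Derive a per-session field name. $secret stays on the server; $nonce is a
// random value stored in the user's session when the form is rendered.
function sessionFieldName(string $field, string $nonce, string $secret): string
{
    // Leading letter as in the article, followed by 20 hex characters.
    return 'A' . substr(hash_hmac('sha256', $nonce . '|' . $field, $secret), 0, 20);
}

// Map a submitted array back to logical field names.
// Returns null if an expected field is missing or an unknown field is present.
function decodeSubmission(array $post, array $fields, string $nonce, string $secret): ?array
{
    $decoded = [];
    foreach ($fields as $field) {
        $name = sessionFieldName($field, $nonce, $secret);
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return null; // stale form, different session, or altered request
        }
        $decoded[$field] = $post[$name];
        unset($post[$name]);
    }
    // Any key still left in $post was not part of the form we rendered.
    return $post === [] ? $decoded : null;
}

// --- Constructed demo values (placeholders, not real secrets) ---
$secret = 'replace-with-a-long-random-server-side-secret';
$nonce  = bin2hex(random_bytes(16)); // in a real page this lives in $_SESSION
$fields = ['username', 'email'];

// Case 1: the browser posts back the form it was served; decoding succeeds.
$post = [
    sessionFieldName('username', $nonce, $secret) => 'alice',
    sessionFieldName('email', $nonce, $secret)    => 'alice@example.test',
];
var_dump(decodeSubmission($post, $fields, $nonce, $secret));

// Case 2: a request built with static field names is rejected.
var_dump(decodeSubmission(['username' => 'bob', 'email' => 'b@example.test'], $fields, $nonce, $secret));

// Case 3: the same POST data checked against another session's nonce is rejected.
var_dump(decodeSubmission($post, $fields, bin2hex(random_bytes(16)), $secret));
```

Values returned by decodeSubmission() are still untrusted input and need the same validation and output escaping as any other POST data.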

What is Next?

In my next article, I am going to provide a complete solution that uses my technique: Preventing Resending by Refresh and Reducing the Need of Captcha.

Points of Interest

  • The example is provided in PHP, but the technique can obviously be used with any other technology such as .NET or Java.
  • The same technique can also be used for dynamically naming cookies (session cookies), which reduces the risk of cookie theft.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Mekki Ahmedi
Software Developer, Lecturer, University of Bisha, KSA
Sudan
Sudanese people are so peaceful; they have been affected greatly by the ban
