Validating web site form field with encrypted information


Tonyd7

1:18 am on Aug 16, 2007 (gmt 0)

10+ Year Member



I am developing a web site that is for a promotions company. The company will be handing out 40,000 flyers, each with a unique six digit code on it.

The person that receives a flyer will go to the web site and enter their six digit code. If their six digit code matches the winning six digit code (that only I know), then they will win a prize.

I know how to do everything so far (HTML form, parsing the form, checking their code against my code), but I don't know how to hide the winning six digit code in my Perl script. I need to prevent someone from viewing my script and finding out the winning code.

I am looking for suggestions on how to hide the winning code from hackers...

Thanks,

Tony

zCat

3:15 am on Aug 16, 2007 (gmt 0)

10+ Year Member



Unless your server is set up very badly, no-one should be able to view the script source anyway.

perl_diver

3:56 am on Aug 16, 2007 (gmt 0)

10+ Year Member



Put the winning number in a separate file or a database. A database would be best. Even if you use encryption, you will have to include the salt in your script to validate the number. While that will be harder to decipher than if you just put the winning number in your script, it will not be fool-proof. A person could potentially see the encrypted code in a file, then see the encryption method and the salt in the script and write a small program to find out which six digit combination returns the encrypted string using that salt. It would be fairly easy to crack if they could see the encoded string and the salt. But "fairly easy" is still very difficult for the average person, if not impossible.
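The point perl_diver makes about the salted hash being crackable is worth seeing in running code. The Perl below is an added example for this thread, not code from any poster: it stores only a salted SHA-256 of the winning code, validates a submitted code against that hash with a constant-time comparison, and then plays the attacker who has read both the hash and the salt and simply tries all 1,000,000 six-digit codes. The salt `k7Q2x9Lp` and the winning code `482915` are constructed for the demonstration; in a real deployment the salt and hash would be loaded from a file outside the web root or from a database rather than assigned in the script.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module since Perl 5.9.3

# Constructed values for the example. In production these would be read from
# a file outside the document root (or a database), never hard-coded here.
my $salt        = 'k7Q2x9Lp';
my $stored_hash = sha256_hex($salt . '482915');   # hash of the winning code

# Validate a submitted code against the stored salted hash. The comparison
# touches every byte so timing does not reveal how many leading hex digits
# of the hash matched.
sub code_is_winner {
    my ($submitted, $salt, $stored) = @_;
    return 0 unless defined $submitted && $submitted =~ /\A\d{6}\z/;
    my $candidate = sha256_hex($salt . $submitted);
    return 0 unless length($candidate) == length($stored);
    my $diff = 0;
    $diff |= ord(substr($candidate, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

# Attacker's view: with the hash and the salt in hand, the whole key space
# is only 10^6 candidates, so the winning code falls out in seconds.
sub recover_code {
    my ($salt, $stored) = @_;
    for my $n (0 .. 999_999) {
        my $guess = sprintf '%06d', $n;
        return $guess if sha256_hex($salt . $guess) eq $stored;
    }
    return undef;
}

print "000000 wins? ", code_is_winner('000000', $salt, $stored_hash), "\n";
print "482915 wins? ", code_is_winner('482915', $salt, $stored_hash), "\n";

my $t0    = time;
my $found = recover_code($salt, $stored_hash);
printf "brute force recovered %s in %d second(s)\n", $found // 'nothing', time - $t0;
```

Because the code space is so small, no choice of hash function or salt changes the outcome once an attacker can read the stored hash and the salt; the only real protection is keeping those two values where the web server cannot serve them and the script's file permissions allow only the web user to read them.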

perl_diver

4:00 am on Aug 16, 2007 (gmt 0)

10+ Year Member



Unless your server is set up very badly, no-one should be able to view the script source anyway.

I totally agree with that. But to be safe put the winning code in a database or in a file that does not have web access (above root).