2017 © Pedro Peláez
 

library query-signer

Creates a control hash for specified $_GET params and validates them

thscz/query-signer

  • Sunday, April 15, 2018
  • by michalsemelka
  • Repository
  • 0 Watchers
  • 0 Stars
  • 4 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 0 Forks
  • 0 Open issues
  • 2 Versions
  • 0 % Grown

The README.md

Creates a control hash from values and validates them

This tool was created as part of my learning and playing with PHP OOP, Composer and PHPUnit.

Usage

```bash
composer require thscz/query-signer
```

Sign

For example, in the file orders.php the user wants to sign the "id" value (45623).

```php
require_once 'vendor/autoload.php';

// ...
// <a href="/order/45623">Order detail</a>

$querySigner = new \THSCZ\QuerySigner\QuerySigner('supersecrtet');
$hash = $querySigner->sign([45623]);

echo '<a href="/order/45623/&hash='. $hash .'">Order detail</a>';
```

Validate

On the validation page:

```php
// /order/45623/&hash=xxx
require_once 'vendor/autoload.php';

$hash = filter_input(INPUT_GET, 'hash');
$orderId = filter_input(INPUT_GET, 'orderId');

$querySigner = new \THSCZ\QuerySigner\QuerySigner('supersecrtet');

if ($querySigner->validate([$orderId])) {
    // approved
} else {
    // denied
}
```

Usage with expiration store

You can create a hash with a TTL (time to live) in seconds. For this option you have to use an expiration store that implements ExpirationStoreInterface and records which hash has which expiration.

```php
interface ExpirationStoreInterface {

    /**
     * @param $hash string created by QuerySigner
     * @param $timestamp integer UNIX timestamp value when hash expires
     * @throws ExpirationStoreException
     */
    public function set(string $hash, int $timestamp): void;

    /**
     * @return integer|null UNIX timestamp value when hash expires
     * @throws ExpirationStoreException
     */
    public function get(string $hash): ?int;

    /**
     * Deletes expiration information for hash
     * @param $hash string created by QuerySigner
     * @throws ExpirationStoreException
     */
    public function revoke(string $hash): void;

}
```
This package comes with a very simple FileExpirationStore that stores the expiration value on the file system. The expiration store is the second parameter of the QuerySigner class.

```php
require_once 'vendor/autoload.php';

// ...
// <a href="/order/45623">Order detail</a>

$querySigner = new \THSCZ\QuerySigner\QuerySigner('supersecrtet', new \THSCZ\QuerySigner\Store\FileExpirationStore(__DIR__ . '/var/signs'));
// hash is now valid for current UNIX timestamp + 60 seconds
$hash = $querySigner->sign([45623], 60);

echo '<a href="/order/45623/&hash='. $hash .'">Order detail</a>';
```

The idea for this little tool came to my mind when I was working on some exotic 3rd-party system that was unable to validate that an item really belonged to the signed-in user.
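
The sign, validate and TTL flow described above, written out as an added example that is not taken from thscz/query-signer. It assumes HMAC-SHA256 and goes beyond the README by carrying the expiry inside the signed token instead of in an expiration store; the function names canonicalize(), signValues() and validateValues() and all sample values are hypothetical.

```php
<?php
// Added example, not thscz/query-signer's code. HMAC-SHA256, the token layout
// and the function names below are assumptions made for illustration.

function canonicalize(array $values, int $expires): string
{
    // Length-prefix each value so ['ab', 'c'] and ['a', 'bc'] sign differently.
    $out = $expires . ';';
    foreach ($values as $v) {
        $v = (string) $v;
        $out .= strlen($v) . ':' . $v . ';';
    }
    return $out;
}

function signValues(string $secret, array $values, int $ttl, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $mac = hash_hmac('sha256', canonicalize($values, $expires), $secret);
    // The expiry travels with the MAC and is itself covered by it.
    return $expires . '.' . $mac;
}

function validateValues(string $secret, array $values, $token, ?int $now = null): bool
{
    // filter_input() yields null or false for a missing parameter: reject early.
    if (!is_string($token) || !preg_match('/^(\d{1,10})\.([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $expires = (int) $m[1];
    $expected = hash_hmac('sha256', canonicalize($values, $expires), $secret);
    // hash_equals() compares in constant time; verify the MAC before trusting $expires.
    if (!hash_equals($expected, $m[2])) {
        return false;
    }
    return ($now ?? time()) <= $expires;
}

// Constructed sample: the key, order ids and clock values are made up for the demo.
$secret = 'constructed-demo-key';
$token  = signValues($secret, [45623], 60, 1700000000);

var_dump(validateValues($secret, [45623], $token, 1700000030)); // inside the TTL
var_dump(validateValues($secret, [45624], $token, 1700000030)); // different order id
var_dump(validateValues($secret, [45623], $token, 1700000061)); // past the TTL
var_dump(validateValues($secret, [45623], null,   1700000030)); // hash parameter missing
```

Unlike a store-backed TTL, a token built this way cannot be revoked before it expires.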

The Versions

15/04 2018

dev-master

9999999-dev


MIT

The Requires

  • php ^5.6 || ^7.0

 

The Development Requires

by Michal Semelka

url security query validate sign

15/04 2018

1.0.0

1.0.0.0


MIT

The Requires

  • php ^5.6 || ^7.0

 

The Development Requires

by Michal Semelka

url security query validate sign