Home > A PHP form obfuscator; secure and spam free PHP forms

A PHP form obfuscator; secure and spam free PHP forms

https://github.com/Codingrecipes/PHPFormObfuscator

Example usage:

<?php
 
        session_start();
	require_once 'class_obfuscator.php';
 
	$form_fields = array('username', 'password', 'email');
	$obfuscator  = new Form_Obfuscator($form_fields);
	$obfuscator->set_secret_key('My Secret Key - ET8439FSKJ - EDIT THIS');
 
	if( empty($_POST) ) {
		$fields   = $obfuscator->obfuscate();
		$_SESSION['__enc_form__'] = $obfuscator->encode_form();
		?>
<form action="" method="post">
	Name:<br /><input type="text" name="<?php echo $fields['username']; ?>" /><br /><br />
   Password:<br /><input type="password" name="<?php echo $fields['password']; ?>" /><br /><br />
   Email:<br /><input type="email" name="<?php echo $fields['email']; ?>" /><br /><br />
   <input type="submit" />
</form>
      <?php
	} else {
		foreach ($_POST as $key => $value) $_POST[ $key ] = trim(strip_tags($value)); /* Filter input */
		$form = $obfuscator->decode_form($_SESSION['__enc_form__'], $_POST);
 
		foreach ($form as $key => $value) $form[ $key ] = htmlentities($value, ENT_QUOTES, 'utf-8'); /* Escape output */
		echo "Username: {$form['username']}<br />
				Password: {$form['password']}<br />
				Email: {$form['email']}";
	}
 
?>

This is a class I developed a while back while working on a project of mine and we already know that it’s very effective.

In order to understand what it does you need to first understand how a browser sends a POST request.
When a user submits a form, browser sends something like this to the server:

POST /somepage.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: THE LENGTH

username=blah&password=blah&email=some_email

There are 2 problems with this:

1 – Someone along the way can view the password and email address by looking at the packets that are going to the server. (take a look at Wireshark software)

2 – You can send automatic queries to servers, for example automated spam through contact forms works like this. (some spam software can also read Captcha images so you need more protection)

The class I developed will change this POST request to something like this:

POST /somepage.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: THE LENGTH

JDF8W9JHF=blah&OEROWF83=blah&VLKDSFOE=some_email

Note that the field names are changed to random strings, and they also change every time the form is shown, so:

1 – Even if a user in the middle can see the packets, he/she won’t know that OEROWF83 stands for “password”.

2 – A spam software won’t have a way of guessing the field names because they are random every time. There is also a secret encryption key which you only know what it is.

Questions and comments are welcome

Filed under: PHP,Security,Web Development Posted by: CodingRecipes

10 Comments »

jesusvld:

Excellent work!! thank you for share

Comment
chiefrunningnose:

Sounds like a good idea, but how the hell do you use it. Where do you put it. How do you link to it? I downloaded it expecting some comment/instructions but found none.

Comment
Codehead:

Hey, how much experience do you have with PHP?
I suggest that you take a look at the file “example.php” which is included in the ZIP file and see how it works.

Comment
KRD:

I can’t seem to get this working in a PHP4 environment. It works perfectly (nice work) in PHP5….any ideas on why it’s a no go in 4?

Comment
Codehead:

KRD, the main reason is this:
http://developers.slashdot.org/article.pl?sid=07/07/14/0646216

It’s because it uses PHP5′s member visibility keywords like public, private etc.

You can make it work with PHP4 if you replace all these keywords, you will have to replace the ones before member variables with “var” (no quotes) and delete the ones before methods.

Comment
Richard Kimber:

I’m testing this on my PC with PHP 5

I get an error:

Fatal error: Call to undefined function mcrypt_get_iv_size() in /home/psrwebs/PSR/search/class_obfuscator.php on line 80

Comment
Codehead:

Richard, you need this: http://us3.php.net/manual/en/book.mcrypt.php

Comment
Jon:

Sweet!

Comment
Jon:

Would it be of much use to have the secret key automatically change? like a unix date+rand0mCh@ract3rs
? or would this just be wasting time.. Reason I ask is this does good with obfuscating the input fields, but if the secret key that the generated field is based off of changes daily, the possibility of someone figuring out the fields decreases more, right? Or is this just pushing the lines of paranoia?

Comment
Fatih:

Thanks! you saved my time, I was about to write one. I guess I will change it a little

Comment

RSS feed for comments on this post. TrackBack URL

My name is Hamid Alipour and I'm an indie developer. More...
Contact Me
Downloads
- Tabs Plus - Awesome lightweight browser that will make it more convenient to be connected. With Facebook, Twitter and Gmail notifications. Tabs Plus also has built-in/super quick sharing and many more convenient features.
- ShareOver - This will change the way you share links and videos.
- Benchmark - A benchmarking utility for Mac OS X.
- RAM Optimizer - Automated memory optimization tool. You can get up to 2X faster app launch times using this app.
- DirectorySync - You can hit save and save your work in 3 places at the same time, all automated.
- PHPCache
- PHP form obfuscator
- PML - A Python template engine
- Simple Captcha Script
RSS Feed

Subscribe
Search

Search for:

CodingRecipes

A PHP form obfuscator; secure and spam free PHP forms

10 Comments »

Leave a comment

Downloads

RSS Feed

Search