I am going to protect the data an user enters in a forum using a hash value. I referenced to the following:
$hex = bin2hex(random_bytes(32));
$split = str_split($hex, 2);
array_unshift($split, '');
$secret = implode('\\x', $split), "
";
$id = 12345;
$hash = hash_hmac('sha256', $id, $secret);
source: owasp.org
It then states that this hash value can be passed along with the ID in the URL and can be verified like this in a different PHP script:
$secret = 'hash';
$id = $_REQUEST["id"]; //in this case the value is 12345
if (hash_equals(hash_hmac('sha256', $id, $secret), $_REQUEST["hash"])) {
//no tampering detected, proceed with other processing
} else {
//tampering of data detected
}
However, how have they passed the $secret variable to the different PHP script? I assume adding it to the url would completely defeat the purpose of the protection.