2
從http://fullthrottledevelopment.com/php-nonce-library#download,有一個PHP隨機數庫,但有一些我不明白的東西。第一個是它提醒我們爲FT_NONCE_UNIQUE_KEY設置一個值,但它從未在任何函數中使用它。這個PHP隨機數庫如何工作?
第二件事是,當我呼叫ft_nonce_create_query_string函數時,等待幾秒鐘,然後用相同的參數再次調用它,兩個調用返回相同的值。這很奇怪,我真的不明白如何確保它產生的每個隨機數,隨機數在FT_NONCE_DURATION指定的時間內有效。
但是如果我在第二次調用之前等待更長的時間,它們將返回不同的值。我粘貼了代碼here,以便您可以嘗試直接運行它。
這是爲什麼?它應該如何工作?
<?php
/*
* Name: FT-NONCE-LIB
* Created By: Full Throttle Development, LLC (http://fullthrottledevelopment.com)
* Created On: July 2009
* Last Modified On: August 12, 2009
* Last Modified By: Glenn Ansley ([email protected])
* Version: 0.2
*/
/*
Copyright 2009 Full Throttle Development, LLC
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
define('FT_NONCE_UNIQUE_KEY' , '');
define('FT_NONCE_DURATION' , 300); // 300 makes link or form good for 5 minutes from time of generation
define('FT_NONCE_KEY' , '_nonce');
// This method creates a key/value pair for a url string
function ft_nonce_create_query_string($action = '' , $user = ''){
return FT_NONCE_KEY."=".ft_nonce_create($action , $user);
}
// This method creates an nonce for a form field
function ft_nonce_create_form_input($action = '' , $user=''){
echo "<input type='hidden' name='".FT_NONCE_KEY."' value='".ft_nonce_create($action . $user)."' />";
}
// This method creates an nonce. It should be called by one of the previous two functions.
function ft_nonce_create($action = '' , $user=''){
return substr(ft_nonce_generate_hash($action . $user), -12, 10);
}
// This method validates an nonce
function ft_nonce_is_valid($nonce , $action = '' , $user=''){
// Nonce generated 0-12 hours ago
if (substr(ft_nonce_generate_hash($action . $user), -12, 10) == $nonce){
return true;
}
return false;
}
// This method generates the nonce timestamp
function ft_nonce_generate_hash($action='' , $user=''){
$i = ceil(time()/(FT_NONCE_DURATION/2));
return md5($i . $action . $user . $action);
}
if (FT_NONCE_UNIQUE_KEY == ''){ die('You must enter a unique key on line 2 of ft_nonce_lib.php to use this library.'); }
?>
我想我現在明白了爲什麼它返回相同的值,因爲它必須這樣做,這對我們來說是有效的。但另一方面,這種行爲會使每個函數調用返回的隨機數值具有可變的持續時間長度? – bobo 2009-11-25 10:32:47
儘管其持續時間現在設置爲5分鐘,但從ft_nonce_create_query_string()函數返回的nonce值在5分鐘內可能並不真正有效。如果在下一個時間間隔前1分鐘被調用,那麼它僅在1分鐘內有效?我的想法是否正確? – bobo 2009-11-25 10:49:28