Source-Code: /secapp/mitigation/index.php
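<?php
/*
 * Demo page: protects the hidden form field "PersonenTyp" against client-side
 * tampering by shipping an HMAC-SHA256 tag next to it ("PersonenTyp_HMAC") and
 * re-computing that tag when the form comes back.
 *
 * Flow:
 *   - no "action" request parameter -> render the form with value + tag
 *   - "action" present              -> dump the received POST data and verify the tag
 *
 * Review notes:
 *   - The tag covers only the field value. It is not bound to a session, a user
 *     or a form instance, so a value/tag pair that verified once verifies on
 *     every later request. Where the value must not be chosen by the client at
 *     all, keep it in server-side session state instead of a hidden field.
 *   - "Vorname" and "Nachname" are not covered by the tag and stay untrusted.
 */
include "../header.php";
include "../menu.php";

// Single definition of the HMAC key so the issuing and the verifying branch
// cannot drift apart. NOTE(review): a key hard-coded in a web-served source file
// is only acceptable for a demo; in a real deployment load it from
// configuration that is kept outside the document root and version control.
$personentyp_hmac_key = "my Secret Key for HMAC";
?>
<div id="content">
<h2>Demo-Formular (Hidden Form Field "PersonenTyp")</h2>
<div class="articles">
<?php
if (!isset($_REQUEST['action']))
{
    // Server-chosen value and its tag; both are escaped on output below.
    $typ = "Student";
    $typ_hmac = hash_hmac("sha256", $typ, $personentyp_hmac_key, false);
?>
<form action="" method="post" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="action" value="submit"/>
<label for="Vorname">Vorname:</label>
<input name="Vorname" type="text" value="" size="30"/><br/>
<label for="Nachname">Nachname:</label>
<input name="Nachname" type="text" value="" size="30"/><br/>
<input name="PersonenTyp" type="hidden" value="<?php print(htmlspecialchars($typ, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));?>"/>
<input name="PersonenTyp_HMAC" type="hidden" value="<?php print(htmlspecialchars($typ_hmac, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));?>"/>
<label for="Senden"> </label>
<input type="submit" name="Senden" value="absenden"/>
</form>
<?php
} else {
?>
Folgende HTTP POST Parameter wurden empfangen:<br/> <br/><pre>
<?php
    // The POST data is attacker-controlled; escape the dump so that submitted
    // markup is displayed as text instead of being interpreted by the browser.
    print(htmlspecialchars(print_r($_POST, true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));

    // "action" may arrive via GET (it is read from $_REQUEST), and a client can
    // send array-valued fields ("PersonenTyp[]=x"). Anything that is not a
    // plain string is treated as a failed check instead of raising an error.
    $typ = isset($_POST["PersonenTyp"]) ? $_POST["PersonenTyp"] : null;
    $typ_hmac = isset($_POST["PersonenTyp_HMAC"]) ? $_POST["PersonenTyp_HMAC"] : null;

    $hmac_valid = false;
    if (is_string($typ) && is_string($typ_hmac)) {
        $typ_hmac_calc = hash_hmac("sha256", $typ, $personentyp_hmac_key, false);
        // hash_equals() compares in constant time; "===" on strings can leak,
        // through timing, how many leading characters of a guessed tag match.
        $hmac_valid = hash_equals($typ_hmac_calc, $typ_hmac);
    }

    if ($hmac_valid) {
        $Check = "HMAC-Check OK, Hidden-Form-Field trusted!";
    } else {
        $Check = "HMAC-Check fehlgeschlagen, Hidden-Form-Field wurde modifiziert!";
    }
?>
</pre><br/>
<h2><?php print($Check); ?></h2>
<a href="<?php print(htmlspecialchars(dirname($_SERVER['SCRIPT_NAME']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')); ?>">zurück</a>
<?php
}
?>
</div>
</div>
<?php
include "../footer.php";
?>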