sandpiper/utilities/comment_key.php

<?php
/***********************************************
 * Comment Key Generation System
 ***********************************************
 * By Starbeamrainbowlabs <feedback@starbeamrainbowlabs.com>
 *
 * A set of functions to protect low-value comment boxes, contact us 
 * forms, etc. from spam.
 *
 * It works by recording the time the page the form is on was loaded, 
 * and then checking to make sure that it was loaded for at least 
 * 10 - 15 seconds, and not more than 24 hours.
 *
 * This is done by taking the current UNIX timestamp, running it through 
 * a number of (arbitrary) reversible transformations, and then 
 * embedding it in the form as a hidden field. When the form is 
 * submitted, the transformations are reversed and the time the page 
 * was loaded checked.
 *
 * Note that this is not suitable for high-value targets, as it can very
 * easily be bypassed and reverse-engineered by any determined human.
 *
 ***********************************************
 * Changelog:
	* 30th January 2018:
		* Initial Release.
 */

/**
 * Generates a new comment key.
 * Note that the 'encryption' used is not secure - it's just simple XOR!
 * It's mainly to better support verification in complex setups and 
 * serve as a nother annoying hurdle for spammers.
 * TODO: Swap out the XOR for openssl AES symmetric encryption
 * @param  string $pass The password to transform it with. Should be a pre-selected random string.
 * @return string       A new comment key stamped at the current time.
 */
function key_generate($pass) {
	$new_key = strval(time());
	// Repeat the key so that it's long enough to XOR the key with
	$pass_enc = str_repeat($pass, (strlen($new_key) / strlen($pass)) + 1);
	$new_key = $new_key ^ $pass_enc;
	return base64_encode(strrev($new_key));
}
/**
 * Decodes the given key.
 * @param  string $key  The key to decode.
 * @param  string $pass The password to decode it with.
 * @return int			The time that the key was generated.
 */
function key_decode($key, $pass) {
	$key_dec = strrev(base64_decode($key));
	// Repeat the key so that it's long enough to XOR the key with
	$pass_dec = str_repeat($pass, (strlen($key_dec) / strlen($pass)) + 1);
	return intval($key_dec ^ $pass_dec);
}
/**
 * Verifies a key.
 * @param	string	$key		The key to decode and verify.
 * @param	string	$pass		The password to decode the key with.
 * @param	int		$min_age	The minimum required age for the key.
 * @param	int		$max_age	The maximum allowed age for the key.
 * @return	bool				Whether the key is valid or not.
 */
function key_verify($key, $pass, $min_age, $max_age) {
	$age = time() - key_decode($key, $pass);
	return $age >= $min_age && $age <= $max_age;
}
Erm I really think I ought to commit this to git naow :P 2018-03-05 18:03:34 +00:00			`<?php`
			`/***********************************************`
			`* Comment Key Generation System`
			`***********************************************`
			`* By Starbeamrainbowlabs <feedback@starbeamrainbowlabs.com>`
			`*`
			`* A set of functions to protect low-value comment boxes, contact us`
			`* forms, etc. from spam.`
			`*`
			`* It works by recording the time the page the form is on was loaded,`
			`* and then checking to make sure that it was loaded for at least`
			`* 10 - 15 seconds, and not more than 24 hours.`
			`*`
			`* This is done by taking the current UNIX timestamp, running it through`
			`* a number of (arbitrary) reversible transformations, and then`
			`* embedding it in the form as a hidden field. When the form is`
			`* submitted, the transformations are reversed and the time the page`
			`* was loaded checked.`
			`*`
			`* Note that this is not suitable for high-value targets, as it can very`
			`* easily be bypassed and reverse-engineered by any determined human.`
			`*`
			`***********************************************`
			`* Changelog:`
			`* 30th January 2018:`
			`* Initial Release.`
			`*/`

			`/**`
			`* Generates a new comment key.`
			`* Note that the 'encryption' used is not secure - it's just simple XOR!`
			`* It's mainly to better support verification in complex setups and`
			`* serve as a nother annoying hurdle for spammers.`
			`* TODO: Swap out the XOR for openssl AES symmetric encryption`
			`* @param string $pass The password to transform it with. Should be a pre-selected random string.`
			`* @return string A new comment key stamped at the current time.`
			`*/`
			`function key_generate($pass) {`
			`$new_key = strval(time());`
			`// Repeat the key so that it's long enough to XOR the key with`
			`$pass_enc = str_repeat($pass, (strlen($new_key) / strlen($pass)) + 1);`
			`$new_key = $new_key ^ $pass_enc;`
			`return base64_encode(strrev($new_key));`
			`}`
			`/**`
			`* Decodes the given key.`
			`* @param string $key The key to decode.`
			`* @param string $pass The password to decode it with.`
			`* @return int The time that the key was generated.`
			`*/`
			`function key_decode($key, $pass) {`
			`$key_dec = strrev(base64_decode($key));`
			`// Repeat the key so that it's long enough to XOR the key with`
			`$pass_dec = str_repeat($pass, (strlen($key_dec) / strlen($pass)) + 1);`
			`return intval($key_dec ^ $pass_dec);`
			`}`
			`/**`
			`* Verifies a key.`
			`* @param string $key The key to decode and verify.`
			`* @param string $pass The password to decode the key with.`
			`* @param int $min_age The minimum required age for the key.`
			`* @param int $max_age The maximum allowed age for the key.`
			`* @return bool Whether the key is valid or not.`
			`*/`
			`function key_verify($key, $pass, $min_age, $max_age) {`
			`$age = time() - key_decode($key, $pass);`
			`return $age >= $min_age && $age <= $max_age;`
			`}`