I recently had to transpose a PHP script over to Ruby for inclusion in an app I’m building, and in doing so I discovered a “fun” quirk.
The script is used to retrieve tracking information. Part of the authentication routine is the generation of a SHA1 hash consisting of vendor_id + vendor_key + customer_order_number which is passed in with the request.
Pretty typical, right?
Well, in this case, part of the vendor key looked something like this: “kK[))6U>$W&}Y{Sm” (PHP people, see any issues with this string?)
$key = "kK[))6U>$W&}Y{Sm"; echo $key; "kK[))6U>&}Y{Sm"
The answer is that PHP interprets $ as the beginning of a variable name, so in this string the $W is actually treated as a variable. Because $W isn’t defined anywhere, it is simply omitted, so that part of the key is rendered as “kK[))6U>&}Y{Sm” without the $W.
This wasn’t caught by the service because they are also using PHP and when they create the SHA1 hash on their end for verification, the $W is also omitted and everything matches up.
Fast forward to me sending the request via Ruby, which treats $W just like regular characters, so my hash doesn’t match and the request fails.
It took me a few to sort out what was going on, eventually I just put print/echo statements line by line in both scripts to see what was going on and that’s when I noticed the PHP rendered key was a few characters short!
Also, I’m sure this is purely coincidental, but I bet that there are other vendor keys that have hidden PHP variables in them. As long as they stick to using PHP, it’ll work…
TL;DR: If you are going to generate keys, stick to alphanumerics please! Ain’t nobody got time to figure out if your fancy key contains hidden variable syntax in the myriad of popular languages.