javascriptphpjqueryposthmacsha256

The value of hash_hmac sha256 has different value using different post procedures


I made two ways of requesting a POST. Method 1 is submitting the form to the server. Method 2 is using Jquery $.post.

<!--METHOD 1-->
<form method="POST" action="postmanTest.php" id="#myform">

  <input type="hidden" id ="bodyv" name="bodyv" value="aaab">

  <input type="hidden" id ="time" name="time">
  <input type="submit" value="Submit Now" id="btn2" name="submit" onclick="stringify()">
   
</form>

<button id = "btn3">Set TIme</button>


<script>

  //---METHOD 2---
  $("#btn2").click(function(){

    stringify();
    
    $bodyv=$("#bodyv").val();


    
    $.post("postmanTest.php",
      {bodyv:$bodyv},
      function(data,status){
        alert(data);
      }
    )

  })

  //---SET TIME---
  $("#btn3").click(function(){

    document.getElementsByName('time')[0].value = new Date().getTime();

  })
  
</script>

The stringify function

<script type="text/javascript">


function stringify(){



  let time = document.getElementsByName('time')[0].value;

  let body = {
      "data": {
        // "scheduleAt": "2022-04-01T14:30:00.00Z", // optional
          "serviceType": "MOTORCYCLE",
          //"specialRequests": ["TOLL_FEE_10"], // optional
          "specialRequests": ["CASH_ON_DELIVERY"], // optional
          "language": "en_PH",
          "stops": [
            {
                "coordinates": {
                      "lat": "0",
                      "lng": "0"
                  },
                  "address": "Innocentre, 72 Tat Chee Ave, Kowloon Tong"
            },
            {
                "coordinates": {
                      "lat": "0",
                      "lng": "0"
                  },
                  "address": "Canton Rd, Tsim Sha Tsui"
            }
          ],
          "isRouteOptimized": false, // optional only for quotations
          "item":{
                "quantity":"12",
                "weight":"LESS_THAN_3_KG",
                "categories":[
                  "FOOD_DELIVERY",
                  "OFFICE_ITEM"
                ],
                "handlingInstructions":[
                  "KEEP_UPRIGHT"
                ]
        },
      }
  };

  body = JSON.stringify(body);

  document.getElementsByName('bodyv')[0].value = `${time.toString()}\r\nPOST\r\n/v3/quotations\r\n\r\n${body}`;


  
}

The server side PHP code accepts the variables and applies hash_hmac sha256 to the bodyv variable

 <?php


 $bodyVar = $_POST['bodyv'];



 $secret = "mysecretkey";

 $sig = hash_hmac('sha256', $bodyVar, $secret);


 echo $sig;

Method 1 and method 2 produce different values for $sig = hash_hmac('sha256', $bodyVar, $secret). Why is this happening? Method 1 is the correct hash value.


Solution

  • After researching, I saw you are using \r\n to set $bodyv data. And when you get that data with $bodyv = $("#bodyv").val() the \r is stripped. That´s because val() strips carriage return chars as explained here. You could change to $bodyv = $("#bodyv")[0].value;` and it will work as expected

    Edited to match the correct answer