Topic awaiting preservation: encrypt the vars behind the url in addressbar (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=12017" title="Pages that link to Topic awaiting preservation: encrypt the vars behind the url in addressbar (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: encrypt the vars behind the url in addressbar <span class="small">(Page 1 of 1)</span>\$

Bueromuenchen Bipolar (III) Inmate From: San Jose, CA Insane since: Nov 2000	posted 01-24-2002 18:36 hi there, this question might end up in a long thread... i'm doing a php site and using includes for the content. the links have two or three variables, telling my main script (index.php) and the includes what to do (e.g. ./index.php?page=home&subcat=security). it is obvious that users can enter new values for the vars, with the effect that an error message appears. that's ok for me, but i think it would be nice to encrypt those variables, so that visitors can not play around that easily. is there an "easy" way to achieve that. for example a routine in my header.inc include? i hope you understood what i mean, thy flo
Emperor Maniac (V) Mad Scientist with Finglongers From: Cell 53, East Wing Insane since: Jul 2001	posted 01-24-2002 19:10 Bueromuenchen: Do you really want to do that? I know as a user I much prefer seeing the URL and being able to edit it if I require. From your end you might want to do a few checks on ids being passed like !empty (to make sure it doesn't say some_id=) and is_numeric (to make sure it says some_id=3 not some_id=DELETE * ...) and the redirect people to an appropriate page so they aren't left staring at the page not found screen. Also create some custom error pages to pick up things that you've not allowed for in those tests. Hope that makes sense!! Emps With patience and saliva the ant swallows the elephant - Colombian proverb
bitdamaged Maniac (V) Mad Scientist From: 100101010011 <-- right about here Insane since: Mar 2000	posted 01-24-2002 19:15 You can use the md5 function to achieve this. Use it with some sort of string value though or it's easily decrypted. :[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:
jiblet Paranoid (IV) Inmate From: Minneapolis, MN, USA Insane since: May 2000	posted 01-24-2002 21:30 If users are changing variables in the URL, they are not going to be put off by an error message. People can type in any URL they want, and if it doesn't make sense then they expect to get an error message. If you really want to say something meaningful, check the values in the beginning of the script and if they don't match your criteria print a meaningful message to the browser such as "You dirty rascal, you know you aren't supposed to mess with the URL, but you did anyway, so now you're screwed" or perhaps something less antagonistic in case it's caused by an error in your script Seriously though, just make sure you aren't introducing security holes by letting them set variables that could cause your script to do unforeseen things (e.g. any variable used in an include() statement must be validated, otherwise something like a simple file upload form anywhere on the site could give crackers access to whatever your Apache user has access to). -jiblet
butcher Paranoid (IV) Inmate From: New Jersey, USA Insane since: Oct 2000	posted 01-25-2002 00:19 Sorry for the empty post. I hit the reply button before completely reading through all the replies. Upon checking I realized that I said much the same thing as jiblit, only not as well! Sorry [This message has been edited by butcher (edited 01-25-2002).]
Bueromuenchen Bipolar (III) Inmate From: San Jose, CA Insane since: Nov 2000	posted 01-26-2002 21:58 thanks for the input! let's assume i would use the md5 function: i would have cryptic stuff behind my .php in the address bar. as i understand, i will then have to check this code against all (lets say 30) possible combinations of my vars. md5 might therefor not be the right thing??? confused thx flo aka "7e1e91156f7c4e1bd0831cf008ad5fdf"
Bueromuenchen Bipolar (III) Inmate From: San Jose, CA Insane since: Nov 2000	posted 01-29-2002 11:58 to slove my problem with the vars: would it make sense to put all the links inside a form with post to hide the vars? and how would i make that? what would one link look like then? thx
laggor Obsessive-Compulsive (I) Inmate From: ..san diego..ca..usa.. Insane since: Feb 2002	posted 02-03-2002 20:44 how would the link run off the form?

Topic awaiting preservation: encrypt the vars behind the url in addressbar (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=12017" title="Pages that link to Topic awaiting preservation: encrypt the vars behind the url in addressbar (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: encrypt the vars behind the url in addressbar <span class="small">(Page 1 of 1)</span>\$

Bueromuenchen
Bipolar (III) Inmate

From: San Jose, CA
Insane since: Nov 2000

posted 01-24-2002 18:36

hi there,
this question might end up in a long thread...

i'm doing a php site and using includes for the content.
the links have two or three variables, telling my main script (index.php) and the
includes what to do (e.g. ./index.php?page=home&subcat=security).
it is obvious that users can enter new values for the vars, with the effect
that an error message appears.

that's ok for me,
but i think it would be nice to encrypt those variables, so that visitors can not play around
that easily. is there an "easy" way to achieve that.
for example a routine in my header.inc include?

i hope you understood what i mean,

thy
flo

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 01-24-2002 19:10

Bueromuenchen: Do you really want to do that? I know as a user I much prefer seeing the URL and being able to edit it if I require. From your end you might want to do a few checks on ids being passed like !empty (to make sure it doesn't say some_id=) and is_numeric (to make sure it says some_id=3 not some_id=DELETE * ...) and the redirect people to an appropriate page so they aren't left staring at the page not found screen. Also create some custom error pages to pick up things that you've not allowed for in those tests.

Hope that makes sense!!

Emps

With patience and saliva the ant swallows the elephant - Colombian proverb

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 01-24-2002 19:15

You can use the md5 function to achieve this. Use it with some sort of string value though or it's easily decrypted.

:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

jiblet
Paranoid (IV) Inmate

From: Minneapolis, MN, USA
Insane since: May 2000

posted 01-24-2002 21:30

If users are changing variables in the URL, they are not going to be put off by an error message. People can type in any URL they want, and if it doesn't make sense then they expect to get an error message. If you really want to say something meaningful, check the values in the beginning of the script and if they don't match your criteria print a meaningful message to the browser such as "You dirty rascal, you know you aren't supposed to mess with the URL, but you did anyway, so now you're screwed" or perhaps something less antagonistic in case it's caused by an error in your script

Seriously though, just make sure you aren't introducing security holes by letting them set variables that could cause your script to do unforeseen things (e.g. any variable used in an include() statement must be validated, otherwise something like a simple file upload form anywhere on the site could give crackers access to whatever your Apache user has access to).

-jiblet

butcher
Paranoid (IV) Inmate

From: New Jersey, USA
Insane since: Oct 2000

posted 01-25-2002 00:19

Sorry for the empty post.

I hit the reply button before completely reading through all the replies. Upon checking I realized that I said much the same thing as jiblit, only not as well!

Sorry

[This message has been edited by butcher (edited 01-25-2002).]

Bueromuenchen
Bipolar (III) Inmate

From: San Jose, CA
Insane since: Nov 2000

posted 01-26-2002 21:58

thanks for the input!
let's assume i would use the md5 function:
i would have cryptic stuff behind my .php in the address bar.
as i understand, i will then have to check this code against all
(lets say 30) possible combinations of my vars.

md5 might therefor not be the right thing???

confused thx
flo
aka "7e1e91156f7c4e1bd0831cf008ad5fdf"

Bueromuenchen
Bipolar (III) Inmate

From: San Jose, CA
Insane since: Nov 2000

posted 01-29-2002 11:58

to slove my problem with the vars:
would it make sense to put all the links inside a form with post to hide the vars?
and how would i make that?
what would one link look like then?

thx

laggor
Obsessive-Compulsive (I) Inmate

From: ..san diego..ca..usa..
Insane since: Feb 2002

posted 02-03-2002 20:44

how would the link run off the form?