Topic awaiting preservation: encrypt the vars behind the url in addressbar

hi there,
this question might end up in a long thread...

i'm doing a php site and using includes for the content.
the links have two or three variables, telling my main script (index.php) and the
includes what to do (e.g. ./index.php?page=home&subcat=security).
it is obvious that users can enter new values for the vars, with the effect
that an error message appears.

that's ok for me,
but i think it would be nice to encrypt those variables, so that visitors can not play around
that easily. is there an "easy" way to achieve that.
for example a routine in my header.inc include?

i hope you understood what i mean,

thy
flo

Bueromuenchen: Do you really want to do that? I know as a user I much prefer seeing the URL and being able to edit it if I require. From your end you might want to do a few checks on ids being passed like !empty (to make sure it doesn't say some_id=) and is_numeric (to make sure it says some_id=3 not some_id=DELETE * ...) and the redirect people to an appropriate page so they aren't left staring at the page not found screen. Also create some custom error pages to pick up things that you've not allowed for in those tests.

Hope that makes sense!!

Emps


With patience and saliva the ant swallows the elephant - Colombian proverb

You can use the md5 function to achieve this. Use it with some sort of string value though or it's easily decrypted.



:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

If users are changing variables in the URL, they are not going to be put off by an error message. People can type in any URL they want, and if it doesn't make sense then they expect to get an error message. If you really want to say something meaningful, check the values in the beginning of the script and if they don't match your criteria print a meaningful message to the browser such as "You dirty rascal, you know you aren't supposed to mess with the URL, but you did anyway, so now you're screwed" or perhaps something less antagonistic in case it's caused by an error in your script

Seriously though, just make sure you aren't introducing security holes by letting them set variables that could cause your script to do unforeseen things (e.g. any variable used in an include() statement must be validated, otherwise something like a simple file upload form anywhere on the site could give crackers access to whatever your Apache user has access to).

-jiblet

Sorry for the empty post.

I hit the reply button before completely reading through all the replies. Upon checking I realized that I said much the same thing as jiblit, only not as well!

Sorry

[This message has been edited by butcher (edited 01-25-2002).]

thanks for the input!
let's assume i would use the md5 function:
i would have cryptic stuff behind my .php in the address bar.
as i understand, i will then have to check this code against all
(lets say 30) possible combinations of my vars.

md5 might therefor not be the right thing???

confused thx
flo
aka "7e1e91156f7c4e1bd0831cf008ad5fdf"

to slove my problem with the vars:
would it make sense to put all the links inside a form with post to hide the vars?
and how would i make that?
what would one link look like then?

thx

how would the link run off the form?