How do I encrypt a query string?
I need to encrypt a querystring in an ASP page so that my user, for example, does not see what variables are being passed from page to page. I am unable, unfortunately, to use hidden fields to pass them, so I need to figure out another way. Either an encryption method would be nice, or another way to fake the URL by placing another URL in the querystring while the actual querystring is hidden from the user's view. Ideas?
ASKER
That's fine, but I'm using classic ASP and can't use .NET. Any other ideas?
Don't use a query string. Use a database and save the string into the database and only pass the database ID that has the string in it. Then when you get to the page that has the ID in the URL you just look up the data for that ID, or just use a form post.
Ahh right sorry.
Have a look at http://classicasp.aspfaq.com/general/can-i-perform-simple-encryption/decryption-in-asp.html
ASKER
Using the database ID seems to be the simplest solution here, but perhaps I'm not getting something, because it still seems that if you pass the database ID in the querystring, you can still type in, for example, ?transactionid=4 or ?transactionid=6 and will still be able to pull up another person's transaction. Am I missing something here?
If you are running something with user transactions, e.g. e-commerce, then the approach of using just querystrings to identify users is totally wrong, I'm afraid. You really need to look at using Sessions.
Sessions will work well unless it is a URL that is used outside of the session (can be bookmarked, can be sent in emails, etc.); then the database would be the way to go. For security purposes you can make sure to store the data in the database WITH a User ID to make sure only that user can access that data.
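The ownership check suggested above, written out for classic ASP as an added example (it is not code from any poster in this thread). It assumes a hypothetical `Transactions` table with `TransactionID`, `UserID` and `Amount` columns, a connection string in `Application("ConnString")`, and a numeric `Session("UserID")` set at login.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. Hypothetical names: Transactions table (TransactionID,
' UserID, Amount), Application("ConnString"), Session("UserID") set at login.
Const adCmdText = 1, adInteger = 3, adParamInput = 1

Sub Deny(status)
    Response.Status = status
    Response.End
End Sub

Dim re, rawId, conn, cmd, rs

' No authenticated session: refuse before touching the database.
If IsEmpty(Session("UserID")) Then Deny "401 Unauthorized"

' Accept only 1-9 decimal digits (IsNumeric would also accept "1e3" or "&H10").
rawId = Trim(Request.QueryString("transactionid") & "")
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then Deny "400 Bad Request"

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

' The row must match BOTH the requested ID and the logged-in user, so
' editing ?transactionid=4 to ?transactionid=6 returns nothing unless
' the same user owns both rows. Parameters keep the values out of the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Amount FROM Transactions " & _
                  "WHERE TransactionID = ? AND UserID = ?"
cmd.Parameters.Append cmd.CreateParameter("@tx", adInteger, adParamInput, , CLng(rawId))
cmd.Parameters.Append cmd.CreateParameter("@uid", adInteger, adParamInput, , CLng(Session("UserID")))
Set rs = cmd.Execute

' Same response for "does not exist" and "belongs to someone else",
' so the page does not reveal which IDs are in use.
If rs.EOF Then
    rs.Close : conn.Close
    Deny "404 Not Found"
End If

Response.Write "Amount: " & Server.HTMLEncode(rs("Amount") & "")
rs.Close
conn.Close
%>
```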
I have used the following ASP functions to encrypt/decrypt information:
Encrypt the query string then decrypt on the other side
<%@ Import Namespace="BED" %>
<%@ Import Namespace="BLL" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.IO" %>
<script language="VBScript" runat="server">
    ' secret key
    Private key() As Byte = {13, 28, 94, 32, 7, 23, 12, 45, 32, 22, 5, 55, 29, 34, 54, 35, 1, 18, 33, 44, 61, 12, 65, 54}
    ' initialization vector (fixed, so equal inputs always encrypt to the same output)
    Private iv() As Byte = {65, 110, 68, 26, 69, 178, 200, 219}

    Public Function Encrypt(ByVal plainText As String) As String
        ' Declare a UTF8Encoding object so we may use the GetBytes
        ' method to transform the plainText into a Byte array.
        Dim utf8encoder As UTF8Encoding = New UTF8Encoding
        Dim inputInBytes() As Byte = utf8encoder.GetBytes(plainText)
        Dim utf8String As String
        Dim urlEncodedString As String
        ' Create a new TripleDES service provider
        Dim tdesProvider As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
        ' The ICryptoTransform interface uses the TripleDES
        ' crypto provider along with encryption key and init vector
        ' information
        Dim cryptoTransform As ICryptoTransform = tdesProvider.CreateEncryptor(Me.key, Me.iv)
        ' All cryptographic functions need a stream to output the
        ' encrypted information. Here we declare a memory stream
        ' for this purpose.
        Dim encryptedStream As MemoryStream = New MemoryStream
        Dim cryptStream As CryptoStream = New CryptoStream(encryptedStream, cryptoTransform, CryptoStreamMode.Write)
        ' Write the encrypted information to the stream. Flush the information
        ' when done to ensure everything is out of the buffer.
        cryptStream.Write(inputInBytes, 0, inputInBytes.Length)
        cryptStream.FlushFinalBlock()
        encryptedStream.Position = 0
        ' Read the stream back into a Byte array and return it to the calling
        ' method.
        Dim result(encryptedStream.Length - 1) As Byte
        encryptedStream.Read(result, 0, encryptedStream.Length)
        cryptStream.Close()
        ' Base64-encode the ciphertext bytes
        utf8String = Convert.ToBase64String(result)
        ' URL Encode
        urlEncodedString = Server.UrlEncode(utf8String)
        Return urlEncodedString
    End Function

    Public Function Decrypt(ByVal encryptedString As String) As String
        ' UTF8Encoding is used to transform the decrypted Byte array
        ' information back into a string.
        On Error Resume Next
        Dim utf8encoder As UTF8Encoding = New UTF8Encoding
        Dim tdesProvider As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
        Dim utf8String As String
        Dim urlDecodedString As String
        Dim utf8DecodedString As String
        Dim outputCharArray() As Char
        Dim outputBytes() As Byte
        ' URL Decode
        urlDecodedString = Server.UrlDecode(encryptedString)
        'Response.Write("OUT URL DECODED: " & urlDecodedString)
        'Response.Write("<br/>")
        ' Base64-decode to a Byte array
        outputBytes = Convert.FromBase64String(urlDecodedString)
        ' If that failed, retry with the string exactly as it was received
        If Err.number <> 0 Then
            urlDecodedString = encryptedString
            outputBytes = Convert.FromBase64String(urlDecodedString)
        End If
        Dim bbyte As Byte
        'Response.Write("OUT BYTES: ")
        'For Each bbyte In outputBytes
        ' Response.Write(bbyte.ToString() & " ")
        'Next
        'Response.Write("<br/>")
        ' As before we must provide the encryption/decryption key along with
        ' the init vector.
        Dim cryptoTransform As ICryptoTransform = tdesProvider.CreateDecryptor(Me.key, Me.iv)
        ' Provide a memory stream to decrypt information into
        Dim decryptedStream As MemoryStream = New MemoryStream
        Dim cryptStream As CryptoStream = New CryptoStream(decryptedStream, cryptoTransform, CryptoStreamMode.Write)
        cryptStream.Write(outputBytes, 0, outputBytes.Length)
        cryptStream.FlushFinalBlock()
        decryptedStream.Position = 0
        ' Read the memory stream and convert it back into a string
        Dim result(decryptedStream.Length - 1) As Byte
        decryptedStream.Read(result, 0, decryptedStream.Length)
        cryptStream.Close()
        Dim myutf As UTF8Encoding = New UTF8Encoding
        Return myutf.GetString(result)
    End Function
</script>
Check out:
http://www.codeproject.com/KB/security/SimpleEncryption.aspx