Solved

Encypt variable in web address

Posted on 2003-10-30
6
231 Views
Last Modified: 2008-02-26
I have a variable (siteid) which is passed from page to page in the address (eg www.d6online.co.uk?siteid=2753).
This variable is associated to a specific customer. If the user changed the value of the variable in the address bar they would have access to other customer's information. This just can't happen.

What I want to know is what is the best and easiest way of hiding this information from the user.

Hiding the address bar is no good as the properties will still tell them, also I would like the address bar to stay.

Is there a way of encrypting the data and still being able to use it in every page?

Thanks
0
Comment
Question by:wjdashwood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 11

Accepted Solution

by:
shmert earned 90 total points
ID: 9652380
the best way to hide data from the user is to put it in a session variable.  The user cannot change the session variables, and cannot read them, he only has access to the sessionID.

Example:
<?php
session_start();
$_SESSION['siteid'] = 2753;
?>
0
 
LVL 2

Assisted Solution

by:jetnet
jetnet earned 90 total points
ID: 9652692
You might want to look into PHP Sessions.  its a much more secure way of doing what your trying to do.  Plus, the users will not be able to make changes to the URL like what your talking about.

Plus, encrypting things like that are going to be intensive on your processor.  So its easier to just use sessions.  If your still wanting to look at it, look at http://us2.php.net/crypt.  That should help you out.
0
 
LVL 2

Assisted Solution

by:TaintedGod
TaintedGod earned 90 total points
ID: 9653309
I dont think you need to use sessions, sessions can still be forged just like address, so you can encrpt the address variable with the md5() hash, which will make tampering impossible because there are too many wrong possibilities.

So what you do is add this to your code :   $_SESSION['siteid'] = md5($_SESSION['siteid']);
or to make it eaier to use : $siteid = md5($_SESSION['siteid']);

Now guessing will be impossible and your clients information is safe, also you can do the md5 hash more than once to make it more secure.
0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 6

Assisted Solution

by:DoppyNL
DoppyNL earned 90 total points
ID: 9655838
forging a sessions is IMPOSSIBLE, since those are stored on the server.

A reference to that session is passed along between the user and the server, that is the only risc you have.
If you disable passing the sessionid via the url and force your users to use cookies, then you are safe! Simply, because if some hacker got access to that cookie, he would've also got access to any other solution you might come up with!

in short: sessions are safe enough.
You might want to think of using passwords though (or are you allready?)
0
 

Author Comment

by:wjdashwood
ID: 9656578
Yes I am using passwords. I use the username and password they login with to get the siteid from the database. I'll look into sessions, thank you all for helping me out.
0
 
LVL 3

Assisted Solution

by:ashoooo
ashoooo earned 40 total points
ID: 9659941
Sessions are the best bet.

I usually store the username in the session variable.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Generating table dynamically is the most common issue faced by php developers.... So it seems there is a need of an article that explains the basic concept of generating tables dynamically. It just requires a basic knowledge of html and little maths…
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question