Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Encypt variable in web address

Posted on 2003-10-30
6
Medium Priority
?
233 Views
Last Modified: 2008-02-26
I have a variable (siteid) which is passed from page to page in the address (eg www.d6online.co.uk?siteid=2753).
This variable is associated to a specific customer. If the user changed the value of the variable in the address bar they would have access to other customer's information. This just can't happen.

What I want to know is what is the best and easiest way of hiding this information from the user.

Hiding the address bar is no good as the properties will still tell them, also I would like the address bar to stay.

Is there a way of encrypting the data and still being able to use it in every page?

Thanks
0
Comment
Question by:wjdashwood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 11

Accepted Solution

by:
shmert earned 360 total points
ID: 9652380
the best way to hide data from the user is to put it in a session variable.  The user cannot change the session variables, and cannot read them, he only has access to the sessionID.

Example:
<?php
session_start();
$_SESSION['siteid'] = 2753;
?>
0
 
LVL 2

Assisted Solution

by:jetnet
jetnet earned 360 total points
ID: 9652692
You might want to look into PHP Sessions.  its a much more secure way of doing what your trying to do.  Plus, the users will not be able to make changes to the URL like what your talking about.

Plus, encrypting things like that are going to be intensive on your processor.  So its easier to just use sessions.  If your still wanting to look at it, look at http://us2.php.net/crypt.  That should help you out.
0
 
LVL 2

Assisted Solution

by:TaintedGod
TaintedGod earned 360 total points
ID: 9653309
I dont think you need to use sessions, sessions can still be forged just like address, so you can encrpt the address variable with the md5() hash, which will make tampering impossible because there are too many wrong possibilities.

So what you do is add this to your code :   $_SESSION['siteid'] = md5($_SESSION['siteid']);
or to make it eaier to use : $siteid = md5($_SESSION['siteid']);

Now guessing will be impossible and your clients information is safe, also you can do the md5 hash more than once to make it more secure.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 6

Assisted Solution

by:DoppyNL
DoppyNL earned 360 total points
ID: 9655838
forging a sessions is IMPOSSIBLE, since those are stored on the server.

A reference to that session is passed along between the user and the server, that is the only risc you have.
If you disable passing the sessionid via the url and force your users to use cookies, then you are safe! Simply, because if some hacker got access to that cookie, he would've also got access to any other solution you might come up with!

in short: sessions are safe enough.
You might want to think of using passwords though (or are you allready?)
0
 

Author Comment

by:wjdashwood
ID: 9656578
Yes I am using passwords. I use the username and password they login with to get the siteid from the database. I'll look into sessions, thank you all for helping me out.
0
 
LVL 3

Assisted Solution

by:ashoooo
ashoooo earned 160 total points
ID: 9659941
Sessions are the best bet.

I usually store the username in the session variable.
0

Featured Post

Tech or Treat!

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question