Solved

Encrypt variable in web address

Posted on 2003-10-30
Last Modified: 2008-02-26
I have a variable (siteid) which is passed from page to page in the address (e.g. www.d6online.co.uk?siteid=2753).
This variable is associated with a specific customer. If the user changed the value of the variable in the address bar they would have access to other customers' information. This just can't happen.

What I want to know is what is the best and easiest way of hiding this information from the user.

Hiding the address bar is no good as the properties will still tell them; also, I would like the address bar to stay.

Is there a way of encrypting the data and still being able to use it in every page?

Thanks
Question by:wjdashwood
6 Comments
 
LVL 11

Accepted Solution

by:
shmert earned 90 total points
ID: 9652380
The best way to hide data from the user is to put it in a session variable. The user cannot change the session variables and cannot read them; he only has access to the session ID.

Example:
<?php
session_start();
$_SESSION['siteid'] = 2753;
?>
0
 
LVL 2

Assisted Solution

by:jetnet
jetnet earned 90 total points
ID: 9652692
You might want to look into PHP Sessions. It's a much more secure way of doing what you're trying to do. Plus, the users will not be able to make changes to the URL like what you're talking about.

Plus, encrypting things like that is going to be intensive on your processor. So it's easier to just use sessions. If you're still wanting to look at it, look at http://us2.php.net/crypt. That should help you out.
0
 
LVL 2

Assisted Solution

by:TaintedGod
TaintedGod earned 90 total points
ID: 9653309
I don't think you need to use sessions; sessions can still be forged just like the address, so you can encrypt the address variable with the md5() hash, which will make tampering impossible because there are too many wrong possibilities.

So what you do is add this to your code: $_SESSION['siteid'] = md5($_SESSION['siteid']);
or to make it easier to use: $siteid = md5($_SESSION['siteid']);

Now guessing will be impossible and your client's information is safe. Also, you can do the md5 hash more than once to make it more secure.
0
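TaintedGod's suggestion and the original question both concern a value that stays in the URL. As an added example (not code from the thread): an unkeyed md5() of the siteid can be recomputed by anyone for any other siteid, whereas an HMAC made with a server-held key cannot; SECRET_KEY, the `sig` parameter and all function names are assumptions made for the illustration.

```php
<?php
// Added example. SECRET_KEY is a constructed placeholder; a real key is
// random and loaded from server-side configuration.
const SECRET_KEY = 'constructed-demo-key';

// Unkeyed form from the thread: any client can compute this for any siteid.
function md5_token(string $siteid): string
{
    return md5($siteid);
}

// Keyed form: only a holder of SECRET_KEY can produce a valid tag.
function hmac_token(string $siteid): string
{
    return hash_hmac('sha256', $siteid, SECRET_KEY);
}

// Returns the siteid if the accompanying tag matches, otherwise null.
function verified_siteid(array $query, callable $token): ?int
{
    $siteid = $query['siteid'] ?? null;
    $sig    = $query['sig'] ?? null;
    if (!is_string($siteid) || !is_string($sig) || !ctype_digit($siteid)) {
        return null;
    }
    // hash_equals() compares the two tags in constant time.
    return hash_equals($token($siteid), $sig) ? (int) $siteid : null;
}

// Constructed request parameters.
$issued  = ['siteid' => '2753', 'sig' => hmac_token('2753')];
$reused  = ['siteid' => '2754', 'sig' => $issued['sig']];   // siteid edited, old tag kept
$rebuilt = ['siteid' => '2754', 'sig' => md5('2754')];      // tag recomputed by the client

var_dump(verified_siteid($issued, 'hmac_token'));   // link as issued by the server
var_dump(verified_siteid($reused, 'hmac_token'));   // edited siteid under HMAC
var_dump(verified_siteid($rebuilt, 'hmac_token'));  // client-made md5 tag under HMAC
var_dump(verified_siteid($rebuilt, 'md5_token'));   // same pair under the md5 scheme
```

The edited siteid is rejected under HMAC in both cases and accepted under the md5 scheme. A valid HMAC tag shows that the server issued the link, not who is presenting it, so it complements a login-bound session rather than replacing it.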
 
LVL 6

Assisted Solution

by:DoppyNL
DoppyNL earned 90 total points
ID: 9655838
Forging a session is IMPOSSIBLE, since those are stored on the server.

A reference to that session is passed along between the user and the server; that is the only risk you have.
If you disable passing the sessionid via the url and force your users to use cookies, then you are safe! Simply, because if some hacker got access to that cookie, he would've also got access to any other solution you might come up with!

In short: sessions are safe enough.
You might want to think of using passwords though (or are you already?)
0
 

Author Comment

by:wjdashwood
ID: 9656578
Yes, I am using passwords. I use the username and password they log in with to get the siteid from the database. I'll look into sessions, thank you all for helping me out.
0
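The session approach from the answers, combined with DoppyNL's cookie-only advice and the asker's login lookup, as an added example that is not code from the thread: the siteid is derived from the credentials at login, kept in the session, and never read from the URL. The user table, credentials and function names are constructed, and PHP 7.3 or later is assumed for the array form of session_set_cookie_params().

```php
<?php
// Added example. The user table, credentials and helper names are constructed.

// Constructed stand-in for the database lookup the asker describes.
function find_user(string $username): ?array
{
    $users = [
        'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'siteid' => 2753],
    ];
    return $users[$username] ?? null;
}

// The session ID travels only in a cookie, never in the URL.
function start_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server did not issue
    // secure: the cookie is sent over HTTPS only; httponly: hidden from page scripts.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// At login the server derives siteid from the credentials and keeps it server-side.
function login(string $username, string $password): bool
{
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session ID after authentication
    $_SESSION['siteid'] = $user['siteid'];
    return true;
}

// On every page siteid comes from the session; $_GET['siteid'] is never consulted.
function current_siteid(): ?int
{
    return $_SESSION['siteid'] ?? null;
}

start_session();
$_GET['siteid'] = '9999';   // constructed value standing in for an edited URL
if (login('alice', 'correct horse')) {
    echo 'Serving data for siteid ', current_siteid(), PHP_EOL;
}
```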
 
LVL 3

Assisted Solution

by:ashoooo
ashoooo earned 40 total points
ID: 9659941
Sessions are the best bet.

I usually store the username in the session variable.
0
