Solved

Encypt variable in web address

Posted on 2003-10-30
6
228 Views
Last Modified: 2008-02-26
I have a variable (siteid) which is passed from page to page in the address (eg www.d6online.co.uk?siteid=2753).
This variable is associated to a specific customer. If the user changed the value of the variable in the address bar they would have access to other customer's information. This just can't happen.

What I want to know is what is the best and easiest way of hiding this information from the user.

Hiding the address bar is no good as the properties will still tell them, also I would like the address bar to stay.

Is there a way of encrypting the data and still being able to use it in every page?

Thanks
0
Comment
Question by:wjdashwood
6 Comments
 
LVL 11

Accepted Solution

by:
shmert earned 90 total points
ID: 9652380
the best way to hide data from the user is to put it in a session variable.  The user cannot change the session variables, and cannot read them, he only has access to the sessionID.

Example:
<?php
session_start();
$_SESSION['siteid'] = 2753;
?>
0
 
LVL 2

Assisted Solution

by:jetnet
jetnet earned 90 total points
ID: 9652692
You might want to look into PHP Sessions.  its a much more secure way of doing what your trying to do.  Plus, the users will not be able to make changes to the URL like what your talking about.

Plus, encrypting things like that are going to be intensive on your processor.  So its easier to just use sessions.  If your still wanting to look at it, look at http://us2.php.net/crypt.  That should help you out.
0
 
LVL 2

Assisted Solution

by:TaintedGod
TaintedGod earned 90 total points
ID: 9653309
I dont think you need to use sessions, sessions can still be forged just like address, so you can encrpt the address variable with the md5() hash, which will make tampering impossible because there are too many wrong possibilities.

So what you do is add this to your code :   $_SESSION['siteid'] = md5($_SESSION['siteid']);
or to make it eaier to use : $siteid = md5($_SESSION['siteid']);

Now guessing will be impossible and your clients information is safe, also you can do the md5 hash more than once to make it more secure.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 6

Assisted Solution

by:DoppyNL
DoppyNL earned 90 total points
ID: 9655838
forging a sessions is IMPOSSIBLE, since those are stored on the server.

A reference to that session is passed along between the user and the server, that is the only risc you have.
If you disable passing the sessionid via the url and force your users to use cookies, then you are safe! Simply, because if some hacker got access to that cookie, he would've also got access to any other solution you might come up with!

in short: sessions are safe enough.
You might want to think of using passwords though (or are you allready?)
0
 

Author Comment

by:wjdashwood
ID: 9656578
Yes I am using passwords. I use the username and password they login with to get the siteid from the database. I'll look into sessions, thank you all for helping me out.
0
 
LVL 3

Assisted Solution

by:ashoooo
ashoooo earned 40 total points
ID: 9659941
Sessions are the best bet.

I usually store the username in the session variable.
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question