How to encrypt query string using asp?

Posted on 2008-11-11
Last Modified: 2012-05-05
I have a database that's stores case information and allows clients to view details based on the case number using an asp script. The problem is that in the address bar the full path is displayed making it possible to easily enter another case number and view details other than the one intended. (detail.asp?caseno=XXXX)

I have read several "guides" on how to encrypt and decrypt this info but I am still kind of lost on how to set it up and where to put the code, etc.

I would need to use asp to do this...

I would like to know where to start and the steps needed to make it work. :)
Question by: prointel9900

    Accepted Solution

    Encrypting the case number is barely better than "security through obscurity".

    You need to check whether the user has the rights to view the requested case before pulling the data.

    Author Comment

    That's what I am asking... they have to login first which will redirect them to the page containing their case information but the path that is displayed in the address bar is what I am trying to get rid of...

    Author Comment

    one more thing, I can possibly manage to post the variables to the page I need to prevent the information from displaying on the address bar but the main concern of mine is that the users are emailed a link to check the status of a given "case" and mainly would like to prevent the link from displaying that information.

    Assisted Solution

    You can encrypt an ID number and use that as a token, but it still won't prevent someone from brute-forcing their way into another case file. For example, if you use MD5 to encrypt an ID, you'll get something like this: 0b89391af819e715bbc1005fb6d86e7e. Certainly more complex than "1125", but not really that much more secure when you consider a program can run through thousands of encrypted ID numbers.

    What you really want to do is tie your ID number to a client record.  Set up your case table like this:

    caseno int,
    casedate datetime,
    casedata varchar(250),
    morecasedata varchar(250),
    userID int

    When the user logs in you're presumably using either a session variable or a cookie to track their session -- then once they go to view the case number via the detail.asp page, you'll need to amend the SQL query that calls the record details like so:

    ' Grab the user's ID number from the session
    varUserID = Session("userID")    ' Or Request.Cookies("userID")

    ' Pull only this user's copy of the requested case: the WHERE clause needs both the owner and the case.
    ' CLng() only accepts a number (anything else raises a type mismatch), so the values cannot carry SQL.
    ' "cases" stands for whatever you named the case table laid out above.
    strSQL = "SELECT caseno, casedate, casedata, morecasedata FROM cases " & _
             "WHERE userID = " & CLng(varUserID) & " AND caseno = " & CLng(Request.QueryString("caseno"))

    Now you know that -- assuming the user hasn't gained access to someone else's account -- they're only viewing their case records.

    Author Comment

    "For example, if you use MD5 to encrypt an ID, you'll get something like this: 0b89391af819e715bbc1005fb6d86e7e. "

    That is what I was trying to do... mainly for the link that is viewable. You mention using "MD5" and I have no idea what that is or how to accomplish this. That is what my question is.

    I have the pages so that they are only viewable with correct permissions. My main concern is not displaying the path with the link.

    Hopefully I am making some sort of sense here, I am not quite sure how to explain it... :)

    Expert Comment

    Well, if you want to do it this way you can check out this: That's an MD5 algorithm in VBScript. Save the code to an ASP page, include it in your program, then encrypt your value like this:

    Dim varPlainText, varEncryptedText
    varPlainText = "12345" ' However you want to grab the ID field
    varEncryptedText = MD5(varPlainText)

    Once encrypted, you'll need to store the value in the database since the newly encrypted value is one-way only.

    Assisted Solution

    The problem with this is another person can simply guess a number, run it through the MD5 function available from many sites online, and that way they can guess case numbers without any trouble.

    If you really want to go this route, I suggest salting your case number. This will prevent the kind of attack explained above. E.g. you will md5(case_number + random salt). Using this md5, you will go through the DB and md5 the case_id + salt to see which case matches and display that. I suggest reading up on salting passwords.

    As mentioned, the system should only allow specific people to view their cases. In this case, id= would work fine. If the case doesn't belong to that person, you can simply display an error message.
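    One way to put the two points above together for the emailed link, as an added example that is not code from this thread: the link carries a random per-case token instead of the case number (in place of the MD5 scheme), the recipient must still log in, and the query itself checks that the case belongs to them, so a guessed or leaked link shows nothing. Assumed here: a linktoken varchar(36) column on the case table laid out above, a placeholder connection string in Application("connStr"), and that the server's GUID generator returns random version-4 GUIDs (Windows 2000 and later).

```vbscript
<%
Option Explicit
' detail.asp -- added example, not code from the original thread.
' Assumes: "cases" table as laid out above plus a linktoken varchar(36) column,
' and Application("connStr") as a placeholder for your connection string.

' Random token to store in linktoken when a case is created and to put in the
' emailed link (detail.asp?t=...). A version-4 GUID carries 122 random bits, so it
' cannot be enumerated the way MD5(caseno) over a few thousand numbers can.
Function NewLinkToken()
    ' Mid(..., 2, 36) drops the surrounding braces (and trailing CRLF) from the GUID
    NewLinkToken = Mid(Server.CreateObject("Scriptlet.TypeLib").Guid, 2, 36)
End Function

Dim token, re, conn, cmd, rs

' 1. The link alone is not proof of identity: the user must still be logged in.
If IsEmpty(Session("userID")) Then Response.Redirect "login.asp"

' 2. Validate the token's shape before it reaches SQL: 8-4-4-4-12 hex digits.
token = Request.QueryString("t")
Set re = New RegExp
re.Pattern = "^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$"
If Not re.Test(token) Then
    Response.Status = "400 Bad Request" : Response.Write "Invalid link." : Response.End
End If

' 3. Authorise inside the query: the row must match the token AND belong to this user.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("connStr")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT caseno, casedate, casedata, morecasedata FROM cases " & _
                  "WHERE linktoken = ? AND userID = ?"
cmd.CommandType = 1                                                              ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("t", 200, 1, 36, token)                ' adVarChar, adParamInput
cmd.Parameters.Append cmd.CreateParameter("u", 3, 1, , CLng(Session("userID")))  ' adInteger, adParamInput
Set rs = cmd.Execute

' 4. An unknown token and another user's case get the same answer, so nothing leaks.
If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "Case not found."
Else
    Response.Write "Case " & rs("caseno") & " (" & rs("casedate") & "): " & Server.HTMLEncode(rs("casedata"))
End If
rs.Close : conn.Close
%>
```

    Where an emailed link should also expire, add a datetime column next to linktoken and include "AND linkexpires > ?" in the same query rather than checking it afterwards in script.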
