How do I encrypt a query string?

saturation
I need to encrypt a querystring in an ASP page so that my user, for example, does not see what variables are being passed from page to page.  I am unable, unfortunately, to use hidden fields to pass them, so I need to figure out another way.  Either an encryption method would be nice, or another way to fake the URL by placing another URL in the querystring while the actual querystring is hidden from the user's view.   Ideas?

Encryption is all built into .NET within System.Security.Cryptography.

Check out:

http://www.codeproject.com/KB/security/SimpleEncryption.aspx

Author

Commented:
That's fine, but I'm using classic ASP and can't use .NET.  Any other ideas?

Commented:
Don't use a query string. Use a database and save the string into the database and only pass the database ID that has the string in it. Then when you get to the page that has the ID in the URL you just look up the data for that ID, or just use a form post.

Author

Commented:
Using the database ID seems to be the simplest solution here, but perhaps I'm not getting something, because it still seems that if you pass the database ID in the querystring, you can still type in, for example, ?transactionid=4 or ?transactionid=6 and will still be able to pull up another person's transaction.  Am I missing something here?
If you are running something with user transactions, e.g. e-commerce, then the approach of using just querystrings to identify users is totally wrong, I'm afraid. You really need to look at using Sessions.

Commented:
Sessions will work well unless it is a URL that is used outside of the session (can be bookmarked, can be sent in emails, etc.); then the database would be the way to go. For security purposes you can make sure to store the data in the database WITH a User ID to make sure only that user can access that data.

Leo Eikelman, Director, IT and Business Development

Commented:
I have used the following ASP functions to encrypt/decrypt information:

Encrypt the query string then decrypt on the other side

<%@ Import Namespace="BED" %>
<%@ Import Namespace="BLL" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.IO" %>
 
<script language="VBScript" runat="server">
 
 ' secret key
   Private key() As Byte = {13, 28, 94, 32, 7, 23, 12, 45, 32, 22, 5, 55, 29, 34, 54, 35, 1, 18, 33, 44, 61, 12, 65, 54}
   
' initialization vector 
   Private iv() As Byte = {65, 110, 68, 26, 69, 178, 200, 219}
 
Public Function Encrypt(ByVal plainText As String) As String
        ' Declare a UTF8Encoding object so we may use the GetByte 
        ' method to transform the plainText into a Byte array. 
        Dim utf8encoder As UTF8Encoding = New UTF8Encoding
        Dim inputInBytes() As Byte = utf8encoder.GetBytes(plainText)
        Dim utf8String As String
        Dim urlEncodedString As String
 
        ' Create a new TripleDES service provider 
        Dim tdesProvider As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
 
        ' The ICryptTransform interface uses the TripleDES 
        ' crypt provider along with encryption key and init vector 
        ' information 
        Dim cryptoTransform As ICryptoTransform = tdesProvider.CreateEncryptor(Me.key, Me.iv)
 
        ' All cryptographic functions need a stream to output the 
        ' encrypted information. Here we declare a memory stream 
        ' for this purpose. 
        Dim encryptedStream As MemoryStream = New MemoryStream
        Dim cryptStream As CryptoStream = New CryptoStream(encryptedStream, cryptoTransform, CryptoStreamMode.Write)
 
        ' Write the encrypted information to the stream. Flush the information 
        ' when done to ensure everything is out of the buffer. 
        cryptStream.Write(inputInBytes, 0, inputInBytes.Length)
        cryptStream.FlushFinalBlock()
        encryptedStream.Position = 0
 
        ' Read the stream back into a Byte array and return it to the calling 
        ' method. 
        Dim result(encryptedStream.Length - 1) As Byte
        encryptedStream.Read(result, 0, encryptedStream.Length)
        cryptStream.Close()      
 
        ' Base64-encode the encrypted bytes
        utf8String = Convert.ToBase64String(result)
        
        ' URL Encode
        urlEncodedString = Server.UrlEncode(utf8String)
 
        Return urlEncodedString
 
    End Function
 
 
Public Function Decrypt(ByVal encryptedString As String) As String
        ' UTFEncoding is used to transform the decrypted Byte Array 
        ' information back into a string. 
        On Error Resume Next
 
        Dim utf8encoder As UTF8Encoding = New UTF8Encoding
        Dim tdesProvider As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider
        Dim utf8String As String
        Dim urlDecodedString As String
        Dim utf8DecodedString As String
        Dim outputCharArray() As Char
        Dim outputBytes() As Byte
 
        ' URL Decode
        urlDecodedString = Server.UrlDecode(encryptedString)
        
                    
        'Response.Write("OUT URL DECODED: " & urlDecodedString)
        'Response.Write("<br/>")
 
        ' Base64-decode to Byte Array
        outputBytes = Convert.FromBase64String(urlDecodedString)
        
        If Err.number <> 0 Then
        		urlDecodedString = encryptedString
        		outputBytes = Convert.FromBase64String(urlDecodedString)
        End If
 
        Dim bbyte As Byte
        'Response.Write("OUT BYTES: ")
        'For Each bbyte In outputBytes
        '    Response.Write(bbyte.ToString() & " ")
        'Next
        'Response.Write("<br/>")
 
        ' As before we must provide the encryption/decryption key along with 
        ' the init vector. 
        Dim cryptoTransform As ICryptoTransform = tdesProvider.CreateDecryptor(Me.key, Me.iv)
 
        ' Provide a memory stream to decrypt information into 
        Dim decryptedStream As MemoryStream = New MemoryStream
        Dim cryptStream As CryptoStream = New CryptoStream(decryptedStream, cryptoTransform, CryptoStreamMode.Write)
        cryptStream.Write(outputBytes, 0, outputBytes.Length)
        cryptStream.FlushFinalBlock()
        decryptedStream.Position = 0
 
        ' Read the memory stream and convert it back into a string 
        Dim result(decryptedStream.Length - 1) As Byte
        decryptedStream.Read(result, 0, decryptedStream.Length)
        cryptStream.Close()
        Dim myutf As UTF8Encoding = New UTF8Encoding
        Return myutf.GetString(result)
    End Function
 
</script>

Commented:
Create a Key field in your db associated with the value you want to protect. Generate a random key with whatever you want. I provide a sample function in classic ASP to generate a key. Make sure that your key is unique in the db and send the key by email or bookmark like:

http://SomeSite.com/Somepage.asp?Id=hjilsd82hnsSds

The key will refer to all the associated values. It's the same principle as a session ID.
Function GetNewKey()
	Dim intLenKey,intTypeOfChar
	Dim intCmpt,strTempKey
	
	Randomize
	intLenKey = Int((20 - 10 + 1) * Rnd + 10)
	For intCmpt = 1 to intLenKey		
		intTypeOfChar = Int(3 * Rnd + 1)
		Select Case intTypeOfChar 
		Case 1			
			strTempKey = strTempKey & Chr(Int((90 - 65 + 1) * Rnd + 65))
		Case 2			
			strTempKey = strTempKey & Chr(Int((57 - 48 + 1) * Rnd + 48))
		Case 3			
			strTempKey = strTempKey & Chr(Int((122 - 97 + 1) * Rnd + 97))
		End Select
	Next
 
	GetNewKey = strTempKey 
End Function
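
The lookup-key approach suggested in this thread (an opaque key in the URL, with the stored row tied to a user ID), as an added example that is not part of any poster's answer. It is written in Python with SQLite rather than classic ASP so that it runs stand-alone; the table name `link_tokens`, the function names and the sample values are assumptions for illustration, and the key is drawn from the operating system's CSPRNG because it has to be unguessable.

```python
import secrets
import sqlite3


def open_store():
    """In-memory table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE link_tokens ("
        " token   TEXT PRIMARY KEY,"      # uniqueness is enforced by the database
        " user_id INTEGER NOT NULL,"      # owner of the data behind the token
        " payload TEXT NOT NULL)"         # the real query string, never sent to the client
    )
    return db


def issue_token(db, user_id, payload):
    """Keep the real parameters server-side and return the value that goes in the URL."""
    while True:
        token = secrets.token_urlsafe(16)  # 128 random bits, URL-safe, 22 characters
        try:
            with db:  # commits on success, rolls back on error
                db.execute("INSERT INTO link_tokens VALUES (?, ?, ?)",
                           (token, user_id, payload))
            return token
        except sqlite3.IntegrityError:
            continue  # token already exists: generate another one


def resolve_token(db, token, current_user_id):
    """Return the payload only when the token exists AND belongs to this user."""
    row = db.execute(
        "SELECT payload FROM link_tokens WHERE token = ? AND user_id = ?",
        (token, current_user_id),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Constructed sample data: user 1 owns transaction 4, user 2 owns transaction 6."""
    db = open_store()
    t1 = issue_token(db, 1, "transactionid=4")
    issue_token(db, 2, "transactionid=6")
    return {
        "owner": resolve_token(db, t1, 1),       # the owner gets the data back
        "other_user": resolve_token(db, t1, 2),  # same URL, different login: refused
        "guessed_id": resolve_token(db, "6", 1), # typing a plain ID finds nothing
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check in `resolve_token` is what answers the `?transactionid=4` versus `?transactionid=6` concern raised earlier in the thread; for links opened without a login, the randomness of the token is the only control.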
