Solved

Encrypting Sharepoint URL parameters

Posted on 2010-08-17
7
1,734 Views
Last Modified: 2012-05-10
I need a solution for encrypting  the url parameters of a sharepoint URL e.g. "http://sharepointsite.com/Lists/ListName/NewForm.aspx?Title=Title Text Here&Description=Description Text Here". I need any parameter after the ? to be encrypted.
(Just for reference, i'm using SPFF (Sharepoint Form Field Asistant: http://spff.codeplex.com/) to pass the parameters to the NewForm Fields.

I found this when googling for a solution but don't know how to implement it or even if it can be implemented into sharepoint: http://devcity.net/PrintArticle.aspx?ArticleID=47
It's almost exactly what i'm after.

Is there anyone who knows how to do this?
I have access to Sharepoint Designer.

Any help will be much appreciated.

Thanks
0
Comment
Question by:ydsonline
  • 4
  • 2
7 Comments
 
LVL 6

Assisted Solution

by:vikas413
vikas413 earned 200 total points
ID: 33452394
you have good approach to do this, but fundamentally SPFF is created on JQuery which is is on client side, and the other part your encryption-decryption code should be on server side which is on server side.

when form is loaded in browser SPFF updates the fields by filling values by taking it from query string, and didn't do anything on server side. so if you pass encrypted string you need to have some way (update SPFF) to decrypt it from client, which in turn becomes request to server(with updated spff) to decrypt it.

but I think this is not good approach .. as anyone can call same function by checking it from your JS..

so I think if you wanna go with encrypted query string you need to write your own new/edit form for your libraries.

hope I have clear my point.

regards,
Vikas Patel.


0
 
LVL 5

Author Comment

by:ydsonline
ID: 33452411
Thanks for your explanation vikas. I actually don't mind if the encryption only occurs on the client side. The site is mainly for internal use and only needs to fool the normal user to not be able to edit the parameters. We are talking about standard users in an office environment so i'm not too worried if it doesn't get encrypted on the server side. But good point and clarification, thanks.
Are you still able to help with getting the encryption to work on the client side?
 
0
 
LVL 6

Assisted Solution

by:vikas413
vikas413 earned 200 total points
ID: 33452587
http://www.fourmilab.ch/javascrypt/javascrypt.html
http://javascript.about.com/od/problemsolving/a/encrypt.htm
http://pajhome.org.uk/crypt/md5/

here are some examples of js encryption/decryption. merge it with SPFF while getting values from querystring and you are ready to roll.. ;)
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 5

Author Comment

by:ydsonline
ID: 33462205
Thanks Vikas, but i'm not sure how to implement encrypting the url from those pages that you mentioned. I can see that you can use it to encrypt a url but can't figure out how to implement it into my current page so it automatically encrypts the url.

I have found an alternative method in the mean time which seems to work well for my purposes. It's not encryption unfortunately, but uses a frameset instead to hide the original page url. Then I used a script to disable the right click on the page so you can't use the properties of the page to see the url and then use another script to delete the history of the page url so it won't show up in the browser history.

I still would rather use encryption since the alternative method is more work for me.

If you can explain or give me an example of how to merge those encryption techniques with SPFF, that would be much appreciated.
 

Below I've include an example of what I did as an alternative just for the sake of this question:

New page with original url in framset:
<HTML>
<HEAD>
<TITLE>This is test </TITLE>
</HEAD>
<FRAMESET cols="*">
<FRAMESET rows="*">
<FRAME src="http://sharepointsite.com/Lists/ListName/NewForm.aspx?Title=Title">
</FRAMESET>
</HTML>  
 
Script to Disable history:
<script language="javascript" >
javascript: window.history.forward(1);
</script>  
 
Script to disable right click on page:
<SCRIPT TYPE="text/javascript">
<!--
//Disable right click script
//visit http://www.rainbow.arch.scriptmania.com/scripts/
var message="Sorry, right-click has been disabled";
///////////////////////////////////
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
// -->
</SCRIPT>
0
 
LVL 2

Accepted Solution

by:
furball4 earned 300 total points
ID: 33494411
Can you be a bit more precise about your goals? Encryption is a means, not an end. Saying that you want to encrypt the parameters is assuming a goal - but we need to understand the goal ourselves in order to be of the most help. What is it exactly that you want to allow/disallow?

From what you have written I think the answer is that you wish to make tampering impossible. If that is your only purpose (and not, for example, to also make the parameters incomprehensible) then you could roll together a solution that required no encryption. Such a solution would either store the parameters server-side or verify them whenever they were re-presented to the server. Really it is the same solution but with different implementations.  The former would even make them incomprehensible to the user, if that was a nice plus for you.

So to be clear, I am suggesting that when your app is going to put a link into a webpage (like http://www.myapp.com/index.html?secret_var=1&vulnerable_var=2) you instead throw the string "secret_var=1&vulnerable_var=2" into a database alongside a large, high-entropy, temporary key. Then you use this link in the app: http://www.myapp.com/index.html?key=e289asihfh2024fwhfalsd8f42. When that request comes in, you use the re-presented key to recover the actual parameters from the database and read them into your app yourself. I suspect that whatever development language you are using will already have something like this available as a library or code snippet. Most web apps already do dozens of database queries per page - one more pull on a primary key isn't going to slow things down.
0
 
LVL 5

Author Comment

by:ydsonline
ID: 33497744
Thanks for you suggestions furball, i'll reply shortly...
0
 
LVL 5

Author Closing Comment

by:ydsonline
ID: 33517121
Thanks guys, some of your thoughts have led me to a solution that does not require encryption and seems to work well for my purposes. My Goal was as furball put it, to make tampering impossible. I have however found those encryption links handy as well and used them as part of my solution in a different way. so thanks.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now