Encrypting Sharepoint URL parameters

I need a solution for encrypting  the url parameters of a sharepoint URL e.g. "http://sharepointsite.com/Lists/ListName/NewForm.aspx?Title=Title Text Here&Description=Description Text Here". I need any parameter after the ? to be encrypted.
(Just for reference, i'm using SPFF (Sharepoint Form Field Asistant: http://spff.codeplex.com/) to pass the parameters to the NewForm Fields.

I found this when googling for a solution but don't know how to implement it or even if it can be implemented into sharepoint: http://devcity.net/PrintArticle.aspx?ArticleID=47
It's almost exactly what i'm after.

Is there anyone who knows how to do this?
I have access to Sharepoint Designer.

Any help will be much appreciated.

Thanks
LVL 5
ydsonlineAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

vikas413Commented:
you have good approach to do this, but fundamentally SPFF is created on JQuery which is is on client side, and the other part your encryption-decryption code should be on server side which is on server side.

when form is loaded in browser SPFF updates the fields by filling values by taking it from query string, and didn't do anything on server side. so if you pass encrypted string you need to have some way (update SPFF) to decrypt it from client, which in turn becomes request to server(with updated spff) to decrypt it.

but I think this is not good approach .. as anyone can call same function by checking it from your JS..

so I think if you wanna go with encrypted query string you need to write your own new/edit form for your libraries.

hope I have clear my point.

regards,
Vikas Patel.


0
ydsonlineAuthor Commented:
Thanks for your explanation vikas. I actually don't mind if the encryption only occurs on the client side. The site is mainly for internal use and only needs to fool the normal user to not be able to edit the parameters. We are talking about standard users in an office environment so i'm not too worried if it doesn't get encrypted on the server side. But good point and clarification, thanks.
Are you still able to help with getting the encryption to work on the client side?
 
0
vikas413Commented:
http://www.fourmilab.ch/javascrypt/javascrypt.html
http://javascript.about.com/od/problemsolving/a/encrypt.htm
http://pajhome.org.uk/crypt/md5/

here are some examples of js encryption/decryption. merge it with SPFF while getting values from querystring and you are ready to roll.. ;)
0
The Five Tenets of the Most Secure Backup

Data loss can hit a business in any number of ways. In reality, companies should expect to lose data at some point. The challenge is having a plan to recover from such an event.

ydsonlineAuthor Commented:
Thanks Vikas, but i'm not sure how to implement encrypting the url from those pages that you mentioned. I can see that you can use it to encrypt a url but can't figure out how to implement it into my current page so it automatically encrypts the url.

I have found an alternative method in the mean time which seems to work well for my purposes. It's not encryption unfortunately, but uses a frameset instead to hide the original page url. Then I used a script to disable the right click on the page so you can't use the properties of the page to see the url and then use another script to delete the history of the page url so it won't show up in the browser history.

I still would rather use encryption since the alternative method is more work for me.

If you can explain or give me an example of how to merge those encryption techniques with SPFF, that would be much appreciated.
 

Below I've include an example of what I did as an alternative just for the sake of this question:

New page with original url in framset:
<HTML>
<HEAD>
<TITLE>This is test </TITLE>
</HEAD>
<FRAMESET cols="*">
<FRAMESET rows="*">
<FRAME src="http://sharepointsite.com/Lists/ListName/NewForm.aspx?Title=Title">
</FRAMESET>
</HTML>  
 
Script to Disable history:
<script language="javascript" >
javascript: window.history.forward(1);
</script>  
 
Script to disable right click on page:
<SCRIPT TYPE="text/javascript">
<!--
//Disable right click script
//visit http://www.rainbow.arch.scriptmania.com/scripts/ 
var message="Sorry, right-click has been disabled";
///////////////////////////////////
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
document.oncontextmenu=new Function("return false")
// -->
</SCRIPT>
0
furball4Commented:
Can you be a bit more precise about your goals? Encryption is a means, not an end. Saying that you want to encrypt the parameters is assuming a goal - but we need to understand the goal ourselves in order to be of the most help. What is it exactly that you want to allow/disallow?

From what you have written I think the answer is that you wish to make tampering impossible. If that is your only purpose (and not, for example, to also make the parameters incomprehensible) then you could roll together a solution that required no encryption. Such a solution would either store the parameters server-side or verify them whenever they were re-presented to the server. Really it is the same solution but with different implementations.  The former would even make them incomprehensible to the user, if that was a nice plus for you.

So to be clear, I am suggesting that when your app is going to put a link into a webpage (like http://www.myapp.com/index.html?secret_var=1&vulnerable_var=2) you instead throw the string "secret_var=1&vulnerable_var=2" into a database alongside a large, high-entropy, temporary key. Then you use this link in the app: http://www.myapp.com/index.html?key=e289asihfh2024fwhfalsd8f42. When that request comes in, you use the re-presented key to recover the actual parameters from the database and read them into your app yourself. I suspect that whatever development language you are using will already have something like this available as a library or code snippet. Most web apps already do dozens of database queries per page - one more pull on a primary key isn't going to slow things down.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ydsonlineAuthor Commented:
Thanks for you suggestions furball, i'll reply shortly...
0
ydsonlineAuthor Commented:
Thanks guys, some of your thoughts have led me to a solution that does not require encryption and seems to work well for my purposes. My Goal was as furball put it, to make tampering impossible. I have however found those encryption links handy as well and used them as part of my solution in a different way. so thanks.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft SharePoint

From novice to tech pro — start learning today.