Encrypting Sharepoint URL parameters

Posted on 2010-08-17
Medium Priority
Last Modified: 2012-05-10
I need a solution for encrypting  the url parameters of a sharepoint URL e.g. "http://sharepointsite.com/Lists/ListName/NewForm.aspx?Title=Title Text Here&Description=Description Text Here". I need any parameter after the ? to be encrypted.
(Just for reference, i'm using SPFF (Sharepoint Form Field Asistant: http://spff.codeplex.com/) to pass the parameters to the NewForm Fields.

I found this when googling for a solution but don't know how to implement it or even if it can be implemented into sharepoint: http://devcity.net/PrintArticle.aspx?ArticleID=47
It's almost exactly what i'm after.

Is there anyone who knows how to do this?
I have access to Sharepoint Designer.

Any help will be much appreciated.

Question by:ydsonline
  • 4
  • 2

Assisted Solution

vikas413 earned 800 total points
ID: 33452394
you have good approach to do this, but fundamentally SPFF is created on JQuery which is is on client side, and the other part your encryption-decryption code should be on server side which is on server side.

when form is loaded in browser SPFF updates the fields by filling values by taking it from query string, and didn't do anything on server side. so if you pass encrypted string you need to have some way (update SPFF) to decrypt it from client, which in turn becomes request to server(with updated spff) to decrypt it.

but I think this is not good approach .. as anyone can call same function by checking it from your JS..

so I think if you wanna go with encrypted query string you need to write your own new/edit form for your libraries.

hope I have clear my point.

Vikas Patel.


Author Comment

ID: 33452411
Thanks for your explanation vikas. I actually don't mind if the encryption only occurs on the client side. The site is mainly for internal use and only needs to fool the normal user to not be able to edit the parameters. We are talking about standard users in an office environment so i'm not too worried if it doesn't get encrypted on the server side. But good point and clarification, thanks.
Are you still able to help with getting the encryption to work on the client side?

Assisted Solution

vikas413 earned 800 total points
ID: 33452587

here are some examples of js encryption/decryption. merge it with SPFF while getting values from querystring and you are ready to roll.. ;)
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.


Author Comment

ID: 33462205
Thanks Vikas, but i'm not sure how to implement encrypting the url from those pages that you mentioned. I can see that you can use it to encrypt a url but can't figure out how to implement it into my current page so it automatically encrypts the url.

I have found an alternative method in the mean time which seems to work well for my purposes. It's not encryption unfortunately, but uses a frameset instead to hide the original page url. Then I used a script to disable the right click on the page so you can't use the properties of the page to see the url and then use another script to delete the history of the page url so it won't show up in the browser history.

I still would rather use encryption since the alternative method is more work for me.

If you can explain or give me an example of how to merge those encryption techniques with SPFF, that would be much appreciated.

Below I've include an example of what I did as an alternative just for the sake of this question:

New page with original url in framset:
<TITLE>This is test </TITLE>
<FRAMESET cols="*">
<FRAMESET rows="*">
<FRAME src="http://sharepointsite.com/Lists/ListName/NewForm.aspx?Title=Title">
Script to Disable history:
<script language="javascript" >
javascript: window.history.forward(1);
Script to disable right click on page:
<SCRIPT TYPE="text/javascript">
//Disable right click script
//visit http://www.rainbow.arch.scriptmania.com/scripts/ 
var message="Sorry, right-click has been disabled";
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
document.oncontextmenu=new Function("return false")
// -->

Accepted Solution

furball4 earned 1200 total points
ID: 33494411
Can you be a bit more precise about your goals? Encryption is a means, not an end. Saying that you want to encrypt the parameters is assuming a goal - but we need to understand the goal ourselves in order to be of the most help. What is it exactly that you want to allow/disallow?

From what you have written I think the answer is that you wish to make tampering impossible. If that is your only purpose (and not, for example, to also make the parameters incomprehensible) then you could roll together a solution that required no encryption. Such a solution would either store the parameters server-side or verify them whenever they were re-presented to the server. Really it is the same solution but with different implementations.  The former would even make them incomprehensible to the user, if that was a nice plus for you.

So to be clear, I am suggesting that when your app is going to put a link into a webpage (like http://www.myapp.com/index.html?secret_var=1&vulnerable_var=2) you instead throw the string "secret_var=1&vulnerable_var=2" into a database alongside a large, high-entropy, temporary key. Then you use this link in the app: http://www.myapp.com/index.html?key=e289asihfh2024fwhfalsd8f42. When that request comes in, you use the re-presented key to recover the actual parameters from the database and read them into your app yourself. I suspect that whatever development language you are using will already have something like this available as a library or code snippet. Most web apps already do dozens of database queries per page - one more pull on a primary key isn't going to slow things down.

Author Comment

ID: 33497744
Thanks for you suggestions furball, i'll reply shortly...

Author Closing Comment

ID: 33517121
Thanks guys, some of your thoughts have led me to a solution that does not require encryption and seems to work well for my purposes. My Goal was as furball put it, to make tampering impossible. I have however found those encryption links handy as well and used them as part of my solution in a different way. so thanks.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Course of the Month8 days, 5 hours left to enroll

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question