hiding variables in URL

While I typically use post vars on forms, I need to expose a var in a URL. I was wondering is it possible to set up the server so it does not show this - looking for a secure solution

So I want to go from


to this


silly question: does your thePage.php work as expected without the id variable
lvmllcAuthor Commented:
No.  I must at least get an ID var. Typically this is provided in a POST but because the project is not a linear set of form pages I also have code that will use a GET if the POST is null.  When this happens, the ID is displayed in the URL and this is what I want to hide.
There are two or three ways to circumvent showing that.

One is POST as you mention.
Another is to set that id in a COOKIE and then read that in the $_COOKIE array.
The third is to set variables in a $_SESSION using session_start(); and then $_SESSION.

The difference between a COOKIE and SESSION is merely that in a COOKIE all of the variable values are stored on their computer. In a SESSION, only a single variable to identify the session is stored on their computer and everything else is stored in a SESSION on the server.

In other words, you cannot obfuscate it when using GET ... but you can altogether avoid using GET.
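The session route described above, as an added example that is not part of the original thread: the id is accepted once from a POST, bound to a server-side session, and every later page load reads it from $_SESSION, so the URL stays clean. The cookie settings, the `record_id` session key and the redirect target are assumptions for this example.

```php
<?php
// Added example (not from the thread): keep the record id in the server-side
// session instead of the query string. The id enters once via POST; later
// page requests carry only the session cookie, so the URL stays clean.
declare(strict_types=1);

// Harden the session cookie before the session starts (assumed settings).
session_set_cookie_params([
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

function storeIdInSession(int $id): void
{
    // Rotate the session id when a new value is bound to it (limits fixation).
    session_regenerate_id(true);
    $_SESSION['record_id'] = $id;
}

function currentRecordId(): ?int
{
    // Only accept a positive integer that this server put in the session.
    $id = $_SESSION['record_id'] ?? null;
    return (is_int($id) && $id > 0) ? $id : null;
}

// POST carries the id exactly once (e.g. from the initial form).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['id'])) {
    $raw = $_POST['id'];
    // "Accept only known good values": digits only, non-zero, then cast.
    if (!is_string($raw) || !ctype_digit($raw) || $raw === '0') {
        http_response_code(400);
        exit('invalid id');
    }
    storeIdInSession((int) $raw);
    // Redirect (303) so the id never appears in the URL of the page that uses it.
    header('Location: /thePage.php', true, 303);
    exit;
}

// Every later GET of thePage.php reads the id from the session only.
$id = currentRecordId();
if ($id === null) {
    http_response_code(403);
    exit('no record selected');
}
// ... load record $id here ...
echo 'Editing record ' . $id;
```

The POST-then-redirect step matters: if the page that uses the id were rendered directly from the POST, a browser refresh would resubmit the form, and the id would still never be bookmarkable, which is the trade-off Ray points out further down.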

Ray PaseurCommented:
Have a look at the design pattern around the $h variable here:

If your script does not update the data model, you should use a GET method request with an "exposed variable" in the URL.  Nothing is so frustrating as spending a lot of time going through complicated forms to look up an important piece of information, only to find that you cannot bookmark it.  Are you listening Fairfax county government?

If you want to avoid data harvesting with web scrapers, you can use keys that are not readily predictable.

You may also find that your programming can use $_REQUEST, thus allowing for POST method requests to be overridden by GET method requests.  If you do this, you will have a known security exposure, and you will want to give especially careful attention to the mantra, "Accept Only Known Good Values."
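Two of the points above, unpredictable keys against scraping and "Accept Only Known Good Values", as an added example that is not part of Ray's post: the URL carries a random 128-bit public key stored next to the integer id, and the incoming value is shape-checked before it reaches a prepared statement. The `pages` table, the `public_key` column and the in-memory SQLite connection are assumptions for this example.

```php
<?php
// Added example (not from the thread): expose an unpredictable public key in
// the URL instead of the sequential database id, and validate the incoming
// value against a "known good" shape before it touches the database.
declare(strict_types=1);

// A 128-bit random key, stored in the row next to the integer id
// (column name `public_key` is assumed). 32 hex chars, URL-safe as-is.
function newPublicKey(): string
{
    return bin2hex(random_bytes(16));
}

// Accept exactly 32 lowercase hex characters; reject everything else
// before it reaches the query.
function validPublicKey(string $candidate): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $candidate) === 1;
}

// Resolve a public key to the internal id with a prepared statement.
// Returns null for a malformed key or an unknown one (same answer for both).
function recordIdForKey(PDO $db, string $key): ?int
{
    if (!validPublicKey($key)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id FROM pages WHERE public_key = :k');
    $stmt->execute([':k' => $key]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Stand-in database so the example runs offline (constructed sample row).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, public_key TEXT UNIQUE)');
$key = newPublicKey();
$db->prepare('INSERT INTO pages (id, public_key) VALUES (132, ?)')->execute([$key]);

// A bookmarkable GET URL: thePage.php?page=<32 hex chars>
$requested = $_GET['page'] ?? $key;
$id = recordIdForKey($db, (string) $requested);
echo $id === null ? "not found\n" : "record id $id\n";

// Anything that is not a 32-char hex string is rejected before the query runs.
var_dump(recordIdForKey($db, '132'));              // NULL
var_dump(recordIdForKey($db, "' OR 1=1 --"));      // NULL
```

The key stays bookmarkable, so the GET pattern Ray argues for is preserved; what changes is that the next record cannot be guessed by incrementing a number. The link is still only as private as the places it is logged or shared, which is the authorization question raised later in the thread.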
greetings lvmllc, , I see that you think that exposing the ID and its value in a web addy is not good for your needs. You have the example as - http://isomewhere.org/thePage.php?id=132 and you want all of the "GET" sets to not be shown in a web addy of -

I have never seen and do not think it is possible to have "GET" data segments sent, without having it in the web address.  
You also say - "the ID is displayed in the URL and this is what I want to hide."

You might consider the age old method of hiding something "In Plain Sight", What I would probably do is use a web addy like -

'page' is a very common PHP framework GET element used in many, and would not be ordinarily associated with an ID. The ID number (or String) would be converted to HEX, and then that hex string would be reversed or mixed to "Hide" the true hex value, which is easily un-hidden in php code that uses the __GET('page') element.

But there may be other factors you do not mention, I will assume that you have already thought about using session storage.
Ted BouskillSenior Software DeveloperCommented:
Guys, most Google APIs use header fields to pass values that are not shown in the URL.

This is a common and completely acceptable practice.  Yes, having values in the URL is easier to read (and manipulate); however, they can also make URLs completely unwieldy, and if they do not need to be saved as bookmarks it's better to put values in header fields.

Unfortunately many believe the only way to pass information is in the body of the request or in the URL.  The cookie is actually just a specialized header field value honoured by the browser.

Most importantly, HTTPS will encrypt header fields along with the body of the message.

I believe the function header() in PHP will allow you to control them.
as the obvious have already been written and explained: anything in a GET request cannot be hidden!
we can focus on the goal to achieve: what should be hidden, why, and what threats are expected?

Your quest to hide the data on GET request is a good one.  Exposing database IDs opens you up to script based hacking and possible exposure of your database layout.  When faced with similar situations in the past, I've written a function that encrypts the GET parameter(s) into a single string that is unencrypted in the receiving script.  ie:




The decrypted string contains the parameter name ('id') and the value (132) and works for multiple parameters.

The encryption uses the date string, or the hour as its encryption key assuring the parameter only works for a limited amount of time.  It's not NSA level security, but grants some measure of protection.
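An added example, not the poster's function above nor the hex-reversal trick from the earlier comment: all GET parameters are packed into one token that is encrypted and authenticated with libsodium (PHP 7.2 or later) and carries its own expiry. A key derived from the date, as above, can be recovered by anyone who knows the scheme; here the key is a 32-byte server secret, and a token that has been altered, forged or has expired opens to null. The secret is generated inline only so the script runs stand-alone; the parameter name `q`, the JSON layout and the 600-second lifetime are assumptions for this example.

```php
<?php
// Added example (not from the thread): put all GET parameters into one
// authenticated, encrypted, time-limited token with libsodium (PHP >= 7.2).
// Unlike hex-reversal or a date-derived key, nothing about the token can be
// read or altered without the server's secret key.
declare(strict_types=1);

// The key must be a 32-byte secret kept on the server (e.g. loaded from
// configuration); it is generated here only so the example runs stand-alone.
$key = sodium_crypto_secretbox_keygen();

function sealParams(array $params, string $key, int $ttlSeconds = 3600): string
{
    $payload = json_encode(['p' => $params, 'exp' => time() + $ttlSeconds]);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($payload, $nonce, $key);   // ciphertext + MAC
    // nonce || box, URL-safe base64 without padding, safe to place in a query string
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Returns the parameter array, or null if the token is malformed, tampered
// with, or expired. Every failure collapses to null: no detail for the caller.
function openParams(string $token, string $key): ?array
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                          // not valid base64
    }
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $minLen) {
        return null;                                          // too short to be real
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null;                                          // MAC failed: tampered or wrong key
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['exp'], $data['p']) || !is_array($data['p'])) {
        return null;
    }
    if (time() > (int) $data['exp']) {
        return null;                                          // expired
    }
    return $data['p'];
}

// Link side: the page emits thePage.php?q=<token>
$token = sealParams(['id' => 132, 'section' => 4], $key, 600);
echo "thePage.php?q=$token\n";

// Receiving side: $_GET['q'] would be passed in here.
var_dump(openParams($token, $key));                              // ['id' => 132, 'section' => 4]
var_dump(openParams($token . 'x', $key));                        // NULL: altered
var_dump(openParams(sealParams(['id' => 1], $key, -1), $key));   // NULL: expired
```

Both ends need the same secret, and the expiry check depends on the two clocks agreeing. Note also that a valid token proves only that the server issued it: the decrypted id still has to be checked against what the current user is allowed to see, which is the point ahoffman raises at the end of the thread.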


Ted BouskillSenior Software DeveloperCommented:
@ahoffman: I disagree with your assessment of hiding data in the GET request.  Variables encrypted using any encryption like AES 128 or 256 can be hidden in the HTTP header fields.  That is what many web API's do and we do at my employer.  Session and authentication fields are often hidden in GET requests using this technique.
@ tedbilly , , I can see the workability of your ID data in the headers, I use Header data a lot in AJAX GET and POST, for sending and getting "version" or "dated" data sets. But you can set and get the headers in an AJAX javascript call. . . . . You say - "hidden in the HTTP header fields", , so I was wondering what method you might use for setting the headers (any header, not just an encrypted one), if you create your page with PHP and have a URL link like -
<a href="http://isomewhere.org/thePage.php">The Page</a>
maybe? =
<a href="http://isomewhere.org/thePage.php" setHeader="ETag=ad3fc0bb">The Page</a>

Can you send Header info with a Link having the <a href= tag? ?
Although lvmllc says - "expose a var in a URL", I just assumed from lack of other information they were referring to an <a link tag.
I only referred to the request line, any header is "hidden" for browser users (but can be made visible very easily:), don't know if that is sufficient for this question ...
you cannot add headers with plain HTML (a tag)
you need to do it with XHR's setRequestHeader()
lvmllcAuthor Commented:
This is all good info.  A little more background. One of the sites I need to use this on is a 20 page survey/project. After the initial values have been entered, a user can return to the main page where they see a table of contents that allows them to go back to any one of their pages. I can work around the GET issue using a cookie or session var, but as the admin, I want to be able to go to a single page of a user - thus the ID added to the URL as a param.

Maybe this is just too insecure and I need to build a data portal that is protected by a password that once in I can type the page and user ID and it takes me to that page.
@ lvmllc , , in your last post you want to have "over All" administration rights of access, For me I always (no exceptions) use some sort of "Double Protect" sign in for any "over All" administration rights of access, because you can get info (or set info) that may be for more than one user (maybe for data base select that can list all of the users info in Rows output).  So I would urge you to do what you say - "I need to build a data portal that is protected by a password" to have "over All" administration rights of access, you might even consider having a rotating Access Code along with a "Long" password as to have more protection for such an important security leaks access.

Oh, you may or may not have the use of SSL, but if you do it might help to secure your admin log in with it.
is it acceptable for you if the users find and change the "hidden" id?
if so, you need some kind of encryption and/or authentication
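The question just asked, whether a user changing the "hidden" id matters, is an authorization question, so here is an added example (not from the thread) of the check the admin scenario needs: a user may open only their own survey pages, and an admin may open anyone's only after the stronger admin login the thread recommends. Where the id came from (query string, header, session or a decrypted token) does not change this check. The `Principal` class, the `ownerOf` lookup and the sample ownership table are assumptions constructed for the example.

```php
<?php
// Added example (not from the thread): whatever channel the id arrives on
// (query string, header, session, or a decrypted token), decide per request
// whether the authenticated caller may touch that record. Hiding the id is
// no substitute for this check.
declare(strict_types=1);

// Minimal view of the authenticated session; field names are assumptions.
final class Principal
{
    public function __construct(
        public readonly int $userId,
        public readonly bool $isAdmin,
    ) {}
}

// Resolves who owns a survey record; in real code this is a database lookup.
// Returns null when the record does not exist.
function ownerOf(int $recordId): ?int
{
    $owners = [132 => 7, 133 => 8];   // constructed sample data
    return $owners[$recordId] ?? null;
}

// Allow access if the caller owns the record, or is an admin who has passed
// the second login step ("Double Protect") on this session.
function mayAccess(Principal $who, int $recordId, bool $adminSecondFactorOk): bool
{
    $owner = ownerOf($recordId);
    if ($owner === null) {
        return false;                 // unknown record: same answer as "forbidden"
    }
    if ($owner === $who->userId) {
        return true;                  // own record
    }
    return $who->isAdmin && $adminSecondFactorOk;
}

// Request entry point: the id may come from any source; it is validated,
// then authorized, before any data is read.
function handleRequest(Principal $who, string $rawId, bool $adminSecondFactorOk): string
{
    if (!ctype_digit($rawId) || $rawId === '0') {
        return '400 invalid id';
    }
    if (!mayAccess($who, (int) $rawId, $adminSecondFactorOk)) {
        return '403 forbidden';       // log this: a changed id is worth noticing
    }
    return "200 page for record $rawId";
}

// Usage with constructed principals
$user  = new Principal(userId: 7, isAdmin: false);
$admin = new Principal(userId: 1, isAdmin: true);

echo handleRequest($user, '132', false), "\n";   // 200: own record
echo handleRequest($user, '133', false), "\n";   // 403: someone else's record
echo handleRequest($admin, '133', false), "\n";  // 403: admin without second step
echo handleRequest($admin, '133', true), "\n";   // 200
echo handleRequest($admin, '999', true), "\n";   // 403: no such record
echo handleRequest($user, '13a', false), "\n";   // 400: not a known-good value
```

A 403 on a record the user does not own is the signal worth logging: once ids are unpredictable or encrypted, a stream of such failures is a better indicator of probing than anything visible in the URL.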