liamloveslearning Posted June 4, 2008

I'm not sure if this is possible, but can you "encode(?)" URL data? My URL shows my msg id "/mail_viewmsg.php?msg_id=26" and I'm just curious, can I hide that? For example, it would show as a random key "/mail_viewmsg.php?msg_id=f78sk0". I'm aware you can keep data within the page rather than have them pass through the URL, btw.

discomatt Posted June 4, 2008

You can either use the mcrypt library if you want it to be very difficult to reverse the data (keep in mind you'll reach the maximum query size VERY quickly with this) or use a combination of base64_encode/base64_decode to put a little temporary mask on it.

Sorry, now that I reread it, you want the key to be unique per request, and not unique per id. So if someone viewed "/mail_viewmsg.php?msg_id=26" twice, the id would change per request and not be "/mail_viewmsg.php?msg_id=f78sk0" on both requests.

Am I on the right page here?

liamloveslearning (Author) Posted June 4, 2008

Yeah, just upon every request. I'm just thinking, if another user was viewing their message but changed the id at the top, theoretically he can see somebody else's message too, can't he?

liamloveslearning (Author) Posted June 4, 2008

In fact, as a security measure, if I was to add a member_id to the msg_id, then the user needs to match both ids in my row to access others' messages, won't he?

kbh43dz_u Posted June 4, 2008

This would make it harder but not impossible (just try - no security by obscurity) ... Better you check if the user is allowed to view the message: your users probably have to log in. Then you have their user ids or names saved in a session. Check if the user is allowed to view it - but by an id transported by the URL (take something a user can't manipulate).

discomatt Posted June 4, 2008

In this case you should have a user login system that uses sessions to pass user information from page to page. You can then check if said user has permission to access said msg_id, and all is safe. Security through obscurity is a bad way of protecting your data.

To add additional security (assuming you don't force sessions to use cookies), generate a new session id for said user on each page request, and use custom session handler functions to remove all instances of the old session id. This isn't the most efficient way of doing things, so you'll have to find a balance between the two.

liamloveslearning (Author) Posted June 4, 2008

Yeah, well I've restricted access to the page, but that's only so non-members can't access the data. So I need something along the lines of "if session id and receiver id match, show data?" Sorry, I'm getting confused thinking about the code so I might not be making any sense, but I think I understand it lol

discomatt Posted June 4, 2008

No, that's exactly what you want to do

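The ownership check the replies converge on ("if session id and receiver id match, show data"), written out as an added example that is not code from any poster in the thread. The table and column names (messages, msg_id, receiver_id, body), the session key member_id, and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: table/column names and the 'member_id' session key are
// assumptions, not taken from the thread.

/**
 * Return the message only if it belongs to $userId; otherwise null.
 * The ownership test is part of the WHERE clause, so a guessed or
 * altered msg_id can never return another member's row.
 */
function fetch_message_for_user(PDO $db, int $userId, $rawMsgId): ?array
{
    // Reject anything that is not a positive integer before touching the DB.
    $msgId = filter_var($rawMsgId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($msgId === false) {
        return null;
    }
    // Prepared statement: both values are bound, never concatenated.
    $stmt = $db->prepare(
        'SELECT msg_id, body FROM messages WHERE msg_id = :msg AND receiver_id = :uid'
    );
    $stmt->execute([':msg' => $msgId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (msg_id INTEGER PRIMARY KEY, receiver_id INTEGER, body TEXT)');
$db->exec("INSERT INTO messages VALUES (26, 1, 'hello member 1'), (27, 2, 'hello member 2')");

// In mail_viewmsg.php these would come from $_SESSION['member_id'] (set at
// login, server-side) and $_GET['msg_id'] (fully controlled by the visitor).
$sessionMemberId = 1;
foreach (['26', '27', '26 OR 1=1', '9999'] as $requested) {
    $msg = fetch_message_for_user($db, $sessionMemberId, $requested);
    // Same response for "not yours" and "does not exist", so ids cannot be probed.
    echo $requested, ' => ', $msg === null ? '404 Not Found' : $msg['body'], PHP_EOL;
}
```

With this check in place the msg_id can stay a plain integer in the URL, because the value a visitor can change is never the only thing deciding which row is returned.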
Archived
This topic is now archived and is closed to further replies.