Secure Querystrings?

mschrank


Let's say you have a querystring like this:

page.php?user=fred

Now you don't want fred to be able to log on and put in, say, page.php?user=joe and load joe's information. So is it possible to have a kind of secure querystring where the whole querystring is encrypted and fred isn't able to tweak the values to hack into other people's information?

As you can see, I did some web searching and apparently ASP.net can do this.

http://www.dotnetjunkies.com/HowTo/99201486-ACFD-4607-A0CC-99E75836DC72.dcik

I would be quite surprised if the same doesn't exist for PHP.

If not, what is a good way to pass variables to web pages in a secure manner?

Thanks!
I agree with Wildteen, use sessions or cookies to pass on the user's id or something to the script. In the event that you cannot for any reason use such an approach, I would suggest using something like MD5 and the following...
$_username = $_GET['username'];
// Bind the value instead of interpolating it into the SQL string, so a crafted username cannot alter the query.
$stmt = $db->prepare("SELECT * FROM $user_table WHERE username = ?");
$stmt->execute([$_username]);

Now you may go so far as to add a second column to the table such as username_crypt that when the user registers stores the MD5 hash of their username. That way you can have both a hash username and normal one. Recognize that you can't undo the hash (to my knowledge) so you'll be comparing the hash in the URL to one in the database that was generated prior using the username string. Check out
http://us2.php.net/manual/en/function.md5.php
to read more on the matter, but it would be something like this...
$_hash = md5($string);


EDIT
What exactly are you trying to do? Because a list of links that each has a username at the end seems like a poor way to implement a user profile system. Sessions would be better because at the beginning of a script you can check the session for the user id then work from there. So instead of a url with a passed param like ?username=joe, you would just have the script file, profile.php.
Basically it's a family web application, where the main identifier is the family_id, which the user never sees or changes. That is contained in the session object.

However, within the family there are numerous children and parents/guardians. On the "edit parent details" screen, you have a list of registered parents and the user can click on a parent from a dynamically generated list from the DB and then go to another page that allows him to change the information for that particular parent.

So that's why I need the querystring variable: it's the only way to send data dynamically. Session variables and other things like that require you to know what you need to send beforehand, not after the generation of a list from a database.
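The setup described in the post above (family_id in the session, the chosen parent's id in the querystring) does not need an encrypted querystring: the page only has to refuse any parent id that is not in the logged-in family. The following is an added example, not code from the thread; it assumes a `parents` table with `id`, `family_id` and `name` columns and a PDO connection `$db`.

```php
<?php
// Added example: scope the querystring id to the family_id already held in the
// session, so a tampered ?parent_id= value can only reach parents of the
// logged-in family. Table/column names and the PDO DSN are assumptions.

session_start();

function loadParentForFamily(PDO $db, int $familyId, int $parentId): ?array
{
    // Both WHERE conditions matter: the session supplies family_id, the URL
    // supplies parent_id, and a row is returned only if it matches both.
    $stmt = $db->prepare(
        'SELECT id, family_id, name FROM parents WHERE id = :pid AND family_id = :fid'
    );
    $stmt->execute([':pid' => $parentId, ':fid' => $familyId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (empty($_SESSION['family_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// Validate the querystring value as a positive integer before it reaches SQL.
$parentId = filter_input(
    INPUT_GET, 'parent_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]
);
if ($parentId === null || $parentId === false) {
    http_response_code(400);
    exit('Bad parent id');
}

$db = new PDO('mysql:host=localhost;dbname=family_app', 'user', 'password'); // placeholder DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$parent = loadParentForFamily($db, (int) $_SESSION['family_id'], $parentId);
if ($parent === null) {
    // No such parent, or it belongs to another family: same response either
    // way, so the URL cannot be used to probe for other families' ids.
    http_response_code(404);
    exit('Parent not found');
}

// ... render the edit form for $parent ...
```

The same family-scoped lookup has to run again when the edit form is submitted, since the POST body can be altered just as easily as the querystring.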
Here's an idea: make a radio button next to each one and a submit button. Then when you click the submit button, send it on its way via the POST method. Or hell, if you want to make your code even fancier, depending on your needs, you can make checkboxes instead, to select multiple names. I dunno what your needs are though, so that may or may not be a necessary extra step.