Secure Querystrings?


5 replies to this topic

#1 mschrank

mschrank
  • Members
  • Member
  • 12 posts

Posted 28 June 2006 - 05:25 PM

Let's say you have a querystring like this:

page.php?user=fred

Now you don't want fred to be able to log on and put in, say, page.php?user=joe and load joe's information. So is it possible to have a kind of secure querystring where the whole querystring is encrypted and fred isn't able to tweak around with the values to hack into other people's information?

As you can see, I did some web searching and apparently ASP.net can do this.

http://www.dotnetjunkies.com/HowTo/99201486-ACFD-4607-A0CC-99E75836DC72.dcik

I would be quite surprised if the same doesn't exist for PHP.

If not, what is a good way to pass variables to web pages in a secure manner?

Thanks!

#2 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 28 June 2006 - 05:47 PM

I'd use sessions. That is the best secure method as the user is oblivious of any data being passed from page to page. It keeps the url tidy too.

#3 mschrank

mschrank
  • Members
  • Member
  • 12 posts

Posted 28 June 2006 - 06:47 PM

But you can't set a session variable when a user clicks on a link. Can you?

#4 Buyocat

Buyocat
  • Members
  • Advanced Member
  • 267 posts

Posted 28 June 2006 - 06:51 PM

I agree with Wildteen, use sessions or cookies to pass on the user's id or something to the script. In the event that you cannot for any reason use such an approach, I would suggest using something like MD5 and the following...
$_username = $_GET['username'];
$stmt = $pdo->prepare("SELECT * FROM $user_table WHERE username = ?"); // $pdo is an assumed PDO connection; the value is bound, not interpolated into the SQL
$stmt->execute([$_username]);

Now you may go so far as to add a second column to the table such as username_crypt that when the user registers stores the MD5 hash of their username. That way you can have both a hash username and normal one. Recognize that you can't undo the hash (to my knowledge) so you'll be comparing the hash in the URL to one in the database that was generated prior using the username string. Check out
http://us2.php.net/manual/en/function.md5.php
to read more on the matter, but it would be something like this...
$_hash = md5($string);


EDIT
What exactly are you trying to do? Because a list of links that each has a username at the end seems like a poor way to implement a user profile system. Sessions would be better because at the beginning of a script you can check the session for the user id then work from there. So instead of a url with a passed param like ?username=joe, you would just have the script file, profile.php.

#5 mschrank

mschrank
  • Members
  • Member
  • 12 posts

Posted 28 June 2006 - 07:05 PM

Basically it's a family web application, where the main identifier is the family_id, which the user never sees or changes. That is contained in the session object.

However, within the family there are numerous children and parents/guardians. On the "edit parent details" screen, you have a list of registered parents and the user can click on a parent from a dynamically generated list from the DB and then go to another page that allows him to change the information for that particular parent.

So that's why I need the querystring variable, because it's the only way to send data dynamically. Session variables and other things like that require you to know what you need to send beforehand, not after the generation of a list from a database.
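An added example (not code from any post in this thread) of one way to handle the parent-edit links described above: the parent_id stays in the querystring but carries an HMAC so tampering is detected, and the receiving page still checks that the row belongs to the family_id held in the session, which is the check that actually protects the data. It assumes a PDO connection in $pdo, a table parents(parent_id, family_id, name), and a LINK_SECRET placeholder that would be replaced by a real secret kept outside the web root.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO), a table
// parents(parent_id, family_id, name) and a real secret in place of LINK_SECRET.
declare(strict_types=1);

const LINK_SECRET = 'replace-with-a-long-random-secret'; // placeholder value

// Build the link for the parent list: the id is visible, but an HMAC over
// "parentId|familyId" lets the server detect any edit to it, and including
// the family_id ties the link to the family in the current session.
function signedEditLink(int $parentId, int $familyId): string
{
    $mac = hash_hmac('sha256', "$parentId|$familyId", LINK_SECRET);
    return 'edit_parent.php?parent_id=' . $parentId . '&sig=' . $mac;
}

// Verify the querystring on edit_parent.php. Returns the parent id, or null
// when a parameter is missing, malformed or the signature does not match.
function verifiedParentId(array $query, int $familyId): ?int
{
    if (!isset($query['parent_id'], $query['sig'])
        || !ctype_digit((string) $query['parent_id'])) {
        return null;
    }
    $parentId = (int) $query['parent_id'];
    $expected = hash_hmac('sha256', "$parentId|$familyId", LINK_SECRET);
    // hash_equals() compares in constant time so timing does not leak the MAC.
    return hash_equals($expected, (string) $query['sig']) ? $parentId : null;
}

// Even with a valid signature, authorisation is enforced in the query itself:
// the row must belong to the family stored in the session, never to a
// family_id supplied by the client.
function loadParentForFamily(PDO $pdo, int $parentId, int $familyId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT parent_id, name FROM parents WHERE parent_id = ? AND family_id = ?'
    );
    $stmt->execute([$parentId, $familyId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage on edit_parent.php (session already started by the application):
// $familyId = (int) $_SESSION['family_id'];
// $parentId = verifiedParentId($_GET, $familyId);
// $parent   = $parentId === null ? null : loadParentForFamily($pdo, $parentId, $familyId);
// if ($parent === null) { http_response_code(403); exit; }
```

The signature only makes the link tamper-evident; the family_id condition in the SQL is what stops one family from editing another family's parents, so it should stay even if the signature is dropped.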

#6 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 28 June 2006 - 07:30 PM

here's an idea: make a radio button next to each one and a submit button. then when you click the submit button, send it on its way via post method. or hell, if you want to make your code even fancier, depending on your needs, you can make checkboxes instead, to select multiple names. i dunno what your needs are though, so that may or may not be a necessary extra step.
