Albana_12 Posted April 22, 2012

Hi everyone, first of all let me thank you for this wonderful forum. I always come back here when I need help... I'm trying to learn, so soon, I hope, I'll be helping others... I have a question for now. I have code which goes like this:

```php
<?php
// Timestamp six hours ahead of the server clock, in the format sent to the API.
$date1 = date("Y-m-d;h:i:s", time() + 6 * 3600);
$str_time = "&receivedtimestamp=";
$str_msg = "&msg=bkt";
$str_from = "from=";
?>
<a href="http://testext.i-movo.com/api/receivesms.aspx?<?php echo $str_from; ?><?php echo urlencode($getuser[0]['phone']); ?><?php echo $str_time; ?><?php echo urlencode($date1); ?><?php echo $str_msg; ?>">Get a Cupon</a>
```

What I need is that when the URL is generated, one of those variables is hidden, for example the $str_from should be in the link but not visible... I must tell you that the link on the Get Cupon goes to an external link, so I don't know if I can do it with .httpaccess as I've heard...
nafetski Posted April 23, 2012

Well, you can't really... it's the foundation of how the web works. You can't *hide* parts of your URL and still expect it to work when it hits the server... everything that is sent is out in the open (when it comes to URLs). Some common ways people get around this are:

#1 - Sending a hash (md5, sha1, something). This is a one way "encryption" so you have to also store the hash as a relation somewhere in your database (so you can do a lookup)

#2 - base64encode. Converts the string into base64, then you use base64decode when it hits the server. This doesn't mean the user can't run base64decode themselves (they can), so it's not secure. It's just a way to make things a bit more difficult.

#3 - Pass a user ID, or some other data that wouldn't make sense to the general public. (but there is a relation in your DB)
xyph Posted April 23, 2012

Encryption, even when "quoted", is a bad term for one-way hashing. Encryption is never one way. It always assumes one can later decrypt. Everything else you've said holds true though.

You'd have to describe what you're doing if you want advice. We've established that you can't solve your problem with the solution you want, so elaborate on your problem so we can help you with an ideal solution.
nafetski Posted April 23, 2012

Totally agree, it just seems to be the term that beginners use to describe what they want when hashing... hence the quotes.
chrisguk Posted April 23, 2012

If I am reading this right? First you are referring to .aspx, this is a PHP forum. To mask URLs you can use a URL redirect rule in .htaccess, but in your case it does not fall into that category because you seem to be passing a URL string to complete either a form/registration submission, therefore the request would not be complete.

In PHP the "GET" method is usually associated with strings in the URL but "POST" is favoured as the variables (values) are hidden in the server side. I'm not an aspx guru so I'm not sure if you can achieve the same, but I'm guessing you can?
nafetski Posted April 23, 2012

Well, the fact that his link points to an asp page isn't a horrible issue... as far as the .asp script is concerned a GET variable is a GET variable (tho it's a bit strange that he's going from PHP => ASP, it's not unheard of).

POST is in no way more secure than GET... you can see the POST data in an HTTP request clear as day, the only difference is it doesn't show up in the address bar.
Albana_12 (Author) Posted April 25, 2012

Hello everyone, thank you for your time and thanks for the replies... Let me tell you what this is all about. I will create a system which works like this. A user registers, enters his data and his phone number. Then the user, by buying things, will get some points. At the moment when the user has gathered enough points he can get a cupon. The "Get a cupon" link is generated, which holds even the user's phone number... as I have posted above... When the user clicks on "get a cupon" he is redirected to the service which makes it possible to send the user an SMS message and to tell him what he earned. This URL of the submission for the cupon is generated by putting in the phone number, but once the user knows the URL he can easily put in another phone number and also win a cupon. I need the URL not to be clear to the user.
Jessica Posted April 25, 2012

You know it's coupon right?
Albana_12 (Author) Posted April 25, 2012

Yes, sorry... my English is not perfect since it's not my native language...
Jessica Posted April 25, 2012

I'm a little confused where the problem is. If he submits a phone number other than his own, won't the sms go to that phone number, not his? Either way, before sending the coupon, check if the user with that phone number/id/etc has enough points in the DB. Rather than trying to obscure the data, you must check and double check what is supplied to you.
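
nafetski's option #3 (pass data that only means something through a relation in your DB) and Jessica's advice (check the points in the DB before sending) can be combined in one handler. The PHP below is an added example, not code from any poster in this thread; the table names, `COUPON_COST`, the function names and the sample rows are assumptions, and it assumes the site's own server makes the request to the SMS service so the browser never receives that URL.

```php
<?php
// Added example. Schema, names and COUPON_COST are assumptions, not from the thread.
const COUPON_COST = 100; // hypothetical points price of one coupon

// The link shown to the user carries only this random token, never the phone number.
function issueToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO coupon_tokens (token, user_id, used) VALUES (?, ?, 0)')
       ->execute([$token, $userId]);
    return $token;
}

// Returns the SMS request for the token's owner, or null if the token is unknown,
// already used, or the owner's balance in the DB is too low.
function redeem(PDO $db, string $token): ?string
{
    $db->beginTransaction();
    $claim = $db->prepare('UPDATE coupon_tokens SET used = 1 WHERE token = ? AND used = 0');
    $claim->execute([$token]);
    if ($claim->rowCount() !== 1) { $db->rollBack(); return null; }
    $spend = $db->prepare('UPDATE users SET points = points - ? WHERE points >= ?
        AND id = (SELECT user_id FROM coupon_tokens WHERE token = ?)');
    $spend->execute([COUPON_COST, COUPON_COST, $token]);
    if ($spend->rowCount() !== 1) { $db->rollBack(); return null; }
    $q = $db->prepare('SELECT phone FROM users WHERE id =
        (SELECT user_id FROM coupon_tokens WHERE token = ?)');
    $q->execute([$token]);
    $phone = $q->fetchColumn();
    $db->commit();
    // The phone number comes from the DB row; the server sends this request itself.
    return 'http://testext.i-movo.com/api/receivesms.aspx?' . http_build_query([
        'from' => $phone,
        'receivedtimestamp' => date('Y-m-d;h:i:s', time() + 6 * 3600),
        'msg' => 'bkt',
    ]);
}

// Constructed sample data: user 1 has enough points, user 2 does not.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, phone TEXT, points INTEGER)');
$db->exec('CREATE TABLE coupon_tokens (token TEXT PRIMARY KEY, user_id INTEGER, used INTEGER)');
$db->exec("INSERT INTO users VALUES (1, '15550100', 250), (2, '15550101', 40)");
$t1 = issueToken($db, 1);
var_dump(redeem($db, $t1) !== null);       // first use of the link
var_dump(redeem($db, $t1));                // replay of the same link
var_dump(redeem($db, issueToken($db, 2))); // balance below COUPON_COST
var_dump(redeem($db, 'guessed-token'));    // token not in the table
```

Because the token is claimed and the points are deducted inside one transaction, editing the link or clicking it twice cannot produce a second coupon or one for a different phone number.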