Jump to content

Recommended Posts

Hi everyone,

 

first of all let me thank you for this wonderful forum :)

 

I come back here always when i need help... i'm trying to learn so soon i hope, i'll be helping others...

 

I have a question for now, i have a code which goes like this:

 

    <?
     $b = time (); 
$date1 =date( "Y-m-d;h:i:s" , mktime(date("h")+6, date("i"), date("s"), date("m") , date("d"), date("Y"))); 
$str_time = "&receivedtimestamp="; 
$str_msg = "&msg=bkt"; 
$str_from = "from="; 

?>
    <a href="http://testext.i-movo.com/api/receivesms.aspx?<?echo $str_from;?><?=$getuser[0]['phone'];?><?echo $str_time;?><?echo $date1;?><?echo $str_msg;?>">Get a Cupon</a>

 

What i need is that when the URL is generated, one of those variables to be hidden, for example the $str_from to be in the link but not visible... I must tell you that the link on the Get Cupon goes to an external link so i don't know if i can do it with .httpaccess as i've heard...

Link to comment
https://forums.phpfreaks.com/topic/261430-hide-variable-in-php-generated-url-link/
Share on other sites

Well, you can't really...it's the foundation of how the web works.  You can't *hide* parts of your URL and still expect it to work when it hits the server...everything that is sent is out in the open (when it comes to URL's).

 

Some common ways people get around this is by

 

#1 - Sending a hash (md5, sha1, something).  This is a one way "encryption" so you have to also store the hash as a relation somewhere in your database (so you can do a lookup)

#2 - base64encode.  Converts the string into base64, then you use base64decode when it hits the server.  This doesn't mean the user can't run base64decode themselves (they can), so its' not secure.  It's just a way to make things a bit more difficult.

#3 - Pass a user ID, or some other data that wouldn't make sense to the general public. (but there is a relation in your DB)

Encryption, even when "quoted" is a bad term for one-way hashing. Encryption is never one way. It always assume one can later decrypt.

 

Everything else you've said holds true though.

 

You'd have to describe what you're doing if you want advice. We've established that you can't solve your problem with the solution you want, so elaborate on your problem so we can help you with an ideal solution.

If I am reading this right?

 

First you are referring to .aspx, this is a PHP forum.

 

To mask URLs you can use a URL redirect rule in .htaccess but in your case it does not fall into that category because you seem to be passing a URL string to complete either a form/registration submission, therefore the request would not be complete.

 

In PHP the "GET" method is usually associated with strings in the URL but "POST" is favoured as the variable(values) are hidden in the server side. 

 

Im not an aspx guru so im not sure if you can achieve the same but im guessing you can?

Well, the fact that his link points to an asp page isn't a horrible issue...as far as the .asp script is concerned a GET variable is a GET variable (tho it's a bit strange that he's going from PHP => ASP, it's not unheard of)

 

POST is in no way more secure than GET...you can see the POST data in an http request clear as day, the only difference is it doesn't show up in the address bar.

Hello everyone,

 

Thank you for your time and thanks for the replies...

 

Let me tell you what's this all about.

 

I will create a system which works like this.

 

A user registers, enters his data and his phone number. Then the user by buying things will get some points. At a moment, when the user has gathered enough points he can get a cupon. The "Get a cupon" link is generated which holds even the user's phone number...as i have posted above... when the user clicks on "get a cupon" is redirected to the service which makes possible to send a user a sms message and to tell him what he earned. This URL of the submission for the cupon is generated by puting the phone number, but once the user knows the URL he can easily put another phone number and also win a cupon. I need for the URL not to be clear to the user.

I'm a little confused where the problem is. If he submits a phone number other than his own, won't the sms go to that phone number, not his?

Either way, before sending the coupon, check if the user with that phone number/id/etc has enough points in the DB.

Rather than trying to obscure the data, you must check and double check what is supplied to you.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.