Encrypt the Query string

[andrew_ww]

Hello,

I need to encrypt the query string, is this possible, if so how easy would it be for a newbie to achieve it?

Thanks,

Andy.

[Jessica]

This is a vague question.

You want it decryptable? Why are you trying to do this anyway?

[andrew_ww]

Just so people cannot alter the string to bypass the system.  Say I have this:

[code]http://localhost/test%20site/child.php?recordID=1[/code]

There is nothing stopping people from typing:

[code]http://localhost/test%20site/child.php?recordID=23[/code]

and seeing something they are not suppose to see.

[Jessica]

Okay, that isn't really anything to do with encryption.

You could use session variables instead of url & GET, and also VALIDATE it.

If they're not allowed to have access to 23, when they try to do that, print an error. You have to check for that stuff.

[andrew_ww]

I'm not sure I understand.

Session variable relate to when a user is logged in - correct ?

I essentially have a master - detail page setup, surely a session variable can only determine if a user can either access page 'child.php' or not.

I cannot see how it could stop 'user1' from typing in a different URL once he's already been logged in and granted a session ?

[Jessica]

Okay ignore that.

When you $_GET the id, before you display stuff, check if the user has access to that record. What makes you say User X doesn't have access to record 21? That's what you use to validate it.

[andrew_ww]

Okay - thank you.

In this case the site will be used only be a handful of people, so if you can login successfully anything on the site is fair game.  The site will restrict people who are not on a list of pre-approved IP addresses

I guess my paranoia gland was over working.  If it was a simple thing to do I would have implemented it.

Cheers,

Andy.