Do you encode all your variables that you pass?

Posted: Thu Sep 09, 2004 6:55 pm
by bradles
When passing variables to the new page, do you always encode them? I have not yet learned how to do this but was just wondering what sort of security hazards there are if you don't encode them.

Brad

Posted: Thu Sep 09, 2004 7:00 pm
by feyd
What kind of encoding? Encryption? ... or ... URL encoding?

Posted: Fri Sep 10, 2004 1:03 am
by bradles
Hi Feyd,

Not sure even if I'm barking up the right tree here, but I saw a www address that had this after the last "/":

preview.mgi?mgiToken=BC2GMIC77F137BM3AJ&a=A00000-488&lg=0&c=0008&g=1&d=2453258&p=1

I just assumed that the token was encoded as it looked like gibberish. Sorry if I'm off track here.

Brad.

Posted: Fri Sep 10, 2004 1:15 am
by feyd
Yes, that's an encoding of sorts... you can create your own versions of this, or use existing ones... even play around with existing ones to make them your own... although it looks like 'token' is their session ID system...

Posted: Fri Sep 10, 2004 1:20 am
by bradles
Awesome...thanks feyd.

Is this sort of thing done most of the time...or do most people not worry about encoding variables?

Brad.

Posted: Fri Sep 10, 2004 1:40 am
by feyd
Depends on how secure you care for that data to be... the more secure you want it, the more encryption/protection you'll want/need on it. However, the more secure you go, the farther away from URL parameters you get.

Posted: Fri Sep 10, 2004 4:41 am
by m3mn0n
If data was that sensitive, I wouldn't recommend passing it via GET. It should be sent via POST on a 128-bit SSL enabled server.
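
Added example, not part of the original thread and not written by any of its posters: a Python sketch of the distinction discussed above. URL encoding is reversible and ordinary query parameters are readable by anyone who sees the link, while keeping the values server-side and passing only a random token keeps the data out of the URL. `TokenStore`, the function names, and the `/preview` path are hypothetical.

```python
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode

# Query string quoted in the thread above.
THREAD_QUERY = "mgiToken=BC2GMIC77F137BM3AJ&a=A00000-488&lg=0&c=0008&g=1&d=2453258&p=1"


def url_encoding_is_reversible(value):
    """URL encoding only escapes characters; decoding needs no secret."""
    return unquote(quote(value, safe="")) == value


def plain_params(query):
    """Everything in a query string is readable by whoever sees the link."""
    return {key: vals[0] for key, vals in parse_qs(query).items()}


class TokenStore:
    """Hypothetical server-side store: the URL carries only a random token."""

    def __init__(self):
        self._data = {}

    def issue(self, values):
        token = secrets.token_urlsafe(16)  # unguessable and carries no data
        self._data[token] = dict(values)
        return token

    def resolve(self, token):
        # Unknown or altered tokens resolve to nothing instead of being trusted.
        return self._data.get(token)


def build_link(page, store, values):
    """Build a link that exposes the token but none of the stored values."""
    return page + "?" + urlencode({"token": store.issue(values)})


def read_link(link, store):
    """Return the stored values for a link, or None if the token is invalid."""
    query = link.split("?", 1)[1] if "?" in link else ""
    tokens = parse_qs(query).get("token", [])
    return store.resolve(tokens[0]) if len(tokens) == 1 else None
```

The token still travels in the URL, so it ends up in browser history and server logs like any GET parameter; it only stops the values themselves from being read or edited in the link.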