[SOLVED] disguising variables in links?

irealms
Forum Contributor
Posts: 215
Joined: Mon Apr 28, 2003 7:10 am
Location: Leeds

disguising variables in links?

Post by irealms »

I have set up some security checks to stop variables being misused in links, but is there a way of disguising the link itself? Or the variables within the link?
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Although I personally haven't used it for this purpose, I'd have a look at serialize. Do note, however, that as a rule of thumb, do not exceed 256 characters for a URL. Rumour has it that some browsers can't cope with more (although I personally don't know which ones).

Post by irealms »

thanks i'll look into it. :)

The checks i've added check a user variable, id variable and order number against the database and session variables so people can't change numbers to get a match, i mean maybe they could but they'd have to be damn lucky to get it, lol.

Post by irealms »

made a small test file to see results:

<?php
$test = 'test';
$serialized = serialize($test);
echo 'serialized: '.$serialized.'<br />';
$un = unserialize($serialized);
echo 'un: '.$un.'';
?>

and got this:

serialized: s:4:"test";
un: test

the variable test still shows up but inside " and " is this right?

Post by patrikG »

if you urlencode that, you'll have the desired effect. There might be more elegant ways of doing that, but serialize & urlencode is the first thing that comes to mind.

Post by irealms »

ok so i serialize a variable, then urlencode it, then i urldecode and then unserialize?

Post by patrikG »

yup

Post by irealms »

seems to work i now get:

serialized: s:4:"test";
urlenc: s%3A4%3A%22test%22%3B
urldec s:4:"test";
un: test


:) cheers

Post by patrikG »

np :)

Post by irealms »

hmm i think with all this the variables might run over 250 chars, so will have to maybe only use the one and draw others within the file from that

Post by irealms »

when i serialize a variable and pass it over a link i get this:

orderno=s:5:"91783";

i then attempt to unserialize using:

unserialize($_GET['orderno']);

and get nothing for some reason.
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

You need to use "urlencode" and "urldecode"...
http://www.php.net/manual/en/function.urlencode.php
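
An added example, not part of the thread and not any poster's code: serialize() plus urlencode() only changes how the value looks in the link, so this example also attaches an HMAC and rejects any parameter that was altered. SECRET_KEY, make_param(), read_param() and order.php are hypothetical names, the key is a constructed placeholder, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the thread). SECRET_KEY, make_param() and
// read_param() are hypothetical; the key below is a constructed placeholder.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';

// Serialize the value, prefix an HMAC over it, and make the result URL-safe.
function make_param($value): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, SECRET_KEY);
    // urlencode() escapes the ':', '"' and ';' characters serialize() emits.
    return urlencode($mac . '.' . $payload);
}

// Check the HMAC before unserializing; returns null for any rejected input.
function read_param(string $raw)
{
    $parts = explode('.', $raw, 2);   // hex MAC never contains '.'
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $mac)) {
        return null;                  // value or MAC was changed in the link
    }
    // allowed_classes => false keeps unserialize() from creating objects.
    $value = unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== serialize(false)) {
        return null;                  // not a valid serialized string
    }
    return $value;
}

$param = make_param('91783');         // order number from the thread
echo 'order.php?orderno=' . $param . "\n";   // order.php is a hypothetical page

// PHP URL-decodes $_GET values itself; urldecode() stands in for that here.
$received = urldecode($param);
var_dump(read_param($received));      // unmodified parameter

// Editing one digit of the order number makes the HMAC check fail.
$tampered = str_replace('91783', '91784', $received);
var_dump(read_param($tampered));
```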