disguising variables in links?
Posted: Wed Oct 27, 2004 3:37 am
by irealms
I have set up some security checks to stop variables being misused in links, but is there a way of disguising the link itself? or the variables within the link?
Posted: Wed Oct 27, 2004 3:48 am
by patrikG
Although I personally haven't used it for this purpose, I'd have a look at serialize(). Do note, however, that as a rule of thumb, do not exceed 256 characters for a URL. Rumour has it that some browsers can't cope with more (although I personally don't know which ones).
Posted: Wed Oct 27, 2004 3:54 am
by irealms
thanks i'll look into it.
The checks i've added check a user variable, id variable and order number against the database and session variables so people can't change numbers to get a match, i mean maybe they could but they'd have to be damn lucky to get it, lol.
Posted: Wed Oct 27, 2004 4:11 am
by irealms
made a small test file to see results:
<?php
$test = 'test';
$serialized = serialize($test);
echo 'serialized: '.$serialized.'<br />';
$un = unserialize($serialized);
echo 'un: '.$un.'';
?>
and got this :
serialized: s:4:"test";
un: test
the variable test still shows up but inside " and " is this right?
Posted: Wed Oct 27, 2004 4:16 am
by patrikG
if you urlencode() that, you'll have the desired effect. There might be more elegant ways of doing that, but serialize & urlencode is the first thing that comes to mind.
Posted: Wed Oct 27, 2004 4:26 am
by irealms
ok so i serialize a variable, then urlencode it, then i urldecode and then unserialize?
Posted: Wed Oct 27, 2004 4:29 am
by patrikG
yup
Posted: Wed Oct 27, 2004 4:30 am
by irealms
seems to work i now get:
serialized: s:4:"test";
urlenc: s%3A4%3A%22test%22%3B
urldec s:4:"test";
un: test

cheers
Posted: Wed Oct 27, 2004 4:32 am
by patrikG
np

Posted: Wed Oct 27, 2004 5:03 am
by irealms
hmm i think with all this the variables might run over 250 chars, so will have to maybe only use the one and draw others within the file from that
Posted: Wed Oct 27, 2004 5:28 am
by irealms
when i serialize a variable and pass it over a link i get this:
orderno=s:5:"91783";
i then attempt to unserialize using:
unserialize($_GET['orderno']);
and get nothing for some reason.
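Added example, not part of the original thread: serialize() and urlencode() only re-encode a value, so it stays readable and editable in the link, and unserialize() on request data is best avoided. The sketch below instead signs the order number with an HMAC tied to the user, so a changed number fails verification. The key, the user id and view.php are constructed placeholders.

```php
<?php
// Added example (not from the thread). All values below are constructed.
// Assumption: $secret is a server-side key that never appears in a link.

// URL-safe base64 without padding, so the token needs no further escaping.
function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Build "orderno.signature"; the signature binds the order number to the user.
function sign_orderno(string $orderno, string $userId, string $secret): string
{
    $mac = hash_hmac('sha256', $userId . '|' . $orderno, $secret, true);
    return $orderno . '.' . b64url($mac);
}

// Return the order number if the token is intact for this user, else null.
function verify_orderno(string $token, string $userId, string $secret): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null; // malformed input is rejected; nothing is unserialized
    }
    [$orderno, $sig] = $parts;
    $mac = hash_hmac('sha256', $userId . '|' . $orderno, $secret, true);
    // hash_equals() compares in constant time
    return hash_equals(b64url($mac), $sig) ? $orderno : null;
}

$secret = 'constructed-demo-key-change-me'; // constructed value
$userId = '42';                             // would come from $_SESSION
$token  = sign_orderno('91783', $userId, $secret);

echo 'link: view.php?orderno=' . rawurlencode($token) . "\n";

var_dump(verify_orderno($token, $userId, $secret));                      // untouched token
var_dump(verify_orderno('91784' . substr($token, 5), $userId, $secret)); // edited order number
var_dump(verify_orderno($token, '43', $secret));                         // token replayed by another user
```

The signature check complements the database and session checks described earlier in the thread; it does not replace them.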
Posted: Wed Oct 27, 2004 6:17 am
by CoderGoblin