
disguising variables in links?

Posted: Wed Oct 27, 2004 3:37 am
by irealms
I have set up some security checks to stop variables being misused in links, but is there a way of disguising the link itself? Or the variables within the link?

Posted: Wed Oct 27, 2004 3:48 am
by patrikG
Although I personally haven't used it for this purpose, I'd have a look at [php_man]serialize[/php_man]. Do note, however, that as a rule of thumb, you should not exceed 256 characters for a URL. Rumour has it that some browsers can't cope with more (although I personally don't know which ones).

Posted: Wed Oct 27, 2004 3:54 am
by irealms
Thanks, I'll look into it. :)

The checks I've added check a user variable, id variable and order number against the database and session variables so people can't change numbers to get a match. I mean, maybe they could, but they'd have to be damn lucky to get it, lol.

Posted: Wed Oct 27, 2004 4:11 am
by irealms
made a small test file to see results:

<?php
// serialize() turns the value into PHP's string representation
$test = 'test';
$serialized = serialize($test);
echo 'serialized: '.$serialized.'<br />';
// unserialize() restores the original value from that representation
$un = unserialize($serialized);
echo 'un: '.$un;
?>
and got this:

serialized: s:4:"test";
un: test

The variable test still shows up, but inside " and ". Is this right?


Posted: Wed Oct 27, 2004 4:16 am
by patrikG
If you [php_man]urlencode[/php_man] that, you'll have the desired effect. There might be more elegant ways of doing that, but serialize & urlencode is the first thing that comes to mind.

Posted: Wed Oct 27, 2004 4:26 am
by irealms
OK, so I serialize a variable, then urlencode it, then I urldecode and then unserialize?

Posted: Wed Oct 27, 2004 4:29 am
by patrikG
yup

Posted: Wed Oct 27, 2004 4:30 am
by irealms
Seems to work, I now get:

serialized: s:4:"test";
urlenc: s%3A4%3A%22test%22%3B
urldec s:4:"test";
un: test

:) cheers

Posted: Wed Oct 27, 2004 4:32 am
by patrikG
np :)

Posted: Wed Oct 27, 2004 5:03 am
by irealms
Hmm, I think with all this the variables might run over 250 chars, so I will have to maybe only use the one and draw others within the file from that.

Posted: Wed Oct 27, 2004 5:28 am
by irealms
When I serialize a variable and pass it over a link, I get this:

orderno=s:5:"91783";

I then attempt to unserialize using:

unserialize($_GET['orderno']);

and get nothing for some reason.

Posted: Wed Oct 27, 2004 6:17 am
by CoderGoblin
You need to use "urlencode" and "urldecode"...
http://www.php.net/manual/en/function.urlencode.php
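The full round trip the thread settles on (serialize, urlencode on the sending side; unserialize on the receiving side), as an added example that is not code from any poster in this thread. It uses hypothetical helper names and a constructed order number. Two points it makes explicit that the posts do not: PHP has already percent-decoded the query string by the time it lands in $_GET, so calling urldecode() on it again is a second decode rather than the inverse of the urlencode() you did; and unserialize() on a query parameter should be restricted to scalars with the allowed_classes option (PHP 7.0 and later), since the string is entirely under the visitor's control. The serialized form is readable by anyone who sees the link; it disguises nothing, and the database and session check irealms already describes remains the only real protection.

```php
<?php
// Added example, not from the thread. Helper names are hypothetical.
declare(strict_types=1);

// Sending side: serialize the value and percent-encode it for the URL.
// urlencode() is needed because the serialized form contains '"', ':' and ';',
// none of which are safe to put in a query string unescaped.
function build_order_link(string $base, string $orderno): string
{
    // For '91783' serialize() yields the s:5:"91783"; form shown in the thread.
    $serialized = serialize($orderno);
    return $base . '?orderno=' . urlencode($serialized);
}

// Receiving side: PHP has already decoded the query string into $_GET,
// so the value is passed straight to unserialize(); no urldecode() call.
// Returns null for anything that is missing, malformed or not all digits.
function read_order_param(array $get): ?string
{
    if (!isset($get['orderno']) || !is_string($get['orderno'])) {
        return null;
    }
    // Never let visitor-supplied data instantiate objects: restrict
    // unserialize() to scalars and arrays (allowed_classes, PHP >= 7.0).
    $value = @unserialize($get['orderno'], ['allowed_classes' => false]);
    if (!is_string($value) || !ctype_digit($value)) {
        return null;
    }
    return $value;
}

// Demonstration with a constructed order number.
$link = build_order_link('https://example.invalid/order.php', '91783');
echo 'link: ', $link, "\n";

// Simulate what PHP does on the receiving page: parse_str() percent-decodes
// the query string exactly as PHP does when it populates $_GET.
parse_str((string) parse_url($link, PHP_URL_QUERY), $simulatedGet);
echo 'orderno: ';
var_dump(read_order_param($simulatedGet));

// A truncated or otherwise malformed parameter is rejected rather than
// returning false or a partial value to the calling code.
echo 'malformed: ';
var_dump(read_order_param(['orderno' => 's:5:"917']));
```

The value read back from the link is then still checked against the database and session as in the original checks; the parsing above only guarantees that what reaches that check is a well-formed digit string and not an arbitrary unserialized structure.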