How to hide URL parameters

raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

I want to hide all the parameters passed via URL which can be accessed by GET. I just want to show the name of the file alone instead of all the parameters showing up.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Methods to pass data:

$_GET
$_POST
$_COOKIE
$_SESSION
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

I don't know whether you have replied to this question.

ex: http://domain.com/somefile.php?var1=2&v ... ar3=action

When you click on the URL, I want the URL as

http://domain.com/somefile.php


How to do this?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

It would be silly (and dangerous) if JavaScript could change the URL displayed in the location box. It would allow one to spoof a site easily...

If you don't like http://domain.com/somefile.php?var1=2&v ... ar3=action ($_GET) just make sure you store var1, var2 and var3 in $_POST, $_COOKIE or $_SESSION. This way the user doesn't see them in the URL.
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

Alright, thanks for the suggestion.

If you had a look at an eBay URL, they used to encrypt parameters and the links are mostly not understandable. How do they do that in ASP.NET, and can it be done in PHP too?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

You can use en/decryption.. But in that case you are still showing them..
theda
Forum Contributor
Posts: 332
Joined: Sat Feb 19, 2005 8:35 am
Location: USA

Post by theda »

And unless you are passing dynamic data through those encrypted variables, it would be extremely easy to figure out what the parts do. Like if you had var=do encrypted (although I didn't think that could happen, unless it's just var=encrypted), you could easily figure out what encrypted does by just switching it around until it works.

If you REALLY wanted uber PHP security, why not use a MySQL database to store the data, and then on the next page load it back up? I mean sure, that's probably a novice way around security... But wouldn't that work? Well, I'm sure encrypting data then inputting into MySQL, then taking it out, and decrypting would be best. But that would be the best way, I think, for securing sensitive data. If it's just a variable to set how your website functions (like theme=color changes themes...), then I'd just ignore it.

Now, I'd think the MySQL way would be pretty useful unless your page reloads every time you click a link. I might try that out sometime.
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

But if we are going to encrypt and decrypt every URL variable, do you think it would slow down the application?

How many good websites do you think encrypt all the URL variables?

In many sites, I do see that they display the domain alone not even the filename. I have seen them in a few forums.

But I was thinking, if any user can change the values like
ex: somefile.php?action=editPost&id=22
user tries to: somefile.php?action=editPost&id=50
If the user can change that id to 50 to edit another user's post, then we can stop it by validating whether the user is allowed to do it by looking up the owner of the post in the DB.

Is it good practice to check whether a user can carry out an operation and send the URL variables in plain text?
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

Before you allow someone to edit a post purely by passing the parameters, check they have permissions to access that ID?

I thought that was standard :wink:
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

In all of your actions carried out by users, members, or site guests, you should check that they have permissions to do so.

For example, if someone's editing a forum post while logged in with a cookie (user):

Code:

$postbeingedited = $_GET['postid'];
// query to select author for that post
// ($postauthor is assumed to be set from that query's result)

if ($_COOKIE['user'] != $postauthor)
{
  die("you're not authorized to edit this post");
}
else
{
  // edit post
}
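
The ownership check discussed in this thread, as an added example that is not code from any poster: it takes the user's identity from the server-side session rather than from a cookie value, because the client supplies cookie contents, and it makes ownership part of the UPDATE itself. The `posts` table layout, the function names `makeDb` and `editPost`, and the sample rows are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table standing in for the forum's posts table.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER NOT NULL, body TEXT NOT NULL)');
    $db->exec("INSERT INTO posts (id, author_id, body) VALUES (22, 7, 'post by user 7'), (50, 9, 'post by user 9')");
    return $db;
}

// Returns an HTTP-style status: 200 edited, 400 bad id, 401 not logged in,
// 404 post not found or not owned by the caller.
function editPost(PDO $db, ?int $sessionUserId, $rawId, string $newBody): int
{
    if ($sessionUserId === null) {
        return 401; // identity comes from the server-side session, never from the request
    }
    // The id travels in plain text in the URL; accept only a positive integer.
    $postId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        return 400;
    }
    // Ownership is a condition of the UPDATE, so there is no gap between check and write.
    $stmt = $db->prepare('UPDATE posts SET body = :body WHERE id = :id AND author_id = :uid');
    $stmt->execute([':body' => $newBody, ':id' => $postId, ':uid' => $sessionUserId]);
    // Same answer for "no such post" and "someone else's post", so ids cannot be probed.
    return $stmt->rowCount() === 1 ? 200 : 404;
}

$db = makeDb();
// In a real page (assumed names): session_start(); $uid = $_SESSION['user_id'] ?? null;
// and $rawId = $_GET['id'] ?? null;
$uid = 7; // constructed: the logged-in user owns post 22 but not post 50
foreach (['22', '50', '22abc', '999'] as $rawId) {
    printf("id=%-6s -> %d\n", $rawId, editPost($db, $uid, $rawId, 'edited'));
}
printf("id=%-6s -> %d (no session)\n", '22', editPost($db, null, '22', 'edited'));
```

With this check in place, the `id` parameter can stay visible in the URL: changing it to another user's post id only yields a 404.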