How to hide URL parameters
- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
I want to hide all the parameters passed via URL which can be accessed by GET. I just want to show the name of the file alone instead of all the parameters showing up.
- raghavan20
I don't know whether you have replied to this question.
ex: http://domain.com/somefile.php?var1=2&v ... ar3=action
When you click on the URL, I want the URL as
http://domain.com/somefile.php
How to do this?
It would be silly (and dangerous) if JavaScript could change the URL displayed in the location box. It would allow one to spoof a site easily...
If you don't like http://domain.com/somefile.php?var1=2&v ... ar3=action ($_GET) just make sure you store var1, var2 and var3 in $_POST, $_COOKIE or $_SESSION. This way the user doesn't see them in the URL.
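As an added illustration of the $_SESSION approach (example code, not from the reply above): the values arrive once as GET parameters, are copied into the session, and the browser is redirected to the bare URL, so only somefile.php remains in the address bar. The file name and the parameter names var1..var3 come from the thread; everything else is assumed.

```php
<?php
// somefile.php -- added example, not code from the thread.
// First request: ?var1=...&var2=...&var3=... is stored server-side and the
// browser is sent back to the bare URL. Only whitelisted keys are copied, so
// arbitrary GET input cannot be smuggled into the session.
session_start();

$allowed = ['var1', 'var2', 'var3'];

if (!empty($_GET)) {
    foreach ($allowed as $key) {
        if (isset($_GET[$key])) {
            // Stored as a plain string; validate/cast it where it is used.
            $_SESSION['params'][$key] = (string) $_GET[$key];
        }
    }
    // 303 See Other: the browser re-fetches the URL without the query string.
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
    exit;
}

// Second request: no query string, the values come from the session instead.
$params = $_SESSION['params'] ?? [];
$var1 = $params['var1'] ?? null;
$var2 = $params['var2'] ?? null;
$var3 = $params['var3'] ?? null;
```

Hiding the parameters is cosmetic: the first request still carries them and a user can still craft that request, so anything security-relevant must be checked server-side regardless.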
- raghavan20
And unless you are passing dynamic data through those encrypted variables, it would be extremely easy to figure out what the parts do. Like if you had var=do encrypted (although I didn't think that could happen, unless it's just var=encrypted), you could easily figure out what encrypted does by just switching it around until it works.
If you REALLY wanted uber PHP security, why not use a MySQL database to store the data, and then on the next page load it back up? I mean sure, that's probably a novice way around security... But wouldn't that work? Well, I'm sure encrypting data then inputting into MySQL, then taking it out, and decrypting would be best. But that would be the best way, I think, for securing sensitive data. If it's just a variable to set how your website functions (like theme=color changes themes...), then I'd just ignore it.
Now, I'd think the MySQL way would be pretty useful unless your page reloads every time you click a link. I might try that out sometime.
- raghavan20
But if we are going to encrypt and decrypt every URL variable, do you think it would slow down the application?
How many good websites do you think encrypt all the URL variables?
In many sites, I do see that they display the domain alone, not even the filename. I have seen this in a few forums.
But I was thinking, what if any user can change the values, like:
ex: somefile.php?action=editPost&id=22
user tries to: somefile.php?action=editPost&id=50
If the user can change that id to 50 to edit another user's post, then we can stop it by validating whether the user is allowed to do it, by seeing the owner of the post in the DB.
Is it good practice to find out whether a user can carry out an operation and to send the URL variables in plain text?
- malcolmboston
- DevNet Resident
- Posts: 1826
- Joined: Tue Nov 18, 2003 1:09 pm
- Location: Middlesbrough, UK
In all of your actions carried out by users, members, or site guests, you should check that they have permission to do so.
For example, if someone's editing a forum post while logged in with a cookie (user):
Code:
<?php
$postbeingedited = (int) $_GET['postid']; // cast: the id comes straight from the URL
// query to select the author for that post and put the result in $postauthor
$postauthor = null;
if ($_COOKIE['user'] != $postauthor) {
    die("you're not authorized to edit this post");
} else {
    // edit post
}
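The ownership check that raghavan20 asks about and malcolmboston sketches, written out as an added example (not malcolmboston's code) against a database with a prepared statement, taking the user's identity from the server-side session rather than a client-supplied cookie. Assumed: a posts(id, author_id, body) table, an open PDO connection in $pdo, and the logged-in user's id in $_SESSION['user_id'].

```php
<?php
// Added example, not code from the thread. Assumptions: a posts(id, author_id, body)
// table and an already-opened PDO connection in $pdo.
session_start();

function update_own_post(PDO $pdo, ?int $userId, string $rawPostId, string $newBody): string
{
    // Identity comes from the server-side session, never from a cookie value
    // the client can rewrite.
    if ($userId === null) {
        return 'not-logged-in';
    }
    // The id is user input (the thread's somefile.php?action=editPost&id=50
    // case): reject anything that is not a plain positive integer.
    if (!ctype_digit($rawPostId) || $rawPostId === '0') {
        return 'bad-id';
    }
    $postId = (int) $rawPostId;

    // Ownership is enforced inside the UPDATE itself: a user who changes the
    // id in the URL to someone else's post simply matches zero rows, and there
    // is no window between a separate SELECT of the author and the write.
    $stmt = $pdo->prepare(
        'UPDATE posts SET body = :body WHERE id = :id AND author_id = :uid'
    );
    $stmt->execute([':body' => $newBody, ':id' => $postId, ':uid' => $userId]);
    // Note: with MySQL, open the connection with PDO::MYSQL_ATTR_FOUND_ROWS
    // so a re-save of identical text still counts as one matched row.
    if ($stmt->rowCount() === 1) {
        return 'updated';
    }
    // Zero rows means the post is missing or belongs to someone else; giving
    // one answer for both avoids confirming which ids exist.
    return 'forbidden';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_GET['action'] ?? '') === 'editPost') {
    $result = update_own_post(
        $pdo,
        isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null,
        (string) ($_GET['id'] ?? ''),
        (string) ($_POST['body'] ?? '')
    );
    if ($result !== 'updated') {
        // Denied edits are worth logging: repeated id probing is an IDOR signal.
        error_log("editPost denied ({$result}) for user " . ($_SESSION['user_id'] ?? 'anon'));
        http_response_code($result === 'not-logged-in' ? 401 : 403);
        exit('you are not authorized to edit this post');
    }
}
```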