How to hide URL parameters
Posted: Fri Jul 29, 2005 7:01 pm
by raghavan20
I want to hide all the parameters passed via URL which can be accessed by GET. I just want to show the name of the file alone instead of all the parameters showing up.
Posted: Fri Jul 29, 2005 7:31 pm
by timvw
Methods to pass data:
$_GET
$_POST
$_COOKIE
$_SESSION
Posted: Fri Jul 29, 2005 7:46 pm
by raghavan20
I don't know whether you have replied to this question.
ex:
http://domain.com/somefile.php?var1=2&v ... ar3=action
When you click on the URL, I want the URL as
http://domain.com/somefile.php
How to do this?
Posted: Fri Jul 29, 2005 7:52 pm
by timvw
It would be silly (and dangerous) if JavaScript could change the URL displayed in the location box. It would allow one to spoof a site easily...
If you don't like
http://domain.com/somefile.php?var1=2&v ... ar3=action ($_GET) just make sure you store var1, var2 and var3 in $_POST, $_COOKIE or $_SESSION. This way the user doesn't see them in the URL.
Posted: Sat Jul 30, 2005 5:23 am
by raghavan20
Alright, thanks for the suggestion.
If you had a look at the eBay URLs, they used to encrypt parameters and the links are mostly not understandable. How do they do that in ASP.NET, and can it be done in PHP too?
Posted: Sat Jul 30, 2005 7:12 am
by timvw
You can use en/decryption.. But in that case you are still showing them..
Posted: Sat Jul 30, 2005 10:11 am
by theda
And unless you are passing dynamic data through those encrypted variables, it would be extremely easy to figure out what the parts do. Like if you had var=do encrypted (although I didn't think that could happen, unless it's just var=encrypted), you could easily figure out what encrypted does by just switching it around until it works.
If you REALLY wanted uber PHP security, why not use a mysql database to store the data, and then on the next page load it back up? I mean sure, that's probably a novice way around security... But wouldn't that work? Well, I'm sure encrypting data then inputting into mysql, then taking it out, and decrypting would be best. But that would be the best way, I think, for securing sensitive data. If it's just a variable to set how your website functions (like theme=color changes themes...), then I'd just ignore it.
Now, I'd think the mysql way would be pretty useful unless your page reloads every time you click a link. I might try that out sometime.
Posted: Sun Jul 31, 2005 4:50 am
by raghavan20
But if we're gonna encrypt and decrypt every URL variable, do you think it would slow down the application?
How many good websites do you think encrypt all the URL variables?
In many sites, I do see that they display the domain alone, not even the filename. I have seen them in a few forums.
But I was thinking, if any user can change the values like
ex: somefile.php?action=editPost&id=22
user tries to: somefile.php?action=editPost&id=50
If the user can change that id to 50 to edit another user's post, then we can stop it by validating whether the user is allowed to do it by seeing the owner of the post in the DB.
Is it a good practice to find out whether a user can carry out an operation and send the URL variables in plain text?
Posted: Sun Jul 31, 2005 5:53 am
by malcolmboston
Before you allow someone to edit a post purely by passing the parameters, check they have permissions to access that ID?
I thought that was standard.

Posted: Sun Jul 31, 2005 9:39 am
by s.dot
In all of your actions carried out by users, members, or site guests, you should check that they have permissions to do so.
For example if someone's editing a forum post being logged in with a cookie (user)
<?php
$postbeingedited = $_GET['postid'];
// query to select author for that post; it sets $postauthor to the owner's name
// (note: $_COOKIE['user'] is sent by the browser, so it must be a value the
// client cannot simply rewrite, e.g. one bound to a server-side session)
if ($_COOKIE['user'] != $postauthor)
{
    die("you're not authorized to edit this post");
}
else
{
    // edit post
}
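The ownership check discussed in raghavan20's editPost/id question and in s.dot's reply, as an added example that is not code from the thread: the id from the URL is only a lookup key, the logged-in identity comes from the server-side session rather than a plain cookie, and the decision is made against the database. It assumes PHP with the pdo_sqlite extension and a constructed `posts` table whose column names (`id`, `author_id`) are assumptions.

```php
<?php
// Added example, not from the thread. Uses an in-memory SQLite database
// with a constructed `posts` table (column names are assumed) so it runs
// stand-alone: php thisfile.php
declare(strict_types=1);

// Ownership check: the post id from the URL is only a lookup key; whether
// the request is allowed is decided by data the user cannot edit.
function canEditPost(PDO $db, int $userId, int $postId): bool
{
    $stmt = $db->prepare('SELECT author_id FROM posts WHERE id = :id');
    $stmt->execute([':id' => $postId]);
    $authorId = $stmt->fetchColumn();
    return $authorId !== false && (int) $authorId === $userId;
}

// Mirrors somefile.php?action=editPost&id=22. Returns [status, message]
// instead of calling die() so the decision can be inspected and tested.
function handleEditRequest(PDO $db, ?int $sessionUserId, array $get): array
{
    if (($get['action'] ?? '') !== 'editPost') {
        return [400, 'Unknown action'];
    }
    if ($sessionUserId === null) {
        return [401, 'Please log in first'];
    }
    $postId = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    // One response for "no such post" and "someone else's post", so the id
    // cannot be used to learn which posts exist.
    if ($postId === false || !canEditPost($db, $sessionUserId, $postId)) {
        return [403, "You're not authorized to edit this post"];
    }
    return [200, "Editing post $postId"];
}

// Constructed sample data: user 7 owns post 22, user 9 owns post 50.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER)');
$db->exec('INSERT INTO posts VALUES (22, 7), (50, 9)');

// In a real page $sessionUserId comes from $_SESSION after login,
// never from a cookie value the browser can rewrite at will.
$sessionUserId = 7;
// Own post: allowed.
var_dump(handleEditRequest($db, $sessionUserId, ['action' => 'editPost', 'id' => '22']));
// Another user's post, reached by changing id=22 to id=50: refused.
var_dump(handleEditRequest($db, $sessionUserId, ['action' => 'editPost', 'id' => '50']));
// Nonsense id: refused with the same response.
var_dump(handleEditRequest($db, $sessionUserId, ['action' => 'editPost', 'id' => 'abc']));
```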