
How to hide URL parameters

Posted: Fri Jul 29, 2005 7:01 pm
by raghavan20
I want to hide all the parameters passed via URL which can be accessed by GET. I just want to show the name of the file alone instead of all the parameters showing up.

Posted: Fri Jul 29, 2005 7:31 pm
by timvw
Methods to pass data:

$_GET
$_POST
$_COOKIE
$_SESSION

Posted: Fri Jul 29, 2005 7:46 pm
by raghavan20
I don't know whether you have replied to this question.

ex: http://domain.com/somefile.php?var1=2&v ... ar3=action

When you click on the url, I want the url as

http://domain.com/somefile.php


How to do this?

Posted: Fri Jul 29, 2005 7:52 pm
by timvw
It would be silly (and dangerous) if Javascript could change the URL displayed in the location box. It would allow one to spoof a site easily...

If you don't like http://domain.com/somefile.php?var1=2&v ... ar3=action ($_GET) just make sure you store var1, var2 and var3 in $_POST, $_COOKIE or $_SESSION. This way the user doesn't see them in the URL.
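
One way to do what this reply suggests, as an added example that is not code from the thread: the link becomes a small form that POSTs the values, the script stores them in $_SESSION and redirects to the bare URL, and the next request reads them back from the session. The file name somefile.php, the parameter names var1 and var3, and the allow-listed values are assumptions. Note the limit of the trick: it keeps the values out of the address bar, but they are still in the page source and the POST body, so anyone with a proxy still sees them; hiding is cosmetic, and any permission check has to be done server-side regardless.

```php
<?php
// Added example (not code from the thread): keep request parameters out of the
// address bar by carrying them in the server-side session. This one file plays
// both roles: it receives a POST, stores the values, and redirects to itself with
// a bare URL; on the following GET it reads the values back from $_SESSION.
// Assumed names: somefile.php, parameters var1 and var3.
declare(strict_types=1);

// Allow-list of parameters and the values each may take. Anything else is dropped.
const ALLOWED_PARAMS = [
    'var1' => ['1', '2', '3'],
    'var3' => ['view', 'action'],
];

/** Keep only allow-listed name => value pairs from $input. */
function filterParams(array $input): array
{
    $clean = [];
    foreach (ALLOWED_PARAMS as $name => $values) {
        if (isset($input[$name]) && in_array($input[$name], $values, true)) {
            $clean[$name] = $input[$name];
        }
    }
    return $clean;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Step 1: the "link" is a form that POSTs here. Stash the values server-side
    // and redirect (303) to the plain URL, so the browser shows only somefile.php
    // and a refresh does not resubmit the form.
    $_SESSION['nav'] = filterParams($_POST);
    header('Location: /somefile.php', true, 303);
    exit;
}

// Step 2: on GET, read the values from the session, never from the query string.
$nav  = $_SESSION['nav'] ?? [];
$var1 = $nav['var1'] ?? '1';
$var3 = $nav['var3'] ?? 'view';
?>
<p>var1=<?= htmlspecialchars($var1) ?> var3=<?= htmlspecialchars($var3) ?></p>

<!-- The "link": hidden fields carry the values in the request body, not the URL -->
<form method="post" action="/somefile.php">
  <input type="hidden" name="var1" value="2">
  <input type="hidden" name="var3" value="action">
  <button type="submit">open with var1=2, var3=action</button>
</form>
```

The allow-list matters more than the hiding: whatever channel the values arrive on (URL, POST body, cookie), the script still has to decide which values it accepts.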

Posted: Sat Jul 30, 2005 5:23 am
by raghavan20
Alright, thanks for the suggestion.

If you look at eBay URLs, they used to encrypt parameters and the links are mostly not understandable. How do they do that in ASP.NET, and can it be done in PHP too?

Posted: Sat Jul 30, 2005 7:12 am
by timvw
You can use encryption/decryption. But in that case you are still showing them..

Posted: Sat Jul 30, 2005 10:11 am
by theda
And unless you are passing dynamic data through those encrypted variables, it would be extremely easy to figure out what the parts do. Like if you had var=do encrypted (although I didn't think that could happen, unless it's just var=encrypted), you could easily figure out what encrypted does by just switching it around until it works.

If you REALLY wanted uber PHP security, why not use a mysql database to store the data, and then on the next page load it back up? I mean sure, that's probably a novice way around security... But wouldn't that work? Well, I'm sure encrypting data then inputting into mysql, then taking it out, and decrypting would be best. But that would be the best way, I think, for securing sensitive data. If it's just a variable to set how your website functions (like theme=color changes themes...), then I'd just ignore it.

Now, I'd think the mysql way would be pretty useful unless your page reloads every time you click a link. I might try that out sometime.
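
The point made in the last two replies, as an added example (not code from the thread): encrypting or encoding a parameter hides what it means, not who may use it. A cheaper tool for the tampering case is an HMAC over the parameters, which lets the server tell a link it issued from one the client edited. The signing key, the action and id names, and the sample values are assumptions. The caveat still stands: a signed link that a user has legitimately been given keeps working for that user, so signing stops forgery of new values but does not replace the check of whether the user is allowed to perform the action at all.

```php
<?php
// Added example (not code from the thread): make URL parameters tamper-evident
// with an HMAC. The values stay readable in the URL; what the server gains is the
// ability to tell a link it issued from one the client edited.
// Assumed: URL_SIGNING_KEY is a secret that lives only on the server.
declare(strict_types=1);

const URL_SIGNING_KEY = 'replace-with-a-long-random-secret-from-config';

/** Query string for an action on a post id, with a signature over both fields. */
function signedQuery(string $action, int $id): string
{
    $sig = hash_hmac('sha256', $action . '|' . $id, URL_SIGNING_KEY);
    return http_build_query(['action' => $action, 'id' => $id, 'sig' => $sig]);
}

/**
 * Check a received query. Returns [action, id] when the signature matches the
 * pair exactly as issued, null when any field is missing, malformed or altered.
 */
function verifyQuery(array $q): ?array
{
    if (!isset($q['action'], $q['id'], $q['sig'])
        || !is_string($q['action'])
        || !ctype_digit((string) $q['id'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $q['action'] . '|' . (int) $q['id'], URL_SIGNING_KEY);
    // hash_equals: constant-time comparison, so timing does not leak which byte differs
    if (!hash_equals($expected, (string) $q['sig'])) {
        return null;
    }
    return [$q['action'], (int) $q['id']];
}

// Constructed walk-through: the link the server issued for editing post 22 ...
parse_str(signedQuery('editPost', 22), $params);
$issued = verifyQuery($params);

// ... and the same link after the user changes the id to 50 in the address bar.
// verifyQuery recomputes the HMAC over id 50, which cannot match a signature
// that was computed over id 22, so the edited link is rejected.
$params['id'] = '50';
$forged = verifyQuery($params);

echo $issued === null ? "issued link rejected\n" : "issued link accepted\n";
echo $forged === null ? "edited link rejected\n" : "edited link accepted\n";
```

Because the signature covers both action and id, a signed viewPost link cannot be turned into an editPost link either. What it cannot do is tell whether the user who holds a valid editPost link for post 50 is the owner of post 50; that decision belongs with the database check discussed later in the thread.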

Posted: Sun Jul 31, 2005 4:50 am
by raghavan20
But if we are going to encrypt and decrypt every URL variable, do you think it would slow down the application?

How many good websites do you think encrypt all the URL variables?

In many sites, I do see that they display the domain alone not even the filename. I have seen them in a few forums.

But I was thinking, what if any user can change the values, like:
ex: somefile.php?action=editPost&id=22
user tries: somefile.php?action=editPost&id=50
If the user can change that id to 50 to edit another user's post, then we can stop it by validating whether the user is allowed to do it, by checking the owner of the post in the db.

Is it good practice to find out whether a user can carry out an operation while sending the URL variables in plain text?

Posted: Sun Jul 31, 2005 5:53 am
by malcolmboston
Before you allow someone to edit a post purely by passing the parameters, check they have permission to access that ID?

I thought that was standard :wink:

Posted: Sun Jul 31, 2005 9:39 am
by s.dot
In all of your actions carried out by users, members, or site guests, you should check that they have permission to do so.

For example, if someone's editing a forum post while logged in with a cookie (user):

Code:

<?php
$postbeingedited = (int) $_GET['postid'];   // the post id must be a number

// query to select author for that post
// ($db is an open PDO connection and posts(id, author) the table, both assumed)
$stmt = $db->prepare('SELECT author FROM posts WHERE id = ?');
$stmt->execute([$postbeingedited]);
$postauthor = $stmt->fetchColumn();          // user name stored for the post

if ($_COOKIE['user'] != $postauthor) {       // user name from the login cookie
    die("you're not authorized to edit this post");
} else {
    // edit post
}
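
The ownership check from the last two replies, written out as an added example (not code from the thread). Two things differ from the posted snippet and are worth calling out: the identity of the caller is taken from $_SESSION, which the server set at login, rather than from a cookie value that the client can rewrite to any author's name; and the id from the URL is validated and bound into a prepared statement. The table layout posts(id, author_id, body), the in-memory SQLite database, the session key user_id and the sample rows are all assumptions made to keep the example self-contained.

```php
<?php
// Added example (not code from the thread): authorise an editPost request by
// checking in the database that the logged-in user owns the post. Identity comes
// from the server-side session, not from a client-controlled cookie.
// Assumed schema: posts(id, author_id, body). SQLite in memory keeps it runnable.
declare(strict_types=1);

/** Open the (assumed) database and seed it with constructed sample rows. */
function db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER NOT NULL, body TEXT)');
    // constructed data: user 7 owns post 22, user 9 owns post 50
    $pdo->exec("INSERT INTO posts VALUES (22, 7, 'hello'), (50, 9, 'other')");
    return $pdo;
}

/**
 * Owner of a post, or null when the post does not exist.
 * The id is bound as a parameter, never concatenated into the SQL.
 */
function postAuthor(PDO $pdo, int $postId): ?int
{
    $st = $pdo->prepare('SELECT author_id FROM posts WHERE id = :id');
    $st->execute([':id' => $postId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['author_id'];
}

/** True only when $userId owns $postId. An unknown post is never editable. */
function canEdit(PDO $pdo, int $userId, int $postId): bool
{
    $author = postAuthor($pdo, $postId);
    return $author !== null && $author === $userId;
}

// Request handling. The id travels in the URL in plain text, which is fine: the
// decision does not depend on the user being unable to change it.
session_start();
$userId = $_SESSION['user_id'] ?? null;                 // set by the login code (assumed)
$postId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);

if ($userId === null || $postId === null || $postId === false) {
    http_response_code(400);                            // not logged in, or id missing/non-numeric
    exit('bad request');
}

$pdo = db();
if (!canEdit($pdo, (int) $userId, $postId)) {
    http_response_code(403);                            // deny and stop; never fall through
    exit("you're not authorized to edit this post");
}
// edit post: the user is the owner, proceed with the update here
```

With the sample rows, user 7 gets through for id=22 and is refused for id=50 and for any id that does not exist; the refusal path ends in exit, so no later code can accidentally perform the edit. Encrypting or hiding the id would not change this logic, and the logic is what stops the id=50 case the question describes.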