Hey guys,
I've been programming now for a long time by sticking god-knows-what into the URL which in some ways has helped (slimming down site sizes) but in other ways has not (prone to SQL injection, have to filter it all, etc etc etc).
How easy is it to encrypt and decrypt variables for use within the URL?
I've tried googling it but I can't really find anything that useful, or that's easy on the noggin.
Can anyone shed any light? It would be much appreciated.
Thanks guys!
Encryption/Decryption
- mikeeeeeeey
- Forum Contributor
- Posts: 130
- Joined: Mon Jul 03, 2006 4:17 am
- Location: Huddersfield, UK
Anything that you can decrypt, THEY can decrypt.
I would look into using hashes like sha1, sha256 and the like (stay away from md5). A hash is taking a string, turning it into something unrecognizable and being unable to turn it back. How is that useful? Here's an example:
register new user Kryptonite. password = superman
hash of superman = asdflkj23r23409hsfvnsodifnl32402943u09sj0f9sdf099 (or whatever)
stored in database user: Kryptonite, password: asdflkj23r23409hsfvnsodifnl32402943u09sj0f9sdf099
new user Kryptonite logs in with password = supreman (misspelled!)
hash of supreman = fkjdflkj32390dfvdfvdfsdf0d9vu09b9b9b9b0b90bf9uub (or whatever it is)
retrieve password for Kryptonite: asdflkj23r23409hsfvnsodifnl32402943u09sj0f9sdf099
does NOT match: fkjdflkj32390dfvdfvdfsdf0d9vu09b9b9b9b0b90bf9uub (hash of superman)
invalid password!
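The register/login comparison described in the post above, as an added example that is not part of the original thread. It goes beyond the bare hash the post describes by using a per-user random salt and PBKDF2-HMAC-SHA256 key stretching; the in-memory `USERS` table, the function names and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware
USERS = {}            # constructed stand-in for the users table: name -> (salt, key)


def derive_key(password, salt):
    """Slow, salted one-way derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    # A fresh random salt per user means equal passwords store different values.
    salt = os.urandom(16)
    USERS[username] = (salt, derive_key(password, salt))


def login(username, password):
    record = USERS.get(username)
    if record is None:
        # Unknown user: do the same work so timing does not reveal valid names.
        derive_key(password, b"\x00" * 16)
        return False
    salt, stored_key = record
    # Re-derive from the submitted password and compare in constant time.
    return hmac.compare_digest(derive_key(password, salt), stored_key)


if __name__ == "__main__":
    register("Kryptonite", "superman")
    print(login("Kryptonite", "superman"))   # correct password
    print(login("Kryptonite", "supreman"))   # misspelled password
```

Only the salt and the derived key are stored, so the database never holds the password itself.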
Encrypting variables for POST/GET is not going to be a good way to filter data; you will still be prone to SQL injection for any content that the end user submits.
For instance, if you have a text field where the user can enter whatever, you will need to encrypt it client side before it gets sent. That blows any secrets you might have about your encryption. Then when you decrypt it you will still need to filter it before you use it in any SQL since you will have happily encrypted then decrypted any SQL injection attempt that the person may have typed. So no matter what you do you are still going to need to filter/check POST arguments.
For plain URL type arguments, like id=1, if you encrypt that into id=ggkda, you will still need to check the input to make sure that it is valid before/after you decrypt it because if they change that data it will still cause errors on the server side. There are ways to encode the entire set of URL parameters into one string I believe, then you would generate all the links server side and code a router to turn it back into parameters. I don't know if that buys you much security though.
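A sketch of the approach in the post above, as an added example that is not part of the original thread: the server packs the URL parameters into one string, a router turns it back into parameters, and the value is still validated and bound into a parameterised query. It uses an HMAC signature rather than encryption to make server-generated links tamper-evident; `SECRET`, the `articles` table and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client


def make_token(params):
    """Pack all URL parameters into one tamper-evident string: payload.signature"""
    payload = base64.urlsafe_b64encode(json.dumps(params, sort_keys=True).encode())
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig


def read_token(token):
    """Router side: return the parameters, or None if the token was altered."""
    payload, _, sig = token.partition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def make_db():
    # Constructed sample data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)", [(1, "Hello"), (2, "Draft")])
    return db


def lookup_article(db, token):
    params = read_token(token)
    if params is None:
        return "rejected: bad signature"
    article_id = params.get("id")
    # A valid signature says who built the link, not that the value is sane.
    if type(article_id) is not int or article_id < 1:
        return "rejected: invalid id"
    row = db.execute("SELECT title FROM articles WHERE id = ?", (article_id,)).fetchone()
    return row[0] if row else "not found"


def search_title(db, text):
    # Free text typed by the user is bound as data, never concatenated into SQL.
    rows = db.execute("SELECT title FROM articles WHERE title = ?", (text,))
    return [r[0] for r in rows]
```

The signature only covers links the server generated; anything the user types, as in `search_title`, stays untrusted no matter how it travelled.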
Chalks wrote: A hash is taking a string, turning it into something unrecognizable and being unable to turn it back.
That is incorrect, a hash is a one way algorithm. It is statistically impossible to reverse a hash and get the original message. Since you cannot decrypt a hash, this isn't what you want to use for encrypting your GET parameters.
However, a hash as pointed out, is the way you want to store passwords in a DB. If someone gets ahold of the data they still won't have the passwords as long as you practice proper encryption practices. They will actually need to get to your source as well in order to login as someone else.
Last edited by Begby on Tue Jul 24, 2007 10:32 am, edited 1 time in total.
Chalks wrote: A hash is taking a string, turning it into something unrecognizable and being unable to turn it back.
Begby wrote: That is incorrect, a hash is a one way algorithm.
Isn't that what I said "being UNABLE to turn it back"?
Begby wrote: It is statistically impossible to reverse a hash and get the original message. Since you cannot decrypt a hash, this isn't what you want to use for encrypting your GET parameters.
Unless you're checking the parameters against something that was already stored... like a password (see my above example).
edit: You're welcome Mikeeeeeeey.