how to obfuscate links while working with mysql?

leonardobii
Forum Newbie
Posts: 17
Joined: Fri Sep 02, 2005 8:47 pm

Post by leonardobii »

I am very new to this and have been desperately trying to find a way to obfuscate links (what would appear in the address bar). The following works for static pages, but not when working with databases. Would there be a creative way to modify this, or am I approaching it incorrectly?

Code: Select all

class linkObfuscator
{
	var $seed=0;
	var $referralSeed=0;
	function linkObfuscator($referralSeed=false)
	{
		// new seed, to obfuscate new pages
		srand();
		$this->seed= rand();
		// old seed, to check access
		if($referralSeed===false or !is_numeric($referralSeed)) {
			$this->referralSeed=$referralSeed;
		} else if(is_numeric($_SESSION['referralSeed'])) {
			$this->referralSeed=$_SESSION['referralSeed'];
			$_SESSION['referralSeed']=$this->seed;
		}	
	}

	function _obfuscate($aLink,$aSeed)
	{
		$sep=(strpos('?',$aLink)===false)?'?':'&';
		return $aLink. $sep ."go=".md5($aSeed .$aLink);
	}
	
	function obfuscate($aLink)
	{
		return $this->_obfuscate($aLink,$this->seed);
	}
	
	function check($anObfuscatedLink)
	{
		$theLink=preg_replace('/(&|\?)go=(\w)+/','',$anObfuscatedLink);
		if($this->_obfuscate($theLink,$this->referralSeed)==$anObfuscatedLink)
			return true;
			
		return false;
	}
}

feyd | Please use the code tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I don't see why this would have an issue working with something from a database...

Post by leonardobii »

It seems that the obfuscated link returns obfuscated back to the database and is unrecognizable, causing errors.

Post by feyd »

How are you using it? Did you remember to quote the output, because it's returning a string?

Post by leonardobii »

Hmm, I don't think so, could you give me a proper example?

Post by leonardobii »

This is where we are applying the script:

<?php echo $obf->obfuscate("clasif.php","?codsubgrupo=".$row_jr_subgrupo['codsubgrupoclasificados']); ?>

Post by feyd »

obfuscate() expects one argument, you're passing two. The second argument (your query component) will not be output.

Post by leonardobii »

I am still having trouble, could you please give me an example or the way you would fix it?

Post by feyd »

Code: Select all

echo $obf->obfuscate('clasif.php?codsubgrupo='.$row_jr_subgrupo['codsubgrupoclasificados']);

The only real change was removing the comma separation. :)

Post by leonardobii »

I am still receiving the same error

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '?go=eaabccf037dfe25f1c635857d1635357' at line 1

Post by feyd »

Post the code you are using for the query stuffs.

Post by leonardobii »

<a href="<?php echo $obf->obfuscate("clasif.php?codsubgrupo=".$row_jr_subgrupo['codsubgrupoclasificados']); ?>" target="framecontenido"><?php echo $row_jr_subgrupo['descripcionSG']; ?> </a>

Post by feyd »

That wouldn't generate an SQL error. What's the code that interacts with MySQL?

Post by leonardobii »

if (isset($_GET['codsubgrupo'])) {
$codsubgrupo_jr_item = (get_magic_quotes_gpc()) ? $_SESSION['codsubgrupo'] : addslashes($_SESSION['codsubgrupo']);
}
mysql_select_db($database_adm, $adm);
$query_jr_item = sprintf("SELECT * FROM tipoclasificado WHERE tipoclasificado.codsubgrupo=%s",$codsubgrupo_jr_item);
$jr_item = mysql_query($query_jr_item, $adm) or die(mysql_error());
$row_jr_item = mysql_fe

Post by feyd »

SELECT * FROM tipoclasificado WHERE tipoclasificado.codsubgrupo=%s

to

SELECT * FROM tipoclasificado WHERE tipoclasificado.codsubgrupo='%s'


and please.. start using the code tags like I asked. (Read the first link in my signature to learn how and what they do)
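
Added example, not part of the thread and not any poster's code: in the class posted at the top, `strpos('?',$aLink)` has its arguments reversed (PHP's order is haystack, then needle), so the separator is always `?`. For a link that already has a query string, the parameter value then carries the `?go=...` suffix, which is consistent with the MySQL error quoted above. The sketch reproduces that, signs the link with a keyed HMAC, and validates and binds the id; `LINK_KEY`, the helper names, the sample link and the in-memory SQLite table (a stand-in for the MySQL connection, needs pdo_sqlite) are assumptions.

```php
<?php
// Added example. LINK_KEY, the helper names, the sample link and the table row are constructed.
const LINK_KEY = 'constructed-demo-key';   // assumption: a server-side secret

// The posted class calls strpos('?', $aLink): arguments reversed, so '?' is always chosen.
function buggy_sep(string $link): string { return strpos('?', $link) === false ? '?' : '&'; }
function fixed_sep(string $link): string { return strpos($link, '?') === false ? '?' : '&'; }

// Keyed HMAC over the link instead of md5(seed . link).
function sign_link(string $link): string {
    return $link . fixed_sep($link) . 'go=' . hash_hmac('sha256', $link, LINK_KEY);
}

// Split off the trailing go= tag, recompute it, compare in constant time.
function check_link(string $signed): bool {
    if (!preg_match('/^(.+)[?&]go=([0-9a-f]{64})$/', $signed, $m)) {
        return false;
    }
    return hash_equals(hash_hmac('sha256', $m[1], LINK_KEY), $m[2]);
}

// The parameters PHP would expose in $_GET for this link.
function query_params(string $link): array {
    parse_str((string) parse_url($link, PHP_URL_QUERY), $params);
    return $params;
}

// Accept only an integer id and bind it instead of formatting it into the SQL text.
function find_items(PDO $db, string $rawId): array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $st = $db->prepare('SELECT * FROM tipoclasificado WHERE codsubgrupo = ?');
    $st->execute([$id]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');   // stand-in for the thread's MySQL connection
$db->exec("CREATE TABLE tipoclasificado (codsubgrupo INTEGER, descripcion TEXT)");
$db->exec("INSERT INTO tipoclasificado VALUES (7, 'constructed row')");

$link = 'clasif.php?codsubgrupo=7';
$bad  = $link . buggy_sep($link) . 'go=' . md5('1' . $link);   // as the posted class builds it
$good = sign_link($link);
var_dump(query_params($bad)['codsubgrupo'], query_params($good)['codsubgrupo']);
var_dump(check_link($good), check_link(str_replace('codsubgrupo=7', 'codsubgrupo=8', $good)));
var_dump(count(find_items($db, query_params($bad)['codsubgrupo'])));
var_dump(count(find_items($db, query_params($good)['codsubgrupo'])));
```

Binding the validated integer means the query no longer relies on `addslashes()` or on quoting inside the `sprintf()` format string.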