URL encrypt

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Post by shivam0101 »

I want to use a link in an email. The link will contain a URL like mysite.com?process=accept&id=10. I want to encrypt this URL and decrypt it again when the user enters the site, without using mcrypt.

Thanks

Post by Mordred »

Why?

Post by shivam0101 »

I do not have access to server to install.

Post by jmut »

I think Mordred was asking why you want to encrypt in the first place.

Generally such things are done by creating a relatively long, complex (letters, digits, etc.) string that is valid for 24 hours, for example. Once the customer clicks it, you check it against the database and invalidate it.
Customers are used to this and I don't see real security problem with it.

Post by shivam0101 »

It contains some ids which the client does not want to show.

I am also facing another problem. Since it is related to the first problem, I am posting it here.

In the email link,

Code: Select all

<a href='mysite.com/process_page.php?process=accept&id=10'>
If the user has not logged in, it will be redirected to the index page. On entering his username and password, he will be directed to the appropriate page.

There will be different URLs which the clients will be receiving, and on each type the page and process change.

I tried to store the pagename and id in sessions.

For example, in process.php

Code: Select all

$id=$_GET['id'];
$_SESSION['form_email']=array('process.php', $id);
Below this, I am checking for valid users. Then it will be directed to index.php.

In the index.php,

Code: Select all

$from_email=$_SESSION['form_email'];
When the username and password are validated and it is true,

Code: Select all

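// Only the page name in $from_email[0] is passed on; the id stored in $from_email[1] is not used.
if(!empty($from_email))
   $cls_obj->Redirect("$from_email[0]");
else
   $cls_obj->Redirect("homepage.php");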

The problem is, when it goes to process.php, the id gets lost.

Another thing is that the user has the option of directly entering the site and clicking the URL. So,

Code: Select all

$_GET['id']
is also used for that purpose.

Is there any easier way of doing it?

Post by superdezign »

shivam0101 wrote: it contains some ids which client does not want to show.
Then generate different ids from those ids and/or create randomly generated ids and use those instead.

Post by CoderGoblin »

Anything you send via GET or POST can simply be duplicated. One way of avoiding this is to send something like a checksum. If you use sessions, for instance, the checksum could be

Code: Select all

$id=10;
// '.' concatenates strings in PHP; '+' would add the values numerically.
$chksum=substr(md5('uniqtxt'.$id.session_id()),3,5); // numbers and uniqtxt an example only.
echo "<a href=\"mysite.com/process_page.php?process=accept&chksum={$chksum}&id={$id}\">";
When you process the next page you compare the chksum md5 value it should have created for that id...

Code: Select all

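$id = $_GET['id'] ?? '';
// Strict comparison: with '==' two numeric-looking strings such as '0e123' and '0e456' compare equal.
if (substr(md5('uniqtxt'.$id.session_id()),3,5) === ($_GET['chksum'] ?? '')) {
   //process
} else {
  echo 'Naughty person....';
}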
Of course the checksum used is up to you but this sort of system works in general. The addition of uniqtxt adds an extra level of security for the md5 but is not 100% unbreakable. The question is who would really bother.

If the session_id changes the id will not work and you get the message naughty person. If you never want the person to access the same page simply recreate a new session_id after processing. You could even store something in a database to use as part of the checksum.
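
One way to implement what jmut and superdezign describe for the emailed link, written as an added example that is not code from any poster in this thread: a random, single-use token that expires after 24 hours and stands in for the process and id, so neither appears in the URL. The `link_tokens` table, the function names and the `t` parameter are assumptions.

```php
<?php
declare(strict_types=1);
// Added example; the table, column and function names are assumptions.

function createLinkToken(PDO $db, string $process, int $recordId, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO link_tokens (token_hash, process, record_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    // Only a hash is stored, so a leaked table does not contain usable links.
    $stmt->execute([hash('sha256', $token), $process, $recordId, time() + $ttl]);
    return $token;
}

function redeemLinkToken(PDO $db, string $token): ?array
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // malformed input never reaches the database
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $find = $db->prepare(
        'SELECT process, record_id FROM link_tokens
         WHERE token_hash = ? AND expires_at >= ?'
    );
    $find->execute([$hash, time()]);
    $row = $find->fetch(PDO::FETCH_ASSOC);
    // Invalidate on first use; only the request that removes the row may proceed.
    $burn = $db->prepare('DELETE FROM link_tokens WHERE token_hash = ?');
    $burn->execute([$hash]);
    $removed = $burn->rowCount();
    $db->commit();
    return ($row === false || $removed !== 1) ? null : $row;
}

// Constructed demo using an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE link_tokens (token_hash TEXT PRIMARY KEY,
           process TEXT, record_id INTEGER, expires_at INTEGER)');
$token = createLinkToken($db, 'accept', 10);
echo "https://mysite.com/process_page.php?t={$token}\n";
var_dump(redeemLinkToken($db, $token)); // first click
var_dump(redeemLinkToken($db, $token)); // same link replayed
```

Because the token does not depend on `session_id()`, it still validates when the recipient opens the email link in a browser that has no session yet.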