URL encrypt
Moderator: General Moderators
-
shivam0101
- Forum Contributor
- Posts: 197
- Joined: Sat Jun 09, 2007 12:09 am
URL encrypt
I want to use a link in an email. The link will contain a URL like mysite.com?process=accept&id=10. I want to encrypt this URL and decrypt it again when the user enters the site, without using mycrypt.
Thanks
-
shivam0101
- Forum Contributor
- Posts: 197
- Joined: Sat Jun 09, 2007 12:09 am
I think Mordred was asking why you want to encrypt in the first place.
Generally such things are done by creating a relatively long, complex (letters, digits, etc.) string that is valid for 24 hours, for example. And once the customer clicks it... you check it against the database and invalidate it.
Customers are used to this and I don't see a real security problem with it.
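The approach described in the post above (a long random string, valid for 24 hours, checked against the database and invalidated on use), as an added example that is not part of the original thread. The table name, function names and the `t` parameter are assumptions, and an in-memory SQLite database stands in for the site's own.

```php
<?php
// Added example: single-use, expiring link tokens. All names here are illustrative.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');   // stand-in for the site's real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE link_tokens (
    token_hash TEXT PRIMARY KEY, process TEXT NOT NULL, record_id INTEGER NOT NULL,
    expires_at INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');

// Create the opaque value that goes into the e-mail link instead of process/id.
function issueToken(PDO $db, string $process, int $id, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32));            // 64 hex characters from a CSPRNG
    // Store only a hash, so a leaked table cannot be replayed as working links.
    $stmt = $db->prepare(
        'INSERT INTO link_tokens (token_hash, process, record_id, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $process, $id, time() + $ttl]);
    return $token;
}

// Look the token up and invalidate it in one UPDATE, so it can be redeemed only once.
function redeemToken(PDO $db, string $token): ?array
{
    $hash = hash('sha256', $token);
    $upd = $db->prepare(
        'UPDATE link_tokens SET used = 1 WHERE token_hash = ? AND used = 0 AND expires_at > ?'
    );
    $upd->execute([$hash, time()]);
    if ($upd->rowCount() !== 1) {
        return null;                               // unknown, expired or already used
    }
    $sel = $db->prepare('SELECT process, record_id FROM link_tokens WHERE token_hash = ?');
    $sel->execute([$hash]);
    return $sel->fetch(PDO::FETCH_ASSOC) ?: null;
}

$token = issueToken($db, 'accept', 10);            // constructed sample values
echo "https://mysite.com/process_page.php?t={$token}\n";
var_dump(redeemToken($db, $token));                // first use of the link
var_dump(redeemToken($db, $token));                // the same link clicked again
var_dump(redeemToken($db, str_repeat('0', 64)));   // a value that was never issued
```

The link carries no process name or id at all, so nothing internal is exposed and there is nothing for the recipient to edit.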
-
shivam0101
- Forum Contributor
- Posts: 197
- Joined: Sat Jun 09, 2007 12:09 am
It contains some ids which the client does not want to show.
I am also facing another problem. Since it is related to the first problem, I am posting it here.
In the email link,
Code:
<a href='mysite.com/process_page.php?process=accept&id=10'>
if the user has not logged in, he will be redirected to the index page. On entering his username and password, he will be directed to the appropriate page.
There will be different URLs which the clients will be receiving, and on each type a different page and process changes.
I tried to store the page name and id in sessions.
For example, in process.php
Code:
$id = $_GET['id'];
$_SESSION['form_email'] = array('process.php', $id);
Below this, I am checking for valid users. Then it will be directed to index.php.
In the index.php,
Code:
$from_email = $_SESSION['form_email'];
when the username and password are validated and if it is true,
Code:
if (!empty($from_email))
    $cls_obj->Redirect("$from_email[0]");
else
    $cls_obj->Redirect("homepage.php");
The problem is, when it goes to process.php, the id gets lost.
Another thing is, the user has the option of directly entering the site and clicking the URL. So,
Code:
$_GET['id']
is also used for that purpose.
Is there any easier way of doing it?
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
- CoderGoblin
- DevNet Resident
- Posts: 1425
- Joined: Tue Mar 16, 2004 10:03 am
- Location: Aachen, Germany
Anything you send via GET or POST can simply be duplicated. One way of avoiding this is to send something like a checksum. If you use sessions, for instance, the checksum could be
Code:
$id = 10;
// 'uniqtxt' and the substr() offsets are an example only.
$chksum = substr(md5('uniqtxt' . $id . session_id()), 3, 5); // "." concatenates; "+" would add numerically
echo "<a href=\"mysite.com/process_page.php?process=accept&chksum={$chksum}&id={$id}\">";
When you process the next page you compare the chksum md5 value it should have created for that id...
Code:
$id = $_GET['id'];
// Strict comparison: with == two numeric-looking strings such as "0e123" and "0e456" compare equal.
if (substr(md5('uniqtxt' . $id . session_id()), 3, 5) === $_GET['chksum']) {
    // process
} else {
    echo 'Naughty person....';
}
Of course the checksum used is up to you but this sort of system works in general. The addition of uniqtxt adds an extra level of security for the md5 but is not 100% unbreakable. The question is who would really bother.
If the session_id changes the id will not work and you get the message naughty person. If you never want the person to access the same page simply recreate a new session_id after processing. You could even store something in a database to use as part of the checksum.