URL encrypt

Posted: Wed Sep 05, 2007 1:15 am
by shivam0101
I want to use a link in an email. The link will contain a url like mysite.com?process=accept&id=10. I want to encrypt this url and decrypt it again when the user enters the site, without using mcrypt.

Thanks

Posted: Wed Sep 05, 2007 1:51 am
by Mordred
Why?

Posted: Wed Sep 05, 2007 2:26 am
by shivam0101
I do not have access to server to install.

Posted: Wed Sep 05, 2007 2:54 am
by jmut
I think Mordred was asking why you want to encrypt in the first place.

Generally such things are done by creating a relatively long, complex (letters, digits, etc.) string that is valid for 24 hours, for example. And once the customer clicks it... you check it against the database and invalidate it.
Customers are used to this and I don't see a real security problem with it.

Posted: Wed Sep 05, 2007 6:17 am
by shivam0101
It contains some ids which the client does not want to show.

I am also facing another problem. Since it is related to the first problem, I am posting it here.

In the email link,

Code:

<a href='mysite.com/process_page.php?process=accept&id=10'>

if the user has not logged in, he will be redirected to the index page. On entering his username and password, he will be directed to the appropriate page.

There will be different urls which the clients will be receiving and on each type different page and process changes.

I tried to store the pagename and id in sessions.

For example, in process.php

Code:

$id = $_GET['id'];
$_SESSION['form_email'] = array('process.php', $id);

Below this, I am checking for valid users. Then it will be directed to index.php.

In the index.php,

Code:

$from_email = $_SESSION['form_email'];

When the username and password are validated, and if that is true,

Code:

if (!empty($from_email))
    // $from_email[0] is the page name; the id stored in $from_email[1] is not appended
    $cls_obj->Redirect("$from_email[0]");
else
    $cls_obj->Redirect("homepage.php");

The problem is, when it goes to process.php, the id gets lost.

Another thing is that the user has the option of directly entering the site and clicking the url. So,

Code:

$_GET['id']

is also used for that purpose.

Is there any easier way of doing it?

Posted: Wed Sep 05, 2007 8:24 am
by superdezign
shivam0101 wrote: it contains some ids which client does not want to show.
Then generate different ids from those ids and/or create randomly generated ids and use those instead.

Posted: Wed Sep 05, 2007 8:54 am
by CoderGoblin
Anything you send via GET or POST can simply be duplicated. One way of avoiding this is to send something like a checksum. If you use sessions, for instance, the checksum could be

Code:

$id = 10;
// checksum = 5 hex characters of md5(secret text . id . session id)
$chksum = substr(md5('uniqtxt' . $id . session_id()), 3, 5); // numbers and uniqtxt an example only.
echo "<a href=\"mysite.com/process_page.php?process=accept&chksum={$chksum}&id={$id}\">";

When you process the next page you compare the chksum md5 value it should have created for that id...

Code:

$id = $_GET['id'];
// strict comparison so the two hex strings are compared as strings
if (substr(md5('uniqtxt' . $id . session_id()), 3, 5) === $_GET['chksum']) {
   //process
} else {
  echo 'Naughty person....';
}

Of course the checksum used is up to you but this sort of system works in general. The addition of uniqtxt adds an extra level of security for the md5 but is not 100% unbreakable. The question is who would really bother.

If the session_id changes the id will not work and you get the message naughty person. If you never want the person to access the same page simply recreate a new session_id after processing. You could even store something in a database to use as part of the checksum.
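
The checksum idea above, combined with the 24-hour validity suggested earlier in the thread, as an added example that is not code from any poster: the link carries an expiry and an HMAC-SHA256 over its parameters, keyed with a server-side secret instead of session_id() because a link opened from an e-mail usually arrives in a new session. SECRET_KEY, LINK_TTL, sign_link() and verify_link() are names assumed for this example, and PHP 7.1 or later is assumed; the id stays visible in the link, it just cannot be altered.

```php
<?php
// Added example, not code from the thread. SECRET_KEY is a constructed
// placeholder; load a long random value from server-side config instead.
const SECRET_KEY = 'replace-with-long-random-server-side-secret';
const LINK_TTL   = 86400; // 24 hours

// Build the query string for the e-mail link: parameters + expiry + HMAC.
function sign_link(string $process, int $id, int $now): string
{
    $params = ['process' => $process, 'id' => $id, 'exp' => $now + LINK_TTL];
    ksort($params); // fixed order so signer and verifier hash the same bytes
    $params['sig'] = hash_hmac('sha256', http_build_query($params), SECRET_KEY);
    return http_build_query($params);
}

// Return the verified parameters, or null if the link was altered or expired.
function verify_link(array $get, int $now): ?array
{
    foreach (['process', 'id', 'exp', 'sig'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return null; // missing field, or an array smuggled in via id[]=
        }
    }
    $params = [
        'process' => $get['process'],
        'id'      => (int) $get['id'],
        'exp'     => (int) $get['exp'],
    ];
    ksort($params);
    $expected = hash_hmac('sha256', http_build_query($params), SECRET_KEY);
    // hash_equals() compares in constant time and never type-juggles.
    if (!hash_equals($expected, $get['sig']) || $now > $params['exp']) {
        return null;
    }
    return $params; // use these values, not the raw $_GET ones
}

// Constructed demo: sign a link, verify it, tamper with it, let it expire.
$now   = time();
$query = sign_link('accept', 10, $now);
parse_str($query, $get);
var_dump(verify_link($get, $now) !== null);                // untampered link
$get['id'] = '11';
var_dump(verify_link($get, $now) !== null);                // id changed after signing
parse_str($query, $get);
var_dump(verify_link($get, $now + LINK_TTL + 1) !== null); // checked after expiry
```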