Re: Passing URL parameters, how to hide

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



are you using native encryption from the database ?


Stuart
--- jasper@xxxxxxxxxxxxx wrote:

> the encryption is random, there is no algorithm to
> break it, I'm not going
> to argue against any of the other problems with this
> system, but no one is
> going to be able to break this algorithm, its 14
> characters of lowercase and
> upper case letters and numbers, in random order.
> 
> 
>
-------------------------------------------------------------->>
> Jasper Howard :: Database Administration
> Velocity7
> 1.530.470.9292
> http://www.Velocity7.com/
>
<<--------------------------------------------------------------
> ----- Original Message ----- 
> From: "Stuart Felenstein" <stuart4m@xxxxxxxxx>
> To: "Jasper Howard" <jasper@xxxxxxxxxxxxx>;
> <php-db@xxxxxxxxxxxxx>
> Sent: Tuesday, September 21, 2004 1:03 AM
> Subject: Re:  Passing URL parameters, how to
> hide
> 
> 
> > Up front it sounds like a good option.  However,
> my
> > first thought is, entering another encrypted id
> just
> > puts me back to the same problem.  How easy would
> it
> > be for someone to break the encryption algorithm ?
>  My
> > guess is that it would be easy.
> >
> > Stuart
> > --- Jasper Howard <jasper@xxxxxxxxxxxxx> wrote:
> >
> > > When I created a business management script for
> the
> > > business I work for, it
> > > was important that ids in url's were encrypted.
> What
> > > I did was create a code
> > > for each item that needed one. My encryption
> table
> > > fields looked something
> > > like: enc_id, encryption, table, id where enc_id
> was
> > > the unique identifier
> > > in this table, encryption was the 14 character
> code,
> > > table was the table
> > > that the encrypted data was stored in, and id
> was
> > > the id of the encrypted
> > > data. That was you can pass the 14 digit code in
> the
> > > html, then when you
> > > need to use it in a php script you can just make
> a
> > > function that returns the
> > > data from the database from the encryption code.
> For
> > > extra security (since
> > > someone could just remember the encryption code)
> I
> > > added a cron job script
> > > that changed the encryptions every midnight. If
> > > anyone thinks something like
> > > this would work for them, some thing to remember
> is
> > > that you need to make
> > > sure that when you add an item to the encryption
> > > table in the db that each
> > > code is unique.
> > >
> > > -- 
> > >
> > >
> > >
> >
>
-------------------------------------------------------------->>
> > > Jasper Howard :: Database Administration
> > > ApexEleven Web Design
> > > 1.530.559.0107
> > > http://www.ApexEleven.com/
> > >
> >
>
<<--------------------------------------------------------------
> > > "Stuart Felenstein" <stuart4m@xxxxxxxxx> wrote
> in
> > > message
> > >
> >
>
news:20040920221627.4201.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxx
> > > > I'm restarting this post.  I thought I was out
> of
> > > the
> > > > woods, but not.
> > > > Here situation, in most of my update forms
> which
> > > > involve 1 record, passing a session variable ,
> > > usually
> > > > the users ID is enough. No URL param passing.
> > > >
> > > > Not so in two update forms I have where there
> are
> > > > multiple records for each user.  If I pass a
> > > session
> > > > variable it only brings up the first record. 
> So
> > > > unless I am missing something, I must pass the
> > > record
> > > > ID via a URL parameter.  That works just
> great,
> > > but
> > > > the problems lies in the fact, that all anyone
> > > would
> > > > need to do is change recordID=1 to recordID=2
> and
> > > they
> > > > can see someone elses record, which is
> supposed to
> > > > confidential.
> > > >
> > > > Now I've looked at sights like Monster,
> Amazon,
> > > Ebay,
> > > > and tried changing the recordID in the URL
> area,
> > > but
> > > > it either ignores my change or kicked back an
> > > invalid
> > > > ID.
> > > > This is even if I remove the other ID's from
> the
> > > line.
> > > >
> > > >
> > > > So, I'm sure this has been dealt with more, I
> > > don't
> > > > have the foggiest clue yet though how I can
> > > implement
> > > > something that either hides, or prevents a
> user
> > > from
> > > > going through records in the database by
> changing
> > > the
> > > > id number.
> > > >
> > > > Appreciate any suggestions or ideas.
> > > >
> > > > Thank you,
> > > > Stuart
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > --- Stuart Felenstein <stuart4m@xxxxxxxxx>
> wrote:
> > > >
> > > > > Turned out "hiding" the id wasn't necessary
> as
> > > the
> > > > > awaiting update page can grab the session
> ID.
> > > > > I wasn't thinking. Sorry
> > > > > Stuart
> > > > > --- John Holmes <holmes072000@xxxxxxxxxxx>
> > > wrote:
> > > > >
> > > > > > Stuart Felenstein wrote:
> > > > > > > I'm still confused over one aspect of
> URL
> > > > > > parameters.
> > > > > > > As far as a form passing data back to
> the
> > > > > server,
> > > > > > I
> > > > > > > understand about get, post and replace.
> > > > > > >
> > > > > > > Here is my problem.
> > > > > > > I have an update form.  User is logged
> in to
> > > the
> > > > > > > system and needs to update whatever
> > > information.
> > > > > > > Right now I'm including in the link the
> > > user's
> > > > > ID,
> > > > > > so
> > > > > > > when they arrive at the update page,
> their
> > > > > record
> > > > > > will
> > > > > > > be displayed.
> > > > > > > The problem is all one has to do is
> change
> > > the
> 
=== message truncated ===

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux