22

Before anyone jumps in and says, "Oh!! that's a bad idea", I know it is.

I want to keep both the key and value in the query string to be not easily visible to the end user. I have something like this google.com/?category=textile&user=user1 I need to make it unintelligible like this: google.com/?kasjdhfkashasdfsf32423

Is there any way to achieve this in javascript. I have already seen this

I have already seen this and this.

but I don't think encoding will solve the problem. Also, this code is entirely in client side. I know that it is not secure but I just need this is a naive, weak defense. Please help.

Edit

I apologize if my question was not clear earlier.

The URL google.com/?category=textile&user=user1 is being passed on from a different application.

The values passed in the query string directly controls what is being displayed to the user. As is, anyone with no technical knowledge can easily change the value and view the data corresponding to a different category or user. I need to make this unintelligible so that it is not obvious. If a user is a techie and figures out the encryption used, then it is fine. I need a stop-gap solution till we have a better architecture in place

Improve this question
14
  • 1
    What is the data you're trying to protect? Can you just submit a form so that values are only passed in the HTTP body. And yes, it is a bad idea, your URLs won't be friendly Commented Nov 6, 2013 at 18:07
  • 2
    Why are you thinking of javascript for this? It's really a matter of generating the scrambled urls and then responding to them on the server side. What is your backend technology? Commented Nov 6, 2013 at 18:07
  • 4
    Oh!! that's a bad idea ;-) Commented Nov 6, 2013 at 18:10
  • 1
    You could use base64. Commented Nov 6, 2013 at 18:10
  • 2
    Defense against what? What kind of data you are trying to secure. Why not simply using a POST so that values aren't part of the URL at all? Do not forget that knowing a resource's URL doesn't matter as long as accessing the resource itself it secured. Commented Nov 6, 2013 at 18:13

2 Answers 2

Reset to default
40

You can use base64. Javascript has native functions to do that :

alert(btoa("category=textile&user=user1")); // ==> Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx

and to reverse it : 

alert(atob("Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx")); // ==> category=textile&user=user1

Be careful to read the doc if you have unicode strings, it's a little different : https://developer.mozilla.org/en-US/docs/Web/API/Window.btoa

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

atob and btoa functions are not supported in IE8 and IE9
You can easily find a polyfill for IE.
@sebcap26., You are awesome man!! Thanks a ton.. I was struggling to resolve an issue in my webpage. Now its working great. But, the issue is sending a string(which has lots of single and double quotes) as a paramater to the function. I was trying to escape those quotes but, couldnt acheive. Finally encrypted and decrypted the string. LOL ... thanks once again..
base64 is not encryption, It's encoding :/
there are so many online tools can decode base64, so data is not secure at all. don't recommend base64
10

If you don't looking for serious strong crypto, you can use ROT13:

http://en.wikipedia.org/wiki/ROT13

This is enough for slightly obfuscate keys/values in the your URLs.

Improve this answer

5 Comments

Thanks.This seems fine for my purpose except that it displays numbers as-is.
If you need little stronger, and "encrypt" numbers, too -- I suggest to use Rot47: rot47.net
This served the purpose and I was able to encrypt numbers also. Thanks for the solution. I would have gone with base64 encoding if it was natively supported
Rot47 vs base64 has 3 advantages: 1. Not well-known, so little difficult to decrypt by standard tools and ideas. 2. Does not increase string length. 3. Procedures encode and decode are same; so enc = rot47(msg); dec = rot47(enc); dec == msg;
Doesn't rot47 generate characters that are not allowed in URLs?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.