1

I am developing an HTTP server application (in PHP, it so happens). I am concerned about table IDs appearing in URLs. Is it possible to encrypt URL variables and values to protect my application?

5
  • 1
    @deceze: I was so tempted to simply answer with a 'yes.' But I figured the moment of joy probably wasn't worth the inevitable (and justifiable) rep-hit...ah, my cowardice... Commented Dec 19, 2010 at 0:14
  • just would like to know how to encrypt any vars that get thrown into a url. Commented Dec 19, 2010 at 0:18
  • That's fine, but you've got to have a use case in mind. Usually encrypting URL vars is unnecessary and misses the point of what you're actually trying to achieve. Commented Dec 19, 2010 at 0:21
  • oh ok, so for sensitive information best to use sessions then, are table Ids etc safe to throw in the GET var? Commented Dec 19, 2010 at 0:25
  • Encryption requires sender and receiver to agree on the encryption keys used. How do the web browser and PHP server do this? If the means for doing that is not secure you have gained nothing. Commented Apr 21, 2015 at 19:28

4 Answers 4

2

oh ok, so for sensitive information best to use sessions then, are table Ids etc safe to throw in the GET var?

Yes, sensitive information must not leave your server in the first place. Use sessions.

As for "are table ids safe in the URL": I don't know, is there anything bad a user could do knowing a table id? If so, you need to fix that. Usually you need to pass some kind of id around though, whether that's the "native table id" or some other random id you dream up usually doesn't matter. There's nothing inherently insecure about showing the id of a record in the URL, that by itself means absolutely nothing. It's how your app uses this id that may or may not open up security holes.
Additionally think about whether a user can easily guess other ids he's not supposed to know and whether that means anything bad for your security.

Security isn't a one-off thing, you need to think about it in every single line of code you write.

Comments
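The point made in the answer above, that a record id in the URL is harmless by itself and what matters is how the application uses it, shown as an added example that is not part of the original answer: the lookup is scoped to the logged-in user, so guessing another id returns nothing. The `invoices` table, its columns and rows, and `loadInvoiceFor()` are constructed for illustration.

```php
<?php
// Added example: the id stays in the URL; the server decides who may read it.
// Table, columns and rows below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total TEXT)');
$db->exec("INSERT INTO invoices VALUES (1, 10, '19.99'), (2, 20, '250.00')");

/**
 * Return the invoice only if it exists AND belongs to the logged-in user.
 * $rawId is the untrusted value from $_GET['id']; $userId comes from the
 * server-side session, never from the request.
 */
function loadInvoiceFor(PDO $db, $rawId, ?int $userId): ?array
{
    if ($userId === null) {
        return null; // not logged in
    }
    // Accept only a positive integer; rejects '1 OR 1=1', arrays and ''.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Ownership is part of the query, so another user's id matches no row.
    $stmt = $db->prepare('SELECT id, total FROM invoices WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Simulated requests: user 10 is logged in (in a real app: $_SESSION['user_id']).
$sessionUserId = 10;
foreach (['1', '2', '999', '1 OR 1=1'] as $requested) {
    $invoice = loadInvoiceFor($db, $requested, $sessionUserId);
    // Same response for "missing" and "not yours", so ids cannot be probed.
    echo str_pad("id=$requested", 14),
         $invoice ? "200 total={$invoice['total']}" : '404 not found', PHP_EOL;
}
```

Only the request for id 1 returns data; the other user's invoice, the nonexistent id and the malformed value all get the same not-found result.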

0

Sounds like you want to pass sensitive information as a GET param.

Don't do that - use $_SESSION if you can.

However, if you want your params encoded (i.e. => +) use urlencode().

$a = 'how are you?';

echo urlencode($a); // how+are+you%3F

Comments

0

You can encrypt what you pass before you transmit, or you can run the entire communication over an encrypted channel (https or ssh for instance).

1 Comment

There are slight issues with using SSL in that as it's a GET parameter, it will be visible to the user - which may not be desired. That said, it's a very easy to implement solution that solves 95% of usage scenarios
0

Your GET variables are called whatever you choose to call them, and assigned whatever values you choose to give them. So, yes: they can certainly be encrypted or, if you'd rather, simply obscured. If you're planning to encrypt variables, then PHP has quite a few options available.

For the above, I'd recommend using something like urlencode.

In general I'd suggest using POST instead of GET, assuming you're getting your variables from a form element. On the other hand it might be even wiser to use session variables.

Comments
