Hi,

There are a couple of ways to do that then.

You can either place a checksum in the query string, using MD5.

Or

You could encrypt all the details in the string and then decrypt it when
they call it.

Or

In the database or whatever holds the report you could generate a unique
hash and store that in the DB and supply them with that in the query string.

That way you just look up the report on the param in the query and use that.

There are many ways to do it. The last one would be the quickest to execute
as you are not generating hashes or encrypting/decrypting each time.

Adam
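An added example of the first and third options above, not code from this thread, written in Python rather than the list's Perl. A bare MD5 of the id can be recomputed by anyone who sees the URL, so the checksum variant uses a keyed HMAC; the secret key, report ids and token store are constructed for the example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Server-side secret (constructed placeholder); never sent to clients.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def sign_report_id(report_id: int, key: bytes = SECRET_KEY) -> str:
    """Option 1: keyed MAC over the report id, hex-encoded and truncated."""
    msg = f"report:{report_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def build_report_url(report_id: int, key: bytes = SECRET_KEY) -> str:
    """Produce the /report.cgi?id=200&sig=... link handed to the client."""
    return "/report.cgi?" + urlencode(
        {"id": report_id, "sig": sign_report_id(report_id, key)}
    )


def verify_report_request(url: str, key: bytes = SECRET_KEY):
    """Return the report id if the signature matches, else None.

    Changing id=200 to id=199 invalidates sig, so the lookup is refused.
    compare_digest avoids leaking the match position through timing.
    """
    params = parse_qs(urlparse(url).query)
    try:
        report_id = int(params["id"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    if not hmac.compare_digest(sign_report_id(report_id, key), sig):
        return None
    return report_id


def issue_report_token(report_id: int, store: dict) -> str:
    """Option 3: unguessable random token stored beside the report id."""
    token = secrets.token_urlsafe(24)   # 192 bits, not enumerable
    store[token] = report_id
    return token


def lookup_report_token(token: str, store: dict):
    """Resolve a token to its report id with a plain store lookup."""
    return store.get(token)
```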


----- Original Message ----- 
From: "Steve Comrie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 07, 2003 10:43 AM
Subject: Re: [cgiapp] Re: URL Encryption


> Mark,
>
> The problem I'm having is that the report section of my app needs to be
> viewable to users without a password (as per the client's request) but our
> client has many clients, each of whom may have access to different reports.
> Our client will be sending each client a URL for each report they are able
> to view.
>
> I never really know which reports our client will deem viewable by which of
> their clients, so I need an easy / secure way to make sure 'Client A' that
> receives /report.cgi?id=200 can't URL hack the id=200 to be id=199 which may
> be a report meant for 'Client B'.
>
> I could come up with a quick solution using crypt() on the reportid and
> including the result in the arguments along with the report id:
> /report.cgi?id=200enc=a23dj7923h or possible doing a simple encryption on
> the report id itself /report.cgi?id=2dj872. I was just wondering what
> techniques other people are using to get around this same challenge.
>
> ---
> Steve Comrie
>
> ----- Original Message ----- 
> From: "Mark Stosberg" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, October 06, 2003 10:31 PM
> Subject: [cgiapp] Re: URL Encryption
>
>
> > On 2003-10-06, Steve Comrie <[EMAIL PROTECTED]> wrote:
> > > I know there's a couple people on the list that have mentioned it before
> > > and I haven't had a use for it up until now, but what techniques / CPAN
> > > modules are being used to encrypt static URL's to prevent URL hacking?
> >
> > By static URL, I assume you mean a "GET" style query string, not just
> > the URL of a static page.
> >
> > My applications tend to be (Postgres) database backed. Often I pass
> > around primary ids of table rows (instead of the data). Or, if a user
> > has some data that is specific to them, it can be stored in session
> > table, and just the session_id is passed. Lately, I've been using
> > CGI::Session for that, and I will start using my own
> > CGI::Session::PureSQL module with it soon.
> >
> > "PureSQL" stores data in the standard database way of one value per
> > column, rather than the default CGI::Session method of serializing all
> > the data into a Perl data structure in a single DB column. That will be
> > released on CPAN once it's cleaned up a bit.
> >
> > I noticed that someone wrote CGI::Session::Auth, which adds extra
> > functions to check for "logged_In" and so forth. I may look more into
> > that module as well.
> >
> > Mark
> >
> > --
> > http://mark.stosberg.com/
> >
> >
> > ---------------------------------------------------------------------
> > Web Archive:  http://www.mail-archive.com/[EMAIL PROTECTED]/
> >               http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
>
