On Sep 2, 2005, at 1:42 PM, Aparajita Fishman wrote:
> You can't decode MD5. It's a one-way hash.
One of the reasons I was asking. Obviously that's not exactly what he is doing, but he's doing something worth investigating.
> I would still like to know _why_ you want to encrypt the link, that will help me suggest a solution.
For example, a list of transactions/invoices. Each row in the table has a link to a detail page. "detail.a4d?t=123456".
Nothing prevents a user from editing the URL to "detail.a4d?t=654321" and thus viewing a page not intended for them. If one encrypts the variables passed, simply editing the URL is much, much less likely to result in a valid URL.
What I am currently doing is checking whether the requested transaction/invoice belongs to the company of the user. We log approximately a dozen attempts a day of users trying to access invoices that are not theirs. Were we to encrypt the variable URL data, I would still check to see if the invoices belong to them before displaying, but the users would be that much less likely to try, time and again anyway, and both my client and more than a few of their clients would look at this as an extra security step.
--
Bart Alcorn
AvantraNet, Inc.
Office: 678-580-3265
Mobile: 770-335-5518
AIM/iChat: AvantraNet
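
The approach described in the message above, as an added example that is not part of the original thread and not Active4D code (it is written in Python): the `t` value is made tamper-evident with an HMAC tag, used here instead of encryption, while the company ownership check stays the deciding control and rejected requests are logged. The key, function names and invoice table are constructed for the example.

```python
import base64
import hashlib
import hmac
import logging

log = logging.getLogger("invoice-access")

# Assumption: a server-side secret that is never sent to the browser.
SECRET = b"constructed-demo-key"

# Constructed sample data: invoice id -> owning company.
INVOICE_OWNER = {123456: "acme", 654321: "globex"}


def make_token(invoice_id: int, company: str) -> str:
    """Build the value for ?t=: the id plus an HMAC tag bound to the viewing company."""
    msg = f"{invoice_id}:{company}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]
    return f"{invoice_id}.{base64.urlsafe_b64encode(tag).decode().rstrip('=')}"


def resolve(token: str, company: str):
    """Return the invoice id if the token is intact and the invoice belongs
    to the logged-in user's company; otherwise log the attempt and return None."""
    try:
        id_part, _tag = token.split(".", 1)
        invoice_id = int(id_part)
    except ValueError:
        log.warning("malformed token company=%s", company)
        return None
    # Recompute the expected token and compare in constant time.
    expected = make_token(invoice_id, company)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        log.warning("tampered token company=%s id=%s", company, invoice_id)
        return None
    # The ownership check remains authoritative even when the tag is valid.
    if INVOICE_OWNER.get(invoice_id) != company:
        log.warning("cross-company attempt company=%s id=%s", company, invoice_id)
        return None
    return invoice_id
```

Editing the id in a link such as `detail.a4d?t=<token>` invalidates the tag, so the request is rejected and logged before the ownership lookup is reached.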
