Hi Jason,

I'll skip question one, and give you my take on question two.

I do something like this.
Declare two functions:

<cfset variables.enc_key = "secret-hex-key" />
<cfset variables.enc_format = "BLOWFISH" />
<cfset variables.enc_encoding = "HEX" />

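<cffunction name="encodeUrl" returntype="string" output="false">
        <cfargument name="url_str" default="" />
        <!--- var-scope the local so it does not leak into the shared variables scope --->
        <cfset var return_url = encrypt(arguments.url_str, variables.enc_key, variables.enc_format, variables.enc_encoding) />
        <!--- the hex ciphertext is URL-encoded before it goes into the link --->
        <cfreturn urlencodedformat(return_url) />
</cffunction>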

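<cffunction name="decodeUrl" returntype="void" output="false">
        <!--- var-scope the locals so they do not leak into the shared variables scope --->
        <cfset var qs = "" />
        <cfset var i = 0 />
        <cfset var varPair = "" />
        <cfset var varName = "" />
        <cfset var varVal = "" />
        <cfif len(cgi.query_string) gt 0>
                <!--- the whole query string is the URL-encoded ciphertext --->
                <cfset qs = urldecode(cgi.query_string) />
                <cfset qs = decrypt(qs, variables.enc_key, variables.enc_format, variables.enc_encoding) />
                <!--- split the decrypted string back into name=value pairs --->
                <cfloop from="1" to="#listLen(qs,'&')#" index="i">
                        <cfset varPair = listGetAt(qs,i,'&') />
                        <cfset varName = getToken(varPair,1,'=') />
                        <cfset varVal = getToken(varPair,2,'=') />
                        <!--- skip the session identifiers; cfparam only sets names not already present in the url scope --->
                        <cfif varName neq 'cfid' and varName neq 'cftoken'>
                                <cfparam name="url.#varName#" default="#varVal#" />
                        </cfif>
                </cfloop>
        </cfif>
</cffunction>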

I can then encrypt a url like so:

http://forums.anandtech.com/forumdisplay.php?#encodeUrl('f=14&order=desc&page=2')#

And decode it and recreate the URL structure on the following page like so:

<cfset decodeUrl() />

Hey presto, I can reference url variables as normal.

Simples



On 17 Aug 2010, at 21:44, Jason Allen wrote:

1. Should I encrypt url strings so that users are not enticed to play
with them?
2. If so, what is the best way to go about it?

I'm building a site/app and many things are done by passing variables
through URLs. I see this done all the time with Facebook (profile
IDs), forums (page view, sorting), and other sites.

ex.

http://forums.anandtech.com/forumdisplay.php?f=14&order=desc&page=2

I'm just wondering if it's worth the effort to try and obfuscate the
url string for security reasons. I know this isn't limited to just
OpenBD, but as I'm deploying this on OpenBD I'll be looking at how to
do this with its toolset.

-Jason

--
Open BlueDragon Public Mailing List
http://www.openbluedragon.org/   http://twitter.com/OpenBlueDragon
official manual: http://www.openbluedragon.org/manual/
Ready2Run CFML http://www.openbluedragon.org/openbdjam/

mailing list - http://groups.google.com/group/openbd?hl=en
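
A stricter variant of the decodeUrl function from the reply above, added here as an example and not part of the original post: it returns the parameters in a struct instead of writing them into the url scope, accepts only names on an allow-list, and fails closed when the ciphertext does not decrypt. The names decodeUrlStrict, allowed_names, result and decoded are hypothetical; it assumes the same BLOWFISH/HEX settings as the post and standard CFML tags and functions.

```cfml
<!--- Added example, not from the original post. decodeUrlStrict and allowed_names are hypothetical names. --->
<cffunction name="decodeUrlStrict" returntype="struct" output="false">
    <cfargument name="enc_qs" type="string" required="true" />
    <cfargument name="enc_key" type="string" required="true" />
    <cfargument name="allowed_names" type="string" required="true" />
    <cfset var result = structNew() />
    <cfset var qs = "" />
    <cfset var i = 0 />
    <cfset var varPair = "" />
    <cfset var varName = "" />
    <cfset result.ok = false />
    <cfset result.params = structNew() />
    <cfif len(arguments.enc_qs) eq 0>
        <cfreturn result />
    </cfif>
    <cftry>
        <cfset qs = decrypt(urldecode(arguments.enc_qs), arguments.enc_key, "BLOWFISH", "HEX") />
        <cfcatch type="any">
            <!--- Edited or truncated ciphertext that fails to decrypt: fail closed --->
            <cfreturn result />
        </cfcatch>
    </cftry>
    <cfloop from="1" to="#listLen(qs, '&')#" index="i">
        <cfset varPair = listGetAt(qs, i, "&") />
        <cfset varName = getToken(varPair, 1, "=") />
        <!--- The cipher carries no integrity check, so altered input can also decrypt
              to garbage without an error; an unknown name rejects the whole request --->
        <cfif listFindNoCase(arguments.allowed_names, varName) eq 0>
            <cfset result.params = structNew() />
            <cfreturn result />
        </cfif>
        <cfset result.params[varName] = getToken(varPair, 2, "=") />
    </cfloop>
    <cfset result.ok = true />
    <cfreturn result />
</cffunction>

<!--- Usage on the receiving page; variables.enc_key is the key set at the top of the post --->
<cfset decoded = decodeUrlStrict(cgi.query_string, variables.enc_key, "f,order,page") />
<cfif not decoded.ok>
    <cfheader statuscode="400" statustext="Bad Request" />
    <cfabort />
</cfif>
```

The page still has to check that the current user is allowed to see whatever the decoded values (for example decoded.params.f) refer to.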
