URL variables encrypting

khoang82

I am currently working on a middium size project. For this release, I want to add Secure URL as one of its features. I have codes that encodes and decodes the urls for me. However, going through and encode every single URL in my project takes too long. Is there any way to do it without mannually altering every URL?

khoang82

hm... This is very depressive. No one has any answer to my questions???

Paulus_Magnus

If you're using Dreamweaver, why not find/replace [url]http://[/url] to [url]https://[/url]

Otherwise, I'd suggest using relative URLs all the time or make them switchable on a constant or global. I use $site['url'] throughout my scripts so that it copes with my http://localhost test environment and the live site and I don't have to worry about changing my code anywhere.

khoang82

Finally somebody responds. Thank you very much for responding. The project I am working on has a very strong security in the background that makes it very hard to hack. Actually 5000 lines of code and amost a whole large DB is dedicated to this security scheme. So the problem is really people messing with the url and sometimes make the page display weird things. For exmaple, my project was design for laboratory to use. So some of these folks are not too knowledgable with computer. They might accidentally change something like
http://www.lab.com/lab.php?id=67&phrase=2
to
http://www.lab.com/lab.php?id=76&phrase=2
If they have no permission to the id=76 or that it doesn't exist, my project will block them from accessing it. So these folks will call and complains. So the who idea is to have the url so unreadable that they would not dare to touch it. So the url hashing is to protect them, not the project from intrusion

Khoa

laserlight

wouldnt a simpler solution would be to alter the blocking mechanism to warn that they could have entered an incorrect URL, please double check?

khoang82

well suppose that they try to view file whose id is 68 but the tampered url is point to id 86. Id 86 exists but they have no permission for it. So under their permission setting, file 86 does not exist. So how does the script tell if somebody try to hack into file 86 or it is a mistake. It can't. So it block all.

laserlight

No, you continue to block all.
The difference is that there is a warning message informing the user to check.
If it is a cracking attempt, it makes no difference.
If it isnt, the user might be able to spot his mistake without calling for technical assistance right away.

Paulus_Magnus

You could take parts of the URL, such as id, add some other characters to it and MD5 hash it, so your URL,

http://www.lab.com/lab.php?id=67&phrase=2

becomes

http://www.lab.com/lab.php?id=67&phrase=2&c=298725a2385fd329823e237238

where the c is the hash and you can simply use this as a checksum to ensure the URL is intact. Hash's scare most people. 🙂

khoang82

Originally posted by laserlight
No, you continue to block all.
The difference is that there is a warning message informing the user to check.
If it is a cracking attempt, it makes no difference.
If it isnt, the user might be able to spot his mistake without calling for technical assistance right away.

Well the example I gave is more obvious than others. There are alot of info being passed in. Some variable are more obvious than others. But overall, I do not want user to do any url modification. There might be holes in the security layers that I have never thought of. Also, from reading the url, the user can learn a little bit about the structure of the program. Though it is not easy to understand the whole structure. The bottom line is, the less the user is able to do with the URL, the better.

khoang82

Originally posted by Paulus Magnus
You could take parts of the URL, such as id, add some other characters to it and MD5 hash it, so your URL,

http://www.lab.com/lab.php?id=67&phrase=2

becomes

http://www.lab.com/lab.php?id=67&phrase=2&c=298725a2385fd329823e237238

where the c is the hash and you can simply use this as a checksum to ensure the URL is intact. Hash's scare most people. 🙂

That's what I have it done right now. I believe that I have to hash every static link and url links in the page. However, my boss thinks that there is a automated way to do this. So this thread is dedicated to finding out if such method exists. So if you know of any, do share.