I've written an application that passes variables back and forth through the URL as the user bounces between pages. We decided that we want to "hide" what those variables are, so the user can't arbitrarily change them to make things happen that shouldn't. So, we've encrypted the variable string.
Instead of seeing:
...index.php?startDate=2001-01-01&endDate=2002-01-01&building=1
They instead see:
...index.php?1e826a92f309b8271c0091e7a8d92839af3b1b918
This works great; however, if they manually enter:
...index.php?startDate=2001-01-01&endDate=2002-01-01&building=1
It still works, which is bad. I'm currently accessing the encrypted string with $_SERVER['argv'][0]. Register Globals is OFF. I guess I need a way to ignore every variable passed EXCEPT argv[0], or somehow unset argv[] after I check argv[0] to see if it is decryptable. I guess I could rename the variables, but they could still pass them through the URL if they discover the name somehow. Or maybe I'm going about this all wrong. :bemused:
Any thoughts? Thanks.
Mark
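
One way to close the gap described in the post, as an added example that is not part of the original post: the page takes its values only from the decrypted, authenticated token and rejects any query string that is not a valid token, so plaintext `startDate=...` parameters are never read. It assumes PHP 7.2+ with the sodium extension; `seal_params()`, `open_params()`, `ALLOWED_KEYS` and the demo key are hypothetical names and constructed values.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.2+ with ext-sodium.

// Constructed demo key (32 bytes as hex). A real key is random and stored outside the web root.
const APP_KEY_HEX = '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f';
// Only these names are ever handed to the application.
const ALLOWED_KEYS = ['startDate', 'endDate', 'building'];

// Build the opaque token that goes after the "?" in generated links.
function seal_params(array $params, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox(http_build_query($params), $nonce, $key);
    return bin2hex($nonce . $box);
}

// Return the parameters carried by a valid token, or null for anything else.
function open_params(string $queryString, string $key): ?array {
    $min = 2 * (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES);
    // The whole query string must be hex: "name=value&..." fails here because of "=" and "&".
    if (strlen($queryString) < $min || strlen($queryString) % 2 !== 0
        || !ctype_xdigit($queryString)) {
        return null;
    }
    $raw = hex2bin($queryString);
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox is authenticated: a modified or forged token returns false.
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null;
    }
    parse_str($plain, $params);
    return array_intersect_key($params, array_flip(ALLOWED_KEYS));
}

// Demo with constructed query strings. In the page itself, pass
// $_SERVER['QUERY_STRING'] and never read $_GET or $_REQUEST for these values.
$key = hex2bin(APP_KEY_HEX);
$token = seal_params(
    ['startDate' => '2001-01-01', 'endDate' => '2002-01-01', 'building' => '1'], $key);
$tampered = substr($token, 0, -1) . ($token[-1] === '0' ? '1' : '0');
$plaintext = 'startDate=2001-01-01&endDate=2002-01-01&building=1';

foreach (['token' => $token, 'plaintext' => $plaintext, 'tampered' => $tampered] as $label => $qs) {
    $params = open_params($qs, $key);
    // A null result is where the page would answer 400 and stop.
    echo $label . ': ' . ($params === null ? 'rejected' : json_encode($params)) . "\n";
}
```

The token only hides and authenticates the values; whether the current user may view a given building still has to be checked on the server after decryption.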