URL Masking

klaus

Hi,

I'm trying to protect the inner side of the execution - the indirect one.

For example if someone is trying to search for something like your-domain.com/search.php?new_search.....
would be something masked like:
domain.com/search.php?id=&la=ita&af=&de=&pl=1&ca=3aac7ec3a5cc8&aa=&bb=&cc=&dd=

& you can choose to do what ever you wanna search & you'll always get this http://your-domain.com/search.php?id=&la=ita&af=&de=&pl=1&ca=3aac7ec3a5cc8&aa=&bb=&cc=&dd=

How can this be done in php?!! Did someone found some solution like this befor?!! I know that this might be easy,... but I've no idea how this can be done. For a quick reference of the sample you can look at register.com and also register.it (this one is a php site which is parsing html as php) querry. They protected their access recently to the whois interface. Can someone give me a hand to solve this out?

Any idea would be very appritiated.
Thanks.

-Gord

Anon

try to use frames.

klaus

Hi Lauri,

Frames?!! Look I'm not talking about the URL Cloaking,... ;-) I'm talking about the url execution protection. Executed URL Masking. Look just go to register.it (by the way don't buy any domain there because they're expensive exactly as the assasins are. ;-))) & then choose to querry a domain. ;-) Then you'll see in the URL Address place (of your browser) that what I was talking about. Yeah,... exactly. I wanna hide all inner files & the executed URL that shouldn't suppossed to be seen from outside. Like this:
domain.com/search.php?id=&la=ita&af=&de=&pl=1&ca=3aac7ec3a5cc8&aa=&bb=&cc=&dd=

Register.com did the same thing & so on.
Any idea Lauri, how this could be done? I'm driving myself crazy to find a solution for it. It shure is a nice challange for all of us. Any idea fallks?

Thanks Lauri.

-Gord

jcleary

I think register.com are using sessions in the url. i suppose they save the variables into session variables and then just pass the session ID.

Would that work? I'm not sure.

John

klaus

Hi,

John Cleary wrote:

I think register.com are using sessions in the url. i suppose they save the variables into session variables and then just pass the session ID.

Session in the URL. That's interesting indead. & passing variables into the session variables. That make sence.

Can you give me a practical example please?
I'm probably having a confused ideas, so I wanna see how this might be done practicly.

But on the other way... it's not accepting standard url querry even if you're trying to access it from their url.

For example the normal querry is:

http://www.register.com/whois-results.cgi?1|2129832291|CO1&domain=register.com

& you'll get an answer like this (It's not a leach - bandwith protection I think):
This page is not directly accessible.

& the new protected URL is now:

http://www.register.com/whois-results.cgi?b9bcf18bfc9200ca15935f6f802995c157ff8f2401528455b5d00c246aa261b6

Any idea. Thanks John.

-Gord.

jcleary

Gord

I'm really not sure how register.com do it! It lookes like they are using session IDs, but they have created different ones for each link on the page. You could do this yourself by created pseudo-session id and storing them in a table agains the links.

So you would have to create a table and have an entry in it for every link on your page you wanted to protect. Then, when a user clicked on the link you could use fopen to read the results of the url into the file, so your magic script would just be

$sql_id = mysql_query("select query from table where id=".session_id());
$row = mysql_fetch_array($sql_id);

$fp = fopen($row["query"]);
while (!feof($fp)) {
$buffer = fgets($fp, 4096);
echo $buffer;
}
fclose($fp);

and I suppose you could build in a function to strip out urls and replace them with pseudo-session ids

Hope this helps
John

klaus

Hi,

John Cleary wrote:

I suppose you could build in a function to strip out urls and replace them with pseudo-session ids

Yeah, that's exactly what I would like to do.
MySql is not my strong side, but I'll try to stick in it something that might work. If they did it so can I. That's a good start.

Thanks John.

-Gord

Anon

Ok
I think they are using somekind of array where array keys are variable names and key values are variablevalues. then they using implode function to convert array to a string and after explode to convert string back to array and get all values.

Anon

Try urlencode() urldecode() functions...

klaus

Hi Dimitriy,

Dmitriy Nesterkin wrote:

Try urlencode() urldecode() functions...

This might probably be the best solution to my problem. Can you give me an example of that coding with it. I mean the complete one.

I saw a sample of it at the php.net
If you know where can I find a practical already completelly working code of it (an url tha is encoded & decoded in the small script) please just let me know. Just post the URL.

By the way did you try it? Did you encounter any problem with the stability of the URLs? Were they easily accessible, or with a difficulty? A friend of mine did it with a mysql integration (and he\'s so jelous on his code - another closed mentality in the open source), but with a system that only he can understand, & is very unstable. Looks like asp in trouble. You know like \"It\'s impossible to visualise this page. OR This page doesn\'t exist.\" Depands from your inactivity on tht page. If you\'re fast with navigating is okay, otherwise... He done something wrong...

Can you share that secret with us please?
I appritiate your help very much. & this sure is a very good start. Thanks.

-Gord

Anon

Sure there is a lot of good stuff at http://conf.php.net. This is a conference web site for php.net and it contains web based slides that have some cool info. You won't lose by checking all of it... On several of these slides Rasmus Lerdof shows how to use urlecode funtions.