encrypt/decrypt

GUJUm0deL

Programmer
Jan 16, 2001
3,676
US
This is a follow-up question to thread232-1266217.

I am doing something similar for a client. I don't want to show the dynamic ID in the URL string, so I am doing an encrypt() on the page with the link, and a decrypt() on the page showing the details.

Please note that I have this working. I only need help trying to detect if the user manipulated the URL string.

This is how I have it set up:
Code:
<!--- APPLICATION.CFM --->
<cfset VARIABLES.algorithm = "AES">
<cfset VARIABLES.encoding = "hex">
<cfset VARIABLES.key = GenerateSecretKey(VARIABLES.algorithm)>
<cfset REQUEST.phrase = "454d5a4daSAASSDASD==_+Dada">
<!--- I outputted VARIABLES.key to get the value which I hardcode for REQUEST.phrase.  I then pass REQUEST.phrase in place of the "key" attribute in encrypt/decrypt.  I am doing it this way because of an issue noted here: http://forums.hostmysite.com/about4161.html --->

<!--- PAGE1.CFM --->
<cfset VARIABLES.enc = Encrypt('#query.MAIN_ID#', REQUEST.phrase, VARIABLES.algorithm, VARIABLES.encoding)>
<pre>#REQUEST.phrase#</pre>
<a href="page2.cfm?LID=#VARIABLES.enc#">view</a>

<!--- PAGE2.CFM --->
<cfset dec = Decrypt('#URL.LID#', REQUEST.phrase, VARIABLES.algorithm, VARIABLES.encoding)>

On PAGE2.CFM, I do something like this:
<cfif isdefined("URL.LID") and URL.LID NEQ "">
<cfquery name="" datasource="">
</cfquery>
<cfelse>
OOOPPPPPPSSSS!!
</cfif>

What I'd also like to do is have another check to see if the user changed the #URL.LID# value; if the user did, redirect them to the main page. How can I do that?

As it stands, if I change the value in LID, I get this error message:
There has been an error while trying to encrypt or decrypt your input string: Given final block not properly padded.

The reason I get that error is because "key" on first page is not same as "key" on display page. Is there a way to have another check for this? Or, am I just wasting my time?

____________________________________
Just Imagine.
 
What I basically want to do is check that #URL.LID# is not changed. Something like:

<cfif isdefined("URL.LID") and URL.LID EQ "what goes in here????">
All is good here.....
<cfelse>
URL.LID has been tweaked! Alert!
</cfif>

____________________________________
Just Imagine.
 

You'll have to pass the LID field and the encrypted version across to the page, then do the same encryption of the LID on the action page using the same algorithm, and then do a comparison of the two. If they are the same then there has been no tampering; if they are different then someone changed the value.

It would be better if this was a form submission, as the URL is going to be quite large.

Hope this helps!

Tony
 
Hmmm, what if I take the encrypted data (as it appears in the URL) and pass that as a hidden form var. Then on the action page compare the URL.LID to FORM.LID1. This way if the URL.LID is tampered with I'll know, because it won't match FORM.LID1.

I'll try that this weekend, and post my result.

Thanks.

____________________________________
Just Imagine.
 
I'd do this:

Code:
<cfset lid = 22>

<form action="index.cfm?Lid=<cfoutput>#variables.lid#</cfoutput>" ....>
  <input type="hidden" name="lid_enc" value="your_encrypted_variable" />
</form>

then on the index page:
Code:
<cfset dec = Decrypt('#URL.LID#', REQUEST.phrase, VARIABLES.algorithm, VARIABLES.encoding)>

<cfif NOT CompareNoCase(variables.dec, url.lid)>
  nothing changed
<cfelse>
  someone has been naughty!
</cfif>

Hope this helps!

Tony
 
Hey Tony, I see that you're comparing VARIABLES.dec to URL.LID, but where/how does the hidden field (lid_enc) come into play?

____________________________________
Just Imagine.
 
Yeah sorry, my bad, should really look over things/test things first! The test should be:

Code:
<cfset dec = Decrypt('#URL.LID#', REQUEST.phrase, VARIABLES.algorithm, VARIABLES.encoding)>

<cfif NOT CompareNoCase(variables.dec, form.lid_enc)>
  nothing changed, use the url.lid vbl
<cfelse>
  someone has been naughty!
</cfif>

hope this helps!

Tony
 
Tony, unfortunately this doesn't work.

When someone changes the URL.LID value, CF throws an error because variables.dec can't decrypt the value that was passed. The error I get is There has been an error while trying to encrypt or decrypt your input string: Given final block not properly padded.



____________________________________
Just Imagine.
 
Ok, try the exact same logic with the other variable. Instead of DECRYPTING the URL variable, ENCRYPT the form one and compare them. The encrypted variables should match just like the decrypted ones.



Hope This Helps!

ECAR
ECAR Technologies

"My work is a game, a very serious game." - M.C. Escher
 
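One way to detect a changed LID without running into the padding error, as an added example that is not part of the thread: the link carries an HMAC tag over the encrypted value, and page2.cfm checks the tag before decrypting, with cftry around the whole step. It assumes ColdFusion 10 or later (for HMAC()), an integer MAIN_ID, and hypothetical names: REQUEST.encKey, REQUEST.macKey, the T parameter, index.cfm as the main page, and the myDSN/listings query.

```cfml
<!--- Application.cfm. Both keys are placeholders: generate each once with
      GenerateSecretKey("AES") and load them from config outside the web root. --->
<cfset REQUEST.encKey = "REPLACE_WITH_STORED_AES_KEY">
<cfset REQUEST.macKey = "REPLACE_WITH_SEPARATE_MAC_KEY">

<!--- page1.cfm: encrypt the ID, then compute an HMAC tag over the ciphertext. --->
<cfset enc = Encrypt(query.MAIN_ID, REQUEST.encKey, "AES", "hex")>
<cfset tag = HMAC(enc, REQUEST.macKey, "HmacSHA256")>
<cfoutput><a href="page2.cfm?LID=#enc#&amp;T=#tag#">view</a></cfoutput>

<!--- page2.cfm: verify the tag before decrypting; any failure redirects. --->
<cfparam name="URL.LID" default="">
<cfparam name="URL.T" default="">
<cfset id = "">
<cftry>
  <cfset expected = UCase(HMAC(URL.LID, REQUEST.macKey, "HmacSHA256"))>
  <!--- MessageDigest.isEqual compares the two tags as byte arrays. --->
  <cfset md = CreateObject("java", "java.security.MessageDigest")>
  <cfif md.isEqual(CharsetDecode(expected, "utf-8"),
                   CharsetDecode(UCase(URL.T), "utf-8"))>
    <!--- The tag matches, so LID is exactly what page1.cfm issued. --->
    <cfset id = Decrypt(URL.LID, REQUEST.encKey, "AES", "hex")>
  </cfif>
  <cfcatch type="any">
    <!--- Malformed input (bad hex, bad padding) lands here, not on an error page. --->
    <cfset id = "">
  </cfcatch>
</cftry>

<cfif NOT IsValid("integer", id)>
  <!--- Missing, altered or undecryptable LID: send the user to the main page. --->
  <cflocation url="index.cfm" addtoken="false">
</cfif>

<cfquery name="detail" datasource="myDSN">
  SELECT * FROM listings
  WHERE main_id = <cfqueryparam value="#id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The tag comparison is what decides whether LID was changed; a padding error only shows that one particular altered value failed to decrypt, and other altered values can decrypt without any error.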