URI encryption

[santanudas]

Hi all,

How to encrypt the URI string (or maybe put some extra garbage in it) so that it’s not easily understandable when passing through a Perl/CGI?
Say like, if I want to pass an URI like this:

<a herf=”/cgi-bin/xyz/xyz.cgi?MODE=ABC&DIR=$blah&FILE=$blah.txt”>

and on the next page this is exactly what we gonna see in the address bar. How to make it a bit more meaning less to the viewers? Any idea?

Thank you once again, Cheers!!!

 

[Kirsle]

If you want a quick solution that'll make it look entirely meaningless, try Base64.

use MIME::Base64 qw(encode_base64 decode_base64);

my $query = "MODE=ABC&DIR=$blah&FILE=$blah.txt";
my $enc = encode_base64 ($query);

print "<a herf=\"/cgi-bin/xyz/xyz.cgi?$query\">";

And then on the next page

use MIME::Base64 qw(encode_base64 decode_base64);

my $query = $ENV{QUERY_STRING};
my $dec = decode_base64 ($query);

# $dec = "MODE=ABC&DIR=$blah&FILE=$blah.txt"

Doing it this way though would make the CGI.pm module not work. If you were relying on CGI.pm, search CPAN for some better alternatives.

Namely, something that could convert every single character into its hexadecimal counterpart, so that you'd have a lot of "#0x00EEFF;" kinds of things to represent each individual character.

Or, you can just have your query string POSTed to the next page instead of GETed, so that the query string isn't visible in the address bar of the web page.

-------------
Kirsle.net | Kirsle's Programs and Projects

 

[santanudas]

Hi Kirsle ,

Many thanks for the code (and idea). It actually did solve the purpose, but not really in very straightforward way.
Lets take the pervious example, say, I'd like to pass this URI, say for example from abc.pl to def.pl

<a herf=”/cgi-bin/xyz/xyz.cgi?MODE=ABC&DIR=$d_blah&FILE=$f_blah”>

I like to do this so that the value of DIR and FILE can be used in def.pl later on. And to do that I put these in my xyz.cgi

$mode = $FORM{MODE};
$x_dir = $FORM{DIR};
$x_file = $FORM{FILE};

Now in def.pl if I need to specify something like this:

<img src="/$web_path/$x_dir/80x50/$x_files”>

I can’t do that using

my $query = "MODE=ABC&DIR=$d_blah&FILE=$f_blah";
my $enc = encode_base64 ($query);

in the abc.pl, or can I?
So, I encrypted $d_blah & $f_blah individually in the abc.pl and decrypted back in the def.pl to make the <img src=”....> string meaning full to the browser. It actually doesn’t make it totally meaningless either. Is there any other work around?

I see another problem with this type of encryption. Say, if I want to pass this URI

<a href="/$web_path/$dir/files/$file[$i]">

where, the next page is the browser itself, then definitely I can encrypt the entire string but how can the browser decrypt it back to bring the file up? I can't figure out.
Dose it sound like a stupid question?

 

[Kirsle]

Judging by how you have %FORM, I'm assuming you're parsing the query string yourself?

So, say when the entire query is encrypted, it links to

/cgi-bin/xyz/xyz.cgi?dd87fsr8ewrsffw8r6w8f==

The CGI script xyz.cgi just needs to decode the query and then parse it like normal:

my $query = decode_base64 ( $ENV{QUERY_STRING} );
my @pairs = split(/\&/, $query);
foreach my $pair (@pairs) {
   my ($var,$value) = split(/=/, $pair, 2);
   $value = uri_unescape ($value);
   $FORM{$var} = $value;
}

$mode = $FORM{MODE};
$x_dir = $FORM{DIR};
$x_file = $FORM{FILE};

If on the other hand you completely encode each individual character into its hex counterpart, the browser (or server) decodes it automatically. For instance, URI encoding turns spaces into "%20" and exclamation points into "%21" (as well as several other characters), but the server still manages to decode it on the other end and gets the original data from it.

-------------
Kirsle.net | Kirsle's Programs and Projects

 

[KevinADC]

why do you want to encode a query string anyway? The data being visible should not matter unless your script is unsecure to begin with. In which case obfuscating the query string is of little practical value.

- Kevin, perl coder unexceptional!