URL Encryption and Decryption...

Status
Not open for further replies.

ClarkKent101

Programmer
Jul 19, 2006
48
DE
Hi Everyone,

I have a page that sends URL parameters to another page that I want encrypted so the user won't change any of the values in the URL. I have looked at some examples on the net but none of them really helped me - I just got a fair understanding about how the encrypt and decrypt functions work instead of knowing how to use them properly. Let's say I have the following:

<a href="destination.cfm?ticketID=#rsUserTickets.ticketID#">Click here</a>

How would I use the encrypt() function to encrypt the dynamic data so it displays an encrypted value in the URL instead of the actual dynamic value?

Thanks for the help,

- CK
 
Something like the following should work.

Code:
<a href="destination.cfm?ticketID=#Encrypt(rsUserTickets.ticketID, "mystring")#">Click here</a>

On the processing page, you would use the following:

Code:
#Decrypt(decrypted, "mystring")#

mystring is the phrase you want to be used for the encryption, so you can change that to anything, as long as it is the same on both code sections.

Note, I haven't tested this, so it may need some tweaking.

Hope this helps

Wullie

Fresh Look - Quality Coldfusion 7/Windows Hosting
YetiHost - Coming Soon

The pessimist complains about the wind. The optimist expects it to change. The leader adjusts the sails. - John Maxwell
 
Almost.

Code:
#Decrypt(url.ticketID, "mystring")#

You may also want to look into using UrlEncodedFormat/UrlDecode to make it more URL friendly.

Hope This Helps!

ECAR
ECAR Technologies

"My work is a game, a very serious game." - M.C. Escher
 
Ah, this is interesting, I didn't realize it could be encrypted like this.

Is there any form of clever universal script that can encrypt all URL parameters on the site, that runs in the Application.cfm file or something?

Rob
 
Another quick best practices question on this.

Would I be better to decrypt the URL in the script that passes the values to my CFC or in the CFC itself?

My guess would be that I should do it in my CFC.

Rob
 
As another point, after a little shopping around it would seem that you need to format the string for the URL as well as encrypting it, otherwise it can apparently cause problems.

#URLEncodedFormat(Encrypt(qGetMembersUnits.group_id,"#application.UrlKey#"))#

So for instance, this formats my encrypted information using a key which I store in my application.cfm file.

Also keep in mind there are a stack of other security measures you should be using when passing URL parameters.

When I pass a URL variable I also pass a second reference field in the session scope to use for verification.

So say I have a bunch of messages I want to view: in the URL I pass the messageID to collect the full details of the message, but I also use session details to grab the current user ID to make sure they own that message.

Next off you need to look at using <cfqueryparam> to make sure that the URL that has been passed isn't a little dodgy.

Follow that up with this encryption and you should be pretty safe, but I've read that CF Encryption is pretty simple to break so make sure you implement these other security measures as well.

Rob
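
The checks described in the post above, put together as an added example (not code posted by anyone in this thread): the ID is encrypted with AES and Hex output so it is URL-safe as is, and the processing page validates the decrypted value and confirms ownership with `<cfqueryparam>`. The `messages` table, its columns, `qMessages`, `session.userID` and `application.dsn` are assumed names.

```cfml
<!--- Application.cfm (assumed layout): create the key once per application start.
      Links issued before a restart stop decrypting; store a fixed key outside
      the web root if links must survive restarts. --->
<cfif NOT StructKeyExists(application, "UrlKey")>
  <cfset application.UrlKey = GenerateSecretKey("AES")>
</cfif>

<!--- Linking page: Hex output contains only 0-9 and A-F, so no URLEncodedFormat
      is needed and nothing is altered when CF decodes the URL scope. --->
<cfoutput query="qMessages">
  <a href='message.cfm?messageID=#Encrypt(qMessages.message_id, application.UrlKey, "AES", "Hex")#'>View</a>
</cfoutput>

<!--- message.cfm: the decrypted value is still untrusted input. --->
<cfparam name="url.messageID" default="">
<cfset messageID = "">
<cftry>
  <cfset messageID = Decrypt(url.messageID, application.UrlKey, "AES", "Hex")>
  <cfcatch type="any">
    <!--- Malformed or altered token: messageID stays empty and is rejected below. --->
  </cfcatch>
</cftry>

<!--- Reject anything that did not decrypt to an integer. --->
<cfif NOT IsValid("integer", messageID)>
  <cfheader statuscode="400" statustext="Bad Request">
  <cfabort>
</cfif>

<!--- Encryption hides the ID but is not an integrity or authorization check.
      The owner_id condition is what decides whether this user may see the row. --->
<cfquery name="qMessage" datasource="#application.dsn#">
  SELECT message_id, subject, body
  FROM messages
  WHERE message_id = <cfqueryparam value="#messageID#" cfsqltype="cf_sql_integer">
    AND owner_id = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same response for "does not exist" and "not yours". --->
<cfif qMessage.recordCount EQ 0>
  <cfheader statuscode="404" statustext="Not Found">
  <cfabort>
</cfif>
```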
 
TamedTech said:
...but I've read that CF Encryption is pretty simple to break...
I think you may be confusing CF's encryption function with its page/code encryption capability. These are two totally unrelated features of CF. Could you provide links to any articles you may have read?
TamedTech said:
...after a little shopping around it would seem that you need to format the string for the URL as well as encrypting it...
That's why I suggested it in my first post. Also, it's going to get a little tricky when you start passing integers. I'm not sure why, but sometimes if you try to UrlDecoded/UnEncrypt a UrlEncoded/Encrypted integer, it will break. But, if you just UnEncrypt a UrlEncoded/Encrypted integer, it will work. And I think it's going to depend on what version of CF you're using too.

Hope This Helps!

ECAR
ECAR Technologies

"My work is a game, a very serious game." - M.C. Escher
 
Thanks to all for your great responses :). I appreciate all your input. What I have right now is working great. I took what Wullie said as well as the correction from ECAR and implemented it - upon doing that I went further by adding the URLEncodedFormat function as well - that's working great too. Here is my code now:

Code:
<cfset key = "mystring">
<a href='destination.cfm?ticketID=#URLEncodedFormat(Encrypt(rsUserTickets.ticketID, "#key#"))#'>Remove this Ticket </a>

// Processing Page...
Code:
<cfset key = "mystring">
ticketID = #Decrypt(URL.ticketID, "#key#")#

Thanks for the help guys :),

- CK
 