Reputation: 6019
Encrypt IDs in URL variables
I am developing an HTTP server application (in PHP, it so happens). I am concerned about table IDs appearing in URLs. Is it possible to encrypt URL variables and values to protect my application?
Upvotes: 1
Views: 8063
Answers (4)
Reputation: 522042
oh ok, so for sensitive information best to use sessions then, are table Ids etc safe to throw in the GET var?
Yes, sensitive information must not leave your server in the first place. Use sessions.
As for "are table ids safe in the URL": I don't know, is there anything bad a user could do knowing a table id? If so, you need to fix that. Usually you need to pass some kind of id around though, whether that's the "native table id" or some other random id you dream up usually doesn't matter. There's nothing inherently insecure about showing the id of a record in the URL, that by itself means absolutely nothing. It's how your app uses this id that may or may not open up security holes.
Additionally think about whether a user can easily guess other ids he's not supposed to know and whether that means anything bad for your security.
Security isn't a one-off thing, you need to think about it in every single line of code you write.
Upvotes: 2
Reputation: 253318
Your GET variables are called whatever you choose to call them, and assigned whatever values you choose to give them. So, yes: they can certainly be encrypted or, if you'd rather, simply obscured. If you're planning to encrypt variables, then PHP has quite a few options available.
For the above, I'd recommend using something like urlencode.
In general I'd suggest using POST instead of GET, assuming you're getting your variables from a form element. On the other hand it might be even wiser to use session variables.
Upvotes: 0
Reputation: 321
You can encrypt what you pass before you transmit, or you can run the entire communication over an encrypted channel (https or ssh for instance).
Upvotes: 0
Reputation: 490213
Sounds like you want to pass sensitive information as a GET param.
Don't do that - use $_SESSION if you can.
However, if you want your params encoded (i.e. => +) use urlencode().
$a = 'how are you?';
echo urlencode($a); // how+are+you%3F
Upvotes: 0
Related Questions
- How can I encrypt all ids in url in Laravel 5.2
- Encrypting data in url
- Encrypted ID in URLs
- How to secure the id that are passed in a URL?
- Encrypt parameter in url
- what is a good way to encrypt a id in a url?
- Encrypting an id in an URL in ASP.NET MVC
- Encrypted text to passed as id in the url in asp.net mvc
- URL parameters value encryption/decryption
- Encrypt/Encoding an ID in URL string