encrypting a query string value?

Forum Moderators: phranque

Message Too Old, No Replies

encrypting a query string value?

I want to obscure a variable

ShaunG

11:18 pm on Apr 8, 2009 (gmt 0)

I have a link on my page (http://www.example.com/?ag=3443&id=keyword) where the id= is a dynamic variable. When someone clicks that link they can now see the id variable in the browser. Is there a way I can encrypt just that variable after it is clicked so it wont show up in the browser?

jdMorgan

11:25 pm on Apr 8, 2009 (gmt 0)

You can encrypt it, but it *will* show in the browser -- it'll be encrypted, but it will show.

This is a security issue, in that the browser is owned by your visitor, and that visitor has a right to see where he/she is going.

If you do decide to encrypt it, be aware that the character-set for URL-paths and query strings is restricted; any characters not allowed will be hex-encoded (a simple example being spaces converted to %20) before transmission. Make sure that the script that you use on your server can handle un-encoding these characters prior to decrypting the value.

See RFC2936 [faqs.org] for details.

Jim

ShaunG

1:21 am on Apr 9, 2009 (gmt 0)

Jim,

It is OK if it shows in the browser after it has been encrypted. I just do not want that variable in id= to be seen by everyone in the browser. Is this done with .htaccess? I saw your link but this is something I am completely unfamiliar with. I do not program either, just know the php/htaccess basics pretty much.

jdMorgan

1:55 am on Apr 9, 2009 (gmt 0)

> Is this done with .htaccess?

No, it is done in the script that generates the page (and therefore, creates the links that appear on that page) -- for example, PHP on the server or JavaScript on the client-side.

.htaccess is invoked when a request for a URL arrives at your server. By this time, the clicked-link URL has already been displayed in the browser, and it's too late for anything on the server side to affect what is displayed.

Jim