开发者

Encoding URL $_GET variables

问答 作者:

I am passing $_GET[]; variables in a link but want to encrypt the values in the url. I would normally use sessions but since I am not using a form and just a url what are my options. I am sure there is someway to exploit this method so I am trying to make it as secure as possible.

Below is my code:

$cost = "152.00";
<a href="registration.php?class=Spanish&age=4-6&time=3pm&cost=<?echo $cost; ?>">

and registration.php looks like

<?
$class = $_GET[class];
$age = $_GET[age];
$time = $_GET[time];
$cost = $_GET[cost];
?>

If I could use something like md5 to encode the values and then decode them on registration.php that would be good or if 开发者_如何转开发there is a way to pass $_session variables using <a> that would be good.

Is the page you're linking to on the same site as the site you're making the link from?

If so, why not stick them in $_SESSION? This way, they're stored on the server, where the user can never think of manipulating them.

Another option is not actually encrypting the data, but signing it using an HMAC. If you're using a modern version of PHP, you can use hash_hmac. On the link creation side:

$validate = serialize(array( $class, $age, $time, $cost ));
$hmac = hash_hmac('sha1', $validate, 'secret key goes here');
$link = 'foo.php?...&validate=' . $hmac;

... and on the other side:

$validate = serialize(array( $_GET['class'], $_GET['age'], $_GET['time'], $_GET['cost'] ));
$hmac = hash_hmac('sha1', $validate, 'secret key goes here');
if($hmac != $_GET['validate']) {
    echo "No hacking!";
    exit;
}

You should actually use this technique for option #3, which is: use POST, i.e. a form. This will deter casual users from changing the data.

Option #4 is the best: storing all that sensitive data server-side to begin with, and referring to it by a unique identifier that the user sees. This keeps the data out of the user's hands to begin with, meaning you never need to worry about the user tampering with it.

You could consider creating a "hash key" that is made up of the variables you don't want manipulated:

(edited below to make a bit clearer)

In first page (e.g. class.php), generate the link as this:

$paramStr = "class=Spanish&age=4-6&time=3pm&cost=$cost";
$globalSecretKey = "Some secret key string that you don't reveal to the user";
$publicKey = md5($globalSecretKey . $paramStr);
$link = "registration.php?$paramStr&hash=$publicKey";

Then on registration.php, you make sure the hash matches the submitted variables:

$submittedParamStr = "class=" . $_GET['class'] . "&age=" . $_GET['age'] . "&time=" . $_GET['time'] . "&cost=" . $_GET['cost'];
$globalSecretKey = "Some secret key string that you don't reveal to the user";
$submittedDataKey = md5($globalSecretKey . $submittedParamStr);

// checking if submitted key matches submittedDataKey
if($_GET['hash'] != $submittedDataKey) die("Problem!");

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9