1

I am working on a web application in which I want to make some security constraints and want to know the alternative way to send the data or id from URL in a secure way. For example:

```php
<?php
$id = $row['id'];
$name = $row['name'];
?>
<a href="projects.php?project_id=<?php echo $id; ?>&name=<?php echo $name; ?>">
```

So is there any alternate way to send these two attributes in a secure way to project.php? I just want the id & name not to be visible in the URL. Please guide me; I know this is a very basic feature of PHP and I just want to find an alternate or secure solution. I know I am sending the data using GET, but is there any alternate way to send data to project.php without using tag?

I tried this after all the comments & answers, so the answer is:

```php
<?php
$id="1";
$name="Harshal";
?>
<a href="projects.php?id=<?php echo base64_encode($id) ?>&name=<?php echo base64_encode($name) ?>">Send</a>
```

and on projects.php

```php
<?php
echo $idd=base64_decode($_GET['id']);
echo $namme=base64_decode($_GET['name']);
?>
```

It works...!!

Harshal
  • you are using GET method at the moment, but you could switch to a form and use POST. it will at least not be visible in the url. but it won't be entirely secure..... how secure does it need to be? –  Sep 06 '12 at 08:19
  • You should look into using a form with the method `POST`. – h2ooooooo Sep 06 '12 at 08:20
  • @above 2, I know I am sending the data using GET, but is there any alternate way to send data to project.php without using tag? – Harshal Sep 06 '12 at 08:21
  • You could look into AJAX in JavaScript. This would send it asynchronously, so the page wouldn't reload, but is probably not what you want. – h2ooooooo Sep 06 '12 at 08:22
  • You can encrypt data using some encrypt/decrypt, i.e see http://stackoverflow.com/questions/1289061/best-way-to-use-php-to-encrypt-and-decrypt – jasir Sep 06 '12 at 08:23
  • I should add that a *secure solution* would never work with this. The user can always manipulate data no matter how you receive it (encrypted/decrypted/POST/GET/AJAX/etc.). – h2ooooooo Sep 06 '12 at 08:24
  • As has already been said, better POST your form to the server and consider protecting the form from [CSRF attacks](http://codeutopia.net/blog/2008/10/16/how-to-csrf-protect-all-your-forms/) – pankar Sep 06 '12 at 08:25
  • Damn for some reason I can't post an answer, see http://jsfiddle.net/WsLXD/5/ – Pez Cuckow Sep 06 '12 at 08:28
  • Try this solution from [PHP Manual](http://www.php.net/manual/en/function.base64-encode.php#82200) – Greg Motyl Sep 06 '12 at 08:30
  • Please see my updated question, am I doing it right? – Harshal Sep 06 '12 at 08:42

5 Answers

2

Using post variables. If you're trying to send this from HTML, your only recourse is changing this:

```php
<a href="projects.php?project_id=<?php echo $id; ?>&name=<?php echo $name; ?>">
```

To this:

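```php
<form action="projects.php" method="post">
    <!-- Escape the values so they cannot break out of the attribute -->
    <input type="hidden" name="project_id" value="<?= htmlspecialchars($id, ENT_QUOTES, 'UTF-8') ?>"/>
    <input type="hidden" name="name" value="<?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?>"/>
    <input type="submit" value="Send name"/>
</form>
```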

If you want to make the connection actually secure, your best option is using HTTPS.

Anirudh Ramanathan
Sommer
  • Suppose there is a link, then how can I send data to the file to which the link is redirecting? – Harshal Sep 06 '12 at 08:26
2

On the encryption note, keep in mind that hashes are one-way. You cannot "encrypt" a name using a hash algorithm and have it readable at the end of the line. However, if you want to work with encrypted data transmitted over HTTP this way, you can use for example mcrypt. Then faced with the problem of outputting the resulting binary data in a browser-safe way, you should rely on Base64 encoding.

For example:

```php
$crypttext = mcrypt_encrypt(
    MCRYPT_RIJNDAEL_256,
    'passkeyhere',
    'My name',
    MCRYPT_MODE_ECB,
    mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)
);
echo base64_encode($crypttext);
```

Outputs:

rLXuVMlI9DWgF96peQ5IREexDk4XBwCn+34SEuy5eH4=
Sommer
1

Anything sent in a URL is by default pretty much there for anyone and everyone to see, use and abuse.

Having said that, sometimes you simply have to send it that way. You can't make the data in the URL secure, but you can make your code treat it in a secure manner.

For example, if you pass data via the URL and simply display data, anyone can change the URL bits and see information that they aren't supposed to. If you however send data via the URL and your code then performs a check to see if the user is able to see it, that suddenly becomes much more secure.

Another quick method is to provide a link that copies the data into a session and redirects the user to a fresh page - showing them the content they wanted based on the information in their session - and again verifying that they are indeed allowed to see it.

Keep in mind that URLs can be edited by anyone in the space of seconds. Post data really isn't too much different - though it might take a little more effort to fudge. To secure it, you need to make sure that the code you have is able to treat it in a secure manner.

Edit:

You should change your code to this:

```php
<?php
$id="1";
$name="Harshal";
?>
<a href="projects.php?id=<?php echo base64_encode($id); ?>&name=<?php echo base64_encode($name); ?>">Send</a>
```
Fluffeh
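
The server-side check this answer describes, as an added example that is not part of the original post: the id from the URL is validated, then checked against the logged-in user from the session, so editing or Base64-encoding the parameter does not change what the user may see. The `show_project` helper, the `PROJECTS` array and the user ids are hypothetical and constructed for illustration; the arrays passed in stand in for `$_GET` and `$_SESSION`.

```php
<?php
// Added example. Constructed sample data: project id => owner and name.
const PROJECTS = [
    1 => ['owner' => 10, 'name' => 'Harshal'],
    2 => ['owner' => 20, 'name' => 'Other <project>'],
];

// Hypothetical helper: $query stands in for $_GET, $session for $_SESSION.
// Returns [HTTP status, response body].
function show_project(array $query, array $session): array
{
    // 1. The user id comes from the server-side session, never from the URL.
    if (!isset($session['user_id'])) {
        return [401, 'Login required'];
    }

    // 2. Strict validation: a positive integer and nothing else.
    $id = filter_var($query['project_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Bad project id'];
    }

    // 3. Authorization: the same 404 for "does not exist" and "not yours",
    //    so the response does not reveal which ids are in use.
    $project = PROJECTS[$id] ?? null;
    if ($project === null || $project['owner'] !== $session['user_id']) {
        return [404, 'Project not found'];
    }

    // 4. The name is looked up server-side (it need not travel in the URL)
    //    and is escaped on output.
    return [200, htmlspecialchars($project['name'], ENT_QUOTES, 'UTF-8')];
}

// Constructed requests; user 10 is the logged-in user.
$session = ['user_id' => 10];
$requests = [
    'own project'       => ['project_id' => '1'],
    'id edited in URL'  => ['project_id' => '2'],
    'Base64 "Mg==" = 2' => ['project_id' => base64_decode('Mg==')],
    'malformed id'      => ['project_id' => '1 OR 1=1'],
    'no session'        => ['project_id' => '1'],
];
foreach ($requests as $label => $query) {
    $s = $label === 'no session' ? [] : $session;
    [$status, $body] = show_project($query, $s);
    printf("%-18s -> %d %s\n", $label, $status, $body);
}
```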
1

First of all - to make it harder for ordinary people to fake user IDs and such in the URL, either use POST method or use bCrypt to pass hashes along in the URL.

Second of all, you are best to use SSL - https:// in your URLs to prevent eavesdropping.

Community
Zathrus Writer
0

Methods of passing data between web pages (including PHP) are GET and POST. POST hides it but doesn't remove it from being viewed; it is still plain text in the request. If you force an https connection and use POST then the information is hidden in the post request and encrypted and decrypted for you using secret keys.

If you just want it done behind the scenes you can use AJAX to send and receive data without submitting a page.

ajon