March 27, 2007
Question

URL record ID encryption

To protect my database from hacking I'd like to encrypt the ID information displayed in my URL. For example, currently the URL displays

http://www.abc.com/results_details.php?result_ID=2

or something similar depending on the ID number of the record. But wouldn't it be more secure to take each of those ID numbers and run them through an encryption scheme (md5, salt) and store them with the record? Then, when I pull the records for a recordlist I can pull the encrypted identifier. The MORE INFO link will go to the same record as before, but the URL will show . . . . .php?359tifna[0sfh[w0frhas0fj (or whatever the hash has generated)

can anyone give me tips on the easiest way to do this?

thanks in advance for all help.

mike
This topic has been closed for replies.

6 replies

March 29, 2007
"hconnorjr" <webforumsuser@macromedia.com> wrote in message
news:euf92o$hl6$1@forums.macromedia.com...
> thanks for the responses. part of the issue is that i do not want the
> viewer to have to log in. i want this to be a general, open site, which is
> why i'm thrashing about for solutions. one question about the POST
> command . . .

Then what's the point? So what if a user changes the record ID? It's not
"hacking" just because they didn't do a search first.


hconnorjr (Author)
March 29, 2007
thanks for the responses. part of the issue is that i do not want the viewer to have to log in. i want this to be a general, open site, which is why i'm thrashing about for solutions. one question about the POST command . . .

i have a fairly conventional search arrangement. user uses up to three parameters to select records which are posted to the results list page. but to drill down to the individual record, i use a more_info link after each record summary in the list . . . which passes the record_ID via a URL, which is of course obvious. is there a way to select the individual record from the list using a POST?

also, any other ideas about encoding record_ID?

thanks.
March 28, 2007
This really depends on how you're deciding who gets to see what. I assume
this means that you've got a logged-in user with an active session. In that
case, the best thing you can do is to not assume that a record may be
retrieved just because it's requested. Whatever you do to filter the list
of available choices, perform the SAME check when retrieving the record. If
the check fails, shoot a little e-mail to yourself along with the logged-in
user's account ID so you know who's trying to do a little unauthorized
snooping.



"hconnorjr" <webforumsuser@macromedia.com> wrote in message
news:euc7i5$hv4$1@forums.macromedia.com...
> To protect my database from hacking I'd like to encrypt the ID information
> displayed in my URL. For example, currently the URL displays
>
> http://www.abc.com/results_details.php?result_ID=2
>
> or something similar depending on the ID number of the record. But wouldn't
> it be more secure to take each of those ID numbers and run them through an
> encryption scheme (md5, salt) and store them with the record? Then, when I
> pull the records for a recordlist I can pull the encrypted identifier. The
> MORE INFO link will go to the same record as before, but the URL will show
> . . . . .php?359tifna[0sfh[w0frhas0fj (or whatever the hash has generated)
>
> can anyone give me tips on the easiest way to do this?
>
> thanks in advance for all help.
>
> mike
>
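
The advice in the reply above (run the same check when retrieving a record as when building the list), as an added example that is not part of the original reply or the poster's site. The table layout, the `owner_id` column, the function names and the sample rows are assumptions, and `error_log` stands in for the notification e-mail.

```php
<?php
declare(strict_types=1);

// Constructed in-memory data for the example (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE results (result_ID INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');
$db->exec("INSERT INTO results VALUES (1, 10, 'alpha'), (2, 10, 'beta'), (3, 20, 'gamma')");

// One visibility predicate, shared by the list page and the detail page.
const VISIBLE_TO_USER = 'owner_id = :uid';

function listResults(PDO $db, int $uid): array
{
    $st = $db->prepare('SELECT result_ID, title FROM results WHERE ' . VISIBLE_TO_USER);
    $st->execute([':uid' => $uid]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

function fetchResult(PDO $db, int $uid, $rawId): ?array
{
    // Accept only a positive integer; anything else never reaches the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Same predicate as listResults(), plus the requested ID, as bound parameters.
    $st = $db->prepare(
        'SELECT result_ID, title FROM results WHERE result_ID = :id AND ' . VISIBLE_TO_USER
    );
    $st->execute([':id' => $id, ':uid' => $uid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // The record is missing or not visible to this user: record who asked.
        error_log(sprintf('denied: user=%d requested result_ID=%d', $uid, $id));
        return null;
    }
    return $row;
}

// User 10 sees their own records in the list and can open one of them.
var_dump(listResults($db, 10));
var_dump(fetchResult($db, 10, '2'));
// Record 3 belongs to user 20, so editing the URL to result_ID=3 is refused.
var_dump(fetchResult($db, 10, '3'));
// A non-numeric value is rejected by validation.
var_dump(fetchResult($db, 10, '2 OR 1=1'));
```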


Günter_Schenk
March 28, 2007
well, at least the parameters transferred by POST get sent to the body of the following page instead of being disclosed in the URL, and this alone makes it notably more secure than using the GET method.
hconnorjr (Author)
March 28, 2007
thanks for the reply. i thought about this, but my understanding is that using POST is fairly weak protection. Also, for some reason I've had trouble passing parameters using POST.

mike
March 28, 2007
hconnorjr wrote:

> To protect my database from hacking I'd like to encrypt the ID information
> displayed in my URL. For example, currently the URL displays
>
> http://www.abc.com/results_details.php?result_ID=2

Why not use "post" method of the form?
Mick

>
> or something similar depending on the ID number of the record. But wouldn't
> it be more secure to take each of those ID numbers and run them through an
> encryption scheme (md5, salt) and store them with the record? Then, when I pull
> the records for a recordlist I can pull the encrypted identifier. The MORE INFO
> link will go to the same record as before, but the URL will show . . . .
> .php?359tifna[0sfh[w0frhas0fj (or whatever the hash has generated)
>
> can anyone give me tips on the easiest way to do this?
>
> thanks in advance for all help.
>
> mike
>