[FX.php List] Obscuring the recid on URL links

Kevin Futter kfutter at sbc.melb.catholic.edu.au
Sun Aug 27 17:50:14 MDT 2006


On 26/8/06 2:40 AM, "Jonathan Schwartz" <jonathan at eschwartz.com> wrote:

> I feel that I should know this by now, but still have a question on
> how to create links that do not reveal recids in URL links.
> 
> I understand how to use hidden input fields to hide recids on forms.
> No problem there.
> 
> However, on links that use URLs (list.php?recid=12345), what methods
> are used to not reveal the recid?
> 
> I did try a method where I use a 20 character randomly generated ID
> instead of the recid, and it works fine.  The 20 character ID still
> appears in the URL, but with 20 characters, it represents a security
> risk...I think.
> 
> Am I missing some basic concept or technique in this area?
> 
> Thanks
> 
> Jonathan

One of the main ways this is done is through mod_rewrite on Apache, but it
doesn't really work for search forms (only fixed data retrieval where the
database call URI is made to resemble a static URL).

I guess if you had some sort of fixed and reliable pattern to your recid
parameters, you could encode them in the page and decode them in your
parsing code (eg, increment each character by 1 in the page, and adjust
accordingly when making the db call). But unless you use a reasonably
sophisticated technique (not like my example!), you'll find that people will
still be able to access random records. It's an inherent attribute of the
GET protocol.

-- 
Kevin Futter
Webmaster, St. Bernard's College
http://www.sbc.melb.catholic.edu.au/
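Kevin's closing point, that an encoding anyone can reverse still leaves every record reachable, is easiest to see next to a keyed token that the server alone can mint. The Python below is an added example, not code from this list or from FX.php; SERVER_KEY, the function names and the sample recid are constructed for the demonstration.

```python
import hashlib
import hmac

# The reply's illustrative scheme: shift each character of the recid up by
# one. This is an encoding, not a secret. Anyone can shift the digits back
# and then walk neighbouring values, so every record remains reachable.
def shift_encode(recid: int) -> str:
    return "".join(chr(ord(c) + 1) for c in str(recid))

def shift_decode(token: str) -> int:
    return int("".join(chr(ord(c) - 1) for c in token))

# Keyed alternative: the link still carries the recid, but together with an
# HMAC tag computed under a key that never leaves the server. A visitor who
# edits the recid cannot produce a matching tag, so the server refuses the
# lookup instead of fetching whichever record the guessed number names.
SERVER_KEY = b"constructed-demo-key-keep-the-real-one-in-server-config"

def sign_recid(recid: int, key: bytes = SERVER_KEY) -> str:
    """Build the value placed in the URL: '<recid>.<tag>'."""
    tag = hmac.new(key, str(recid).encode(), hashlib.sha256).hexdigest()[:32]
    return f"{recid}.{tag}"

def verify_recid(token: str, key: bytes = SERVER_KEY):
    """Return the recid if the tag is genuine, otherwise None."""
    recid_str, sep, tag = token.partition(".")
    if not sep or not recid_str.isdigit():
        return None
    expected = hmac.new(key, recid_str.encode(), hashlib.sha256).hexdigest()[:32]
    # constant-time comparison so the tag cannot be recovered byte by byte
    if not hmac.compare_digest(tag, expected):
        return None
    return int(recid_str)

if __name__ == "__main__":
    print(shift_encode(12345))             # 23456
    print(shift_decode("23457"))           # 12346, the next record over
    link = sign_recid(12345)
    print(verify_recid(link))              # 12345
    forged = "12346." + link.split(".")[1]  # recid edited, tag left as-is
    print(verify_recid(forged))            # None
```

The tag stops random record access but does not hide the recid, and the token is still part of a GET URL, so it lands in logs and Referer headers; a per-user authorisation check on the server remains the actual control.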


