URL Sensitive DATA $_GET

  • Angelos

    URL Sensitive DATA $_GET

    How can I get some data which until now are displayed in the URL and I
    retrieve them via $_GET,
    and I don't want them to be accessible to the user?

    Specifically, I am passing the path of a directory that I want to browse through
    the URL, because when the user clicks on a folder I am sending the new path
    to display...

    // Appends "&path=<current path + clicked entry>" to the current request URI
    print "<a href=\"".$_SERVER['REQUEST_URI']."&path=". $path . rawurlencode($file)."\">$file</a>";

    so it displays this in the URL (note: it isn't a real link):



  • JDS

    #2
    Re: URL Sensitive DATA $_GET

    On Fri, 01 Jul 2005 15:13:34 +0000, Angelos wrote:

    > How can I get some data which until now are displayed in the URL and I
    > retrieve them via $_GET
    > and I don't want them to be accessible to the user?

    The fact of the matter is that it is ultimately impossible to completely
    hide things from the user when it comes to HTTP transactions.

    It *is* possible to highly obfuscate things. But truly hiding is not
    achievable, given a very savvy and motivated user.

    No solution given here, just pointing out that there is no truly secure
    and reliable solution. There are some JavaScript-related obfuscation
    techniques. You can put stuff in a method="POST" form and the stuff won't be
    submitted via the URL (this will only work to hide data from total newbs
    (the "Aunt Bettys" of the world)). You could encode the URL and decode it
    on the server. Stuff like that.

    One possibility that might work but will be a lot of hassle is encoding
    data using keys on the server. Look at PHP's mcrypt() set of functions
    and use them to encrypt/decrypt the string you want to hide (inside the
    rawurlencode() function in your example).

    Not sure it will work, though...

    --
    JDS | jeffrey@example.invalid
    | http://www.newtnotes.com
    DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/


    • BKDotCom

      #3
      Re: URL Sensitive DATA $_GET

      You can pass an encrypted path...
      Regardless, you should validate that the passed path falls in the
      "browsable" root dir.
      Doing that, it shouldn't really matter if the user sees it or not.
      If the dir isn't supposed to be seen, don't show it!


      • Angelos

        #4
        Re: URL Sensitive DATA $_GET

        > Regardless, you should validate that the passed path falls in the
        > "browsable" root dir.
        > Doing that, it shouldn't really matter if the user sees it or not.
        > If the dir isn't supposed to be seen, don't show it!

        I think that is the most obvious way of doing it; I just didn't really figure
        out how to do it yet ....



        • Alvaro G Vicario

          #5
          Re: URL Sensitive DATA $_GET

          *** Angelos wrote (Fri, 1 Jul 2005 15:13:34 +0000 (UTC)):

          > https://www.mysite.com/BusinessThing...es&action=list
          > &path=/home/sites/site42/web/User_Files/images

          If your script is going to deliver any file on the disk that's requested by
          the user, no matter where it is, I don't think any obfuscation technique you
          use will be secure enough.

          If your script will only deliver files in directories inside
          /home/sites/site42/web/User_Files/ then you don't need to show such sensitive
          info to the user. You could simply pass a unique ID to tell the script it
          should fetch the file from the images subdirectory. The script should already
          know what its parent dir is, so it doesn't need to be told about it:



          There's nothing in such a URL you should care about. If you still want to
          hide it from the user, just base64_encode() it (for instance).

          --
          -- Álvaro G. Vicario - Burgos, Spain
          -- http://bits.demogracia.com - My site about web programming
          -- Don't e-mail me your questions, post them to the group
          --

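The approach BKDotCom (#3) and Alvaro (#5) describe, as an added example that is not code from the original thread: the URL carries only a path relative to a fixed browsable root, the script prepends the root it already knows, and realpath() is used to verify that the resolved directory really is inside that root before anything is listed. The root constant is taken from the URL quoted above and is an assumption; `resolve_browse_dir` and `browse_link` are names chosen for this example. Note that the original link-building code appended `&path=` to `$_SERVER['REQUEST_URI']`, which already contains the previous `path` parameter; the example rebuilds the query string instead.

```php
<?php
// Added example (not from the original thread). Assumes the browsable root
// below; the rest of the site layout is not known and is not needed here.
declare(strict_types=1);

const BROWSE_ROOT = '/home/sites/site42/web/User_Files';   // assumed root

/**
 * Resolve a user-supplied *relative* path against BROWSE_ROOT.
 * Returns the canonical absolute directory, or null when the path does not
 * exist, is not a directory, or resolves (via ../ or a symlink) outside the root.
 */
function resolve_browse_dir(string $relative): ?string
{
    $root = realpath(BROWSE_ROOT);
    if ($root === false) {
        return null;                        // root is missing: refuse everything
    }
    if (strpos($relative, "\0") !== false) {
        return null;                        // NUL byte would truncate the path
    }
    // realpath() collapses "." and "..", resolves symlinks and fails on
    // nonexistent paths, so the comparison below is against the real target.
    $candidate = realpath($root . '/' . ltrim($relative, '/'));
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Containment check: the root itself, or a descendant of it. The trailing
    // separator stops a sibling such as /User_Files_old from passing.
    if ($candidate !== $root
        && strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                        // e.g. ../../../etc, or a symlink out
    }
    return $candidate;
}

/** Link to a sub-folder; only the relative part is ever placed in the URL. */
function browse_link(string $relative, string $entry): string
{
    $next = ($relative === '' ? '' : rtrim($relative, '/') . '/') . $entry;
    return '<a href="?action=list&amp;path=' . rawurlencode($next) . '">'
         . htmlspecialchars($entry, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Request handling: nothing below runs before the path has been validated.
$relative = (string) ($_GET['path'] ?? '');
$dir = resolve_browse_dir($relative);
if ($dir === null) {
    http_response_code(404);                // same answer for "missing" and "forbidden"
    exit('No such folder');
}
foreach (scandir($dir) as $entry) {
    if ($entry === '.' || $entry === '..') {
        continue;
    }
    if (is_dir($dir . '/' . $entry)) {
        echo browse_link($relative, $entry), "<br>\n";
    } else {
        echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```

With this in place the `path` value can be seen, bookmarked or edited freely: `path=images` lists the images folder, `path=../../etc` resolves outside the root and gets a 404, and a symlink inside User_Files that points elsewhere is rejected because realpath() follows it before the containment check. Encrypting or base64-encoding the parameter can still be layered on top for tidiness, but it adds no security that the check does not already provide.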