Jawahar Rajan 07-15-2003 08:35 AM

Encrypt the query string value in location bar / Status bar display
 
All,
1) When using the QueryString of the request object the actual values are
exposed to the viewer of the site and often users pick up on these values and
start changing them. This can lead users to see data that they are not
supposed to or even data that may be erroneous.
Is there an easy way to encrypt the querystring values that get displayed on
the location bar, other than not using querystring?

2) Can I use JavaScript to disable the status bar, at the bottom of the
page to not expose the URLs of various links on a page? (I know this is
probably a JavaScript question.)

Any help or suggestions are always welcome.

Jawahar




Evertjan. 07-15-2003 09:31 AM

Re: Encrypt the query string value in location bar / Status bar display
 
Hi, Jawahar,

Jawahar Rajan wrote on 15 jul 2003 in
microsoft.public.inetserver.asp.general:
> 1) When using the QueryString of the request object the actual values
> are exposed to the viewer of the site and often user pickup on these
> values and start changing them . This can lead user to see data that
> they are not supposed to or even data that may be erroneous.
> Is there an easy way to encrypt the querystring values that get
> displayed on the location bar / other than not using querystring.


use form/post, and catch that with

<% r=request.form("myInputValue") %>

> 2) Can I use java script to disable the status bar, at the bottom
> of the page to not expose the URL's of various links on a page?


No, this is only settable by the user, as it should be.
It is not the right of the web programmer to interfere with the rights
of the user.

> (I know this is probably a JavaScript question.)


It does not matter if it is a js or vbs question, as ASP can support
both.

It is a clientside, and not a serverside question.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Evertjan. 07-15-2003 11:26 AM

Re: Encrypt the query string value in location bar / Status bar display
 
VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
>> use form/post, and catch that with
>>
>> <% r=request.form("myInputValue") %>
>>

> So would that make the whole process secure ??


Not at all. Who was talking about secure?
Why would you want to make things secure from the user?

I just answered the question how not to see the querystring in the
address bar.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Evertjan. 07-15-2003 11:50 AM

Re: Encrypt the query string value in location bar / Status bar display
 
VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:

> Evertjan. wrote:
>> VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
>>>> use form/post, and catch that with
>>>>
>>>> <% r=request.form("myInputValue") %>
>>>>
>>> So would that make the whole process secure ??

>>
>> Not at all. Who was talking about secure?
>> Why would you want to make things secure from the user.
>>
>> I just answered the question how not to see the querystring in the
>> adressbar.

>
> The OP question was
> "Is there an easy way to encrypt the querystring values that get
> displayed on
> the location bar / other than not using querystring."
> And You suggested using "request.form" and so i had to question how
> it was secure.


Sure, but how would you encrypt something by not using it?

I tried to explain this was not possible, implicitly thinking that we
were talking <a href="/file.asp?qwert=7">, but security did not come
into it.

btw:

Perhaps the answer should have been:

1
"By submitting a form method=query the querystring is not seen on the
status bar."

or

2
"By using <span onclick="/file.asp?qwerty=7"> the querystring is not seen
on the status bar."

or

3
"the value on the querystring can easily be encrypted and serverside
decrypted with rot13"

VBS Rot13 function:

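Function ROT13(szInput)
    Dim coding, i, character, position, txt
    ' Alphabet plus its first 13 letters, so position + 13 never runs past the end
    coding = "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLM"
    coding = coding & LCase(coding)

    For i = 1 To Len(szInput)
        character = Mid(szInput, i, 1)
        position = InStr(coding, character)
        ' Letters are shifted 13 places; anything else passes through unchanged
        If position > 0 Then character = Mid(coding, position + 13, 1)
        txt = txt & character
    Next
    ROT13 = txt
End Function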




--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

VK 07-15-2003 02:18 PM

Re: Encrypt the query string value in location bar / Status bar display
 
Evertjan. wrote:
> VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
>
>> Evertjan. wrote:
>>> VK wrote on 15 jul 2003 in microsoft.public.inetserver.asp.general:
>>>>> use form/post, and catch that with
>>>>>
>>>>> <% r=request.form("myInputValue") %>
>>>>>
>>>> So would that make the whole process secure ??
>>>
>>> Not at all. Who was talking about secure?
>>> Why would you want to make things secure from the user.
>>>
>>> I just answered the question how not to see the querystring in the
>>> adressbar.

>>
>> The OP question was
>> "Is there an easy way to encrypt the querystring values that get
>> displayed on
>> the location bar / other than not using querystring."
>> And You suggested using "request.form" and so i had to question how
>> it was secure.

>
> Sure, but how would you encrypt something by not using it?
>
> I tried to explain this was not possible, implicitly thinking that we
> were talking <a href="/file.asp?qwert=7">, but security did not come
> into it.
>
> btw:
>
> Perhaps the answer should have been:
>
> 1
> "By submitting a form method=query the querystring is not seen on the
> status bar."
>
> or
>
> 2
> "By using <span onclick="/file.asp?qwerty=7"> the querystring is not
> seen on the status bar."
>
> or
>
> 3
> "the value on the querystring can easily be encrypted and serverside
> decripted with rot13"
>
> VBS Rot13 function:
>
> Function ROT13(szInput)
> coding = "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLM"
> coding = coding & lcase(coding)
>
> For i = 1 To Len(szInput)
> character = Mid(szInput, i, 1)
> position = InStr(coding, character)
> If position > 0 Then character = Mid(coding, position + 13, 1)
> txt = txt & character
> Next
> ROT13 = txt
> End Function


I disagree with all three answers. Imagine yourself in the OP's
position. He obviously knows Request variables can be tampered with to look at
data which isn't supposed to be displayed. Someone has suggested encrypting
the querystring (which is one of the best ways of securing the data). You
are advising him to use a publicly available algorithm which can be hacked
by any kid. Also your advice of using request.form is misleading him into
thinking it's secure. It might hide the variable from displaying on the URL
bar but IT'S NOT SECURE and so should not be used as an alternative.



MN 07-17-2003 02:02 PM

Re: Encrypt the query string value in location bar / Status bar display
 
"Jawahar Rajan" <jrajan@nc.rr.com> wrote in message news:<o1PQa.233573$nr.9503420@twister.southeast.rr.com>...
> All,
> 1) When using the QueryString of the request object the actual values are
> exposed to the viewer of the site and often user pickup on these values and
> start changing them . This can lead user to see data that they are not
> supposed to or even data that may be erroneous.
> Is there an easy way to encrypt the querystring values that get displayed on
> the location bar / other than not using querystring.


I try not to pass any variables through the querystring where possible
because people will mess with them. When I must I also pass a
checksum, this way I can tell if anyone has been tampering.

I use this code
http://www.planet-source-code.com/vb...txtCodeId=7219
so when I create the QS in ASP It goes...
<a href="something.asp?somekey=<%=myKey%>&somekeyCRC=<%=CalculateCRC(myKey)%>">

When I get to the target page I check the value against the CRC like
so
If (CalculateCRC(Request.QueryString("somekey")) <> Request.QueryString("somekeyCRC")) Then
    Response.Redirect("naughtynaughty.asp")
End If

> 2) Can I use java script to disable the status bar, at the bottom of the
> page to not expose the URL's of various links on a page? (I know this is
> probably a JavaScript question.)


Yes you can. Add this code into your <a> tag
onMouseOver="(window.status='whatever you like');return true;"
onMouseOut="(window.status='');return true;"

> Any help or suggestions are always welcome.


Never eat yellow snow!
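
An added example (not from the thread or any poster's code), in Python rather than ASP: a CRC over the value takes no secret, so a matching check value can be computed by anyone who sees the link, whereas an HMAC keyed with a server-side secret cannot. SECRET_KEY, the sig parameter and the function names are assumptions; the target page still has to check that the logged-in user may see the requested record.

```python
# Added example, not code from the thread: unkeyed checksum vs keyed MAC.
import hashlib
import hmac
import zlib
from urllib.parse import parse_qs, urlencode

# Assumption: a server-side secret that never appears in any page or link.
SECRET_KEY = b"constructed-demo-key"


def _crc(value: str) -> str:
    return f"{zlib.crc32(value.encode()) & 0xFFFFFFFF:08x}"


def crc_link(value: str) -> str:
    """Query string in the somekey/somekeyCRC style: no secret involved."""
    return urlencode({"somekey": value, "somekeyCRC": _crc(value)})


def crc_check(query: str) -> bool:
    q = parse_qs(query)
    return q.get("somekeyCRC", [""])[0] == _crc(q.get("somekey", [""])[0])


def _mac(value: str, user: str) -> bytes:
    # Length-prefix the user so ("ab", "c") and ("a", "bc") cannot collide,
    # and bind the tag to the session user so links are not transferable.
    msg = f"{len(user)}:{user}:{value}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest().encode()


def signed_link(value: str, user: str) -> str:
    return urlencode({"somekey": value, "sig": _mac(value, user).decode()})


def signed_check(query: str, user: str) -> bool:
    q = parse_qs(query)
    value = q.get("somekey", [""])[0]
    sig = q.get("sig", [""])[0].encode()
    # Constant-time comparison; reject before the value is ever used.
    return hmac.compare_digest(sig, _mac(value, user))


if __name__ == "__main__":
    print(crc_check(crc_link("8")))     # True: a CRC proves nothing about origin
    link = signed_link("7", "alice")
    print(signed_check(link, "alice"))  # True
    print(signed_check(link.replace("somekey=7", "somekey=8"), "alice"))  # False
```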

