Query string encryption

 
 
the other john
 
      02-17-2006
I've been looking for a solution for this and have seen some approaches
but none that seem appropriate for what I'm trying to do. This is what
I need...

I'm trying to encrypt query strings.
For Example...
I want this...
http://whatever.com/?clientID=5
to be something like this...
http://whatever.com/?[encrypted string]

I've seen the 4GuysFromRolla's version. It's fine "but" I don't know
if it would be practical in this case. I would need to encrypt many
URLs on a single page and every link on a displayed page would be
pulled from a database. The "rolla" version I came across requires
that a text file be created and a key written for each encoded string
every time the page is called. This doesn't seem that practical to me
because I would be writing files and keys dozens of times every time the
page is called.

I've also seen aspEncrypt but they want 250 bucks and I was hoping to
avoid this. I also see that .Net has a method for this but I'm only
working with classic at this point.

Is there another method out there?

Thanks!

 
Dave Anderson
 
      02-17-2006
the other john wrote:
> I've been looking for a solution for this and have seen
> some approaches but none that seem appropriate for what
> I'm trying to do.
> This is what I need...
>
> I'm trying to encrypt query strings.


Why bother?



--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.


 
the other john
 
      02-17-2006
Ok, why reply if you don't have anything to add? Not trying to be rude
but this doesn't help much.

 
Dave Anderson
 
      02-17-2006
the other john wrote:
> Ok, why reply if you don't have anything to add? Not
> trying to be rude but this doesn't help much.


I have plenty to add. But there are few contexts in which it makes sense to
"encrypt" the querystring. Thus the question.

If you explain what your objective is, perhaps someone can suggest an
alternative approach to achieving it.



--
Dave Anderson

the other john
 
      02-17-2006
This application is a content manager for web development. It manages
clients, developers, and administrators. Each has its own level of
access. The problem comes in when querying the database. A developer
or client could change the IDs in the querystrings to view projects
not assigned to them. I've always used querystrings to pass the unique
values to retrieve the appropriate data. I want to encrypt the query
strings to avoid this problem.

 
Dave Anderson
 
      02-17-2006
the other john wrote:
> This application is a content manager for web development. It manages
> clients, developers, and administrators. Each has its own level of
> access. The problem comes in when querying the database. A developer
> or client could change the IDs in the querystrings to view projects
> not assigned to them. I've always used querystrings to pass the
> unique values to retrieve the appropriate data. I want to encrypt
> the query strings to avoid this problem.


OK. I think I understand. You want to obfuscate the record keys in lieu of
authentication and privilege checking. This is possible, but it is important
that you realize that obfuscation is not security.

If you are identifying each user, you might want to actually design your
application so it verifies user privileges with every round-trip. I do this
with MOST applications.

But I realize this is not always possible. Some of our apps allow anonymous
submissions (and tracking by the originator). For these, we need what you
are seeking -- obfuscated keys. And for many of these, we use GUIDs.

Now, you don't mention your database variety, but if it's SQL Server, you
might want to give consideration to GUIDs (SQL Server type:
UNIQUEIDENTIFIER). I find it straightforward to add them to existing tables,
and they are fairly tough to guess outright.

Say, for example, your project table has an identity column [ID], upon which
you JOIN other tables:

SELECT P.*, H.*
FROM Project P
JOIN History H ON (H.ProjectID = P.ID)
WHERE P.ID = 12345

Adding a GUID would barely change this query:

SELECT P.*, H.*
FROM Project P
JOIN History H ON (H.ProjectID = P.ID)
WHERE P.GUID = 'A4C187AD-92AC-478F-9AED-9B74AEB5CB60'

Notice that the GUID need only be part of the root (project) node. ID
becomes a "private property" of the project -- no user ever needs to know
it, but as an INT, it is far better suited for being part of a primary key
than a GUID is. More importantly, your existing relationships are not
changed by adding the GUID.

If this approach interests you, I can expand a little on the topic.



--
Dave Anderson

the other john
 
      02-18-2006
This is much more helpful, thank you. Unfortunately, this is for
Access. I worked with SQL Server before but I don't know what a GUID
is (although I am interested for future reference). I had thought of
figuring out a way to verify the user each time but this project is
falling behind and its complexity is growing and the query string
encryption was supposed to lighten this load, ugh.

Is there a way to do this with Access in a similar way?

Thanks again.

 
the other john
 
      02-20-2006
I should have asked earlier...what other way would you suggest other
than using querystring encryption? Form collection doesn't seem
practical and I wouldn't know how to implement it in this case either.

Thanks again.

 
Dave Anderson
 
      02-20-2006
the other john wrote:
> I should have asked earlier...what other way would you suggest
> other than using querystring encryption? Form collection doesn't
> seem practical and I wouldn't know how to implement it in this
> case either.


Please note that "querystring encryption" is a false term. If the
"encryption" has to be done on the client, then it's not encryption (unless
you want to write your own key exchange implementation). You are looking for
obfuscation.

I suggested GUIDs because they are easy to implement and tough to guess.
They may still be an option for you:
http://www.aspfaq.com/show.asp?id=2108

Presumably you could then store them as text.

Another option is to generate "random" keys when you create the records.
These can be numeric or alphabetic, but I suggest you avoid integers. I say
"random" with quotes because (1) truly random generators are only
theoretically possible, and more importantly, (2) you will have to test for
uniqueness, which automatically voids the randomness of the generator.

I'm sure there are other techniques, but you seem to be looking for a quick
fix.



--
Dave Anderson

Patrice
 
      02-20-2006
Another approach would be to let the user change the value but implement
access checking when reading the record. If he is not allowed he shouldn't
be able to access this record.

With the encryption approach, one could send a shortcut to someone else and
this other person could be able to gain access to the protected record. IMO
it's best to implement first security at the record read level....

--
Patrice

"the other john" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> This application is a content manager for web development. It manages
> clients, developers, and administrators. Each has its own level of
> access. The problem comes in when querying the database. A developer
> or client could change the IDs in the querystrings to view projects
> not assigned to them. I've always used querystrings to pass the unique
> values to retrieve the appropriate data. I want to encrypt the query
> strings to avoid this problem.
>
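
The two suggestions in this thread side by side, as an added example that is not any poster's code: a GUID key in the URL versus an access check at record-read level. Python's sqlite3 stands in for the Access/SQL Server back end; the ProjectAccess table, the Name, Note and UserName columns and the two users are hypothetical.

```python
import sqlite3
import uuid

# Constructed sample data. Project, History, ID and GUID follow the thread's
# queries; ProjectAccess, Name, Note, UserName and the users are hypothetical.
SCHEMA = """
CREATE TABLE Project (ID INTEGER PRIMARY KEY, GUID TEXT UNIQUE NOT NULL, Name TEXT);
CREATE TABLE History (ProjectID INTEGER REFERENCES Project(ID), Note TEXT);
CREATE TABLE ProjectAccess (ProjectID INTEGER REFERENCES Project(ID), UserName TEXT);
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    guids = {}
    for pid, name, user in [(1, "Site A", "alice"), (2, "Site B", "bob")]:
        guids[name] = str(uuid.uuid4())  # random GUID, stored as text
        db.execute("INSERT INTO Project VALUES (?, ?, ?)", (pid, guids[name], name))
        db.execute("INSERT INTO History VALUES (?, ?)", (pid, name + " kickoff"))
        db.execute("INSERT INTO ProjectAccess VALUES (?, ?)", (pid, user))
    return db, guids

BASE_QUERY = "SELECT H.Note FROM Project P JOIN History H ON H.ProjectID = P.ID "

def history_by_id(db, project_id):
    # Original design: changing ?ID=1 to ?ID=2 walks other users' projects.
    return db.execute(BASE_QUERY + "WHERE P.ID = ?", (project_id,)).fetchall()

def history_by_guid(db, guid):
    # GUID in the URL: hard to guess, but a forwarded link still opens the record.
    return db.execute(BASE_QUERY + "WHERE P.GUID = ?", (guid,)).fetchall()

def history_checked(db, guid, session_user):
    # Check at record-read level: rows come back only when the user taken from
    # the server-side session is assigned to the project.
    sql = (BASE_QUERY + "JOIN ProjectAccess A ON A.ProjectID = P.ID "
           "WHERE P.GUID = ? AND A.UserName = ?")
    return db.execute(sql, (guid, session_user)).fetchall()

if __name__ == "__main__":
    db, guids = build_db()
    print("bob edits the ID:   ", history_by_id(db, 1))
    print("bob, forwarded link:", history_by_guid(db, guids["Site A"]))
    print("bob, checked read:  ", history_checked(db, guids["Site A"], "bob"))
    print("alice, checked read:", history_checked(db, guids["Site A"], "alice"))
```

Only the last function keeps bob out of alice's project once he holds her link; the integer ID stays the join key throughout, as in the GUID query quoted earlier in the thread.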



 