Query string encryption

I've been looking for a solution for this and have seen some approaches
but none that seem appropriate for what I'm trying to do. This is what
I need...

I'm trying to encrypt query strings.
For Example...
I want this...
http://whatever.com/?clientID=5
to be something like this...
http://whatever.com/?[encrypted string]

I've seen the 4guysfromrolla's version. It's fine "but" I don't know
if it would be practical in this case. I would need to encrypt many
urls on a single page and every link on a displayed page would be
pulled from a database. The "rolla" version I came across requires
that a text file be created and key written for each encoded string
every time the page is called. This doesn't seem that practical to me
because I would be writing files and keys dozens of times every time the
page is called.

I've also seen aspEncrypt but they want 250 bucks and I was hoping to
avoid this. I also see that .Net has a method for this but I'm only
working with classic at this point.

Is there another method out there?

Thanks!

Feb 17 '06 #1
the other john wrote:
> I've been looking for a solution for this and have seen
> some approaches but none that seem appropriate for what
> I'm trying to do.
> This is what I need...
>
> I'm trying to encrypt query strings.


Why bother?

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Feb 17 '06 #2
Ok, why reply if you don't have anything to add? Not trying to be rude
but this doesn't help much.

Feb 17 '06 #3
the other john wrote:
> Ok, why reply if you don't have anything to add? Not
> trying to be rude but this doesn't help much.


I have plenty to add. But there are few contexts in which it makes sense to
"encrypt" the querystring. Thus the question.

If you explain what your objective is, perhaps someone can suggest an
alternative approach to achieving it.

--
Dave Anderson

Feb 17 '06 #4
This application is a content manager for web development. It manages
clients, developers, and administrators. Each have their own level of
access. The problem comes in when querying the database. A developer
or client could change the ID's in the querystrings to view projects
not assigned to them. I've always used querystrings to pass the unique
values to retrieve the appropriate data. I want to encrypt the query
strings to avoid this problem.

Feb 17 '06 #5
the other john wrote:
> This application is a content manager for web development. It manages
> clients, developers, and administrators. Each have their own level of
> access. The problem comes in when querying the database. A developer
> or client could change the ID's in the querystrings to view projects
> not assigned to them. I've always used querystrings to pass the
> unique values to retrieve the appropriate data. I want to encrypt
> the query strings to avoid this problem.


OK. I think I understand. You want to obfuscate the record keys in lieu of
authentication and privilege checking. This is possible, but it is important
that you realize that obfuscation is not security.

If you are identifying each user, you might want to actually design your
application so it verifies user privileges with every round-trip. I do this
with MOST applications.

But I realize this is not always possible. Some of our apps allow anonymous
submissions (and tracking by the originator). For these, we need what you
are seeking -- obfuscated keys. And for many of these, we use GUIDs.

Now, you don't mention your database variety, but if it's SQL Server, you
might want to give consideration to GUIDs (SQL Server type:
UNIQUEIDENTIFIER). I find it straightforward to add them to existing tables,
and they are fairly tough to guess outright.

Say, for example, your project table has an identity column [ID], upon which
you JOIN other tables:

SELECT P.*, H.*
FROM Project P
JOIN History H ON (H.ProjectID = P.ID)
WHERE P.ID = 12345

Adding a GUID would barely change this query:

SELECT P.*, H.*
FROM Project P
JOIN History H ON (H.ProjectID = P.ID)
WHERE P.GUID = 'A4C187AD-92AC-478F-9AED-9B74AEB5CB60'

Notice that the GUID need only be part of the root (project) node. ID
becomes a "private property" of the project -- no user ever needs to know
it, but as an INT, it is far better suited for being part of a primary key
than a GUID is. More importantly, your existing relationships are not
changed by adding the GUID.

If this approach interests you, I can expand a little on the topic.

--
Dave Anderson

Feb 17 '06 #6
This is much more helpful, thank you. Unfortunately, this is for
Access. I worked with SQL Server before but I don't know what a GUID
is (although I am interested for future reference). I had thought of
figuring out a way to verify the user each time but this project is
falling behind and its complexity growing and the query string
encryption was supposed to lighten this load, ugh.

Is there a way to do this with access in a similar way?

Thanks again.

Feb 18 '06 #7
I should have asked earlier...what other way would you suggest other
than using querystring encryption? Form collection doesn't seem
practical and I wouldn't know how to implement it in this case either.

Thanks again.

Feb 20 '06 #8
the other john wrote:
> I should have asked earlier...what other way would you suggest
> other than using querystring encryption? Form collection doesn't
> seem practical and I wouldn't know how to implement it in this
> case either.


Please note that "querystring encryption" is a false term. If the
"encryption" has to be done on the client, then it's not encryption (unless
you want to write your own key exchange implementation). You are looking for
obfuscation.

I suggested GUIDs because they are easy to implement and tough to guess.
They may still be an option for you:
http://www.aspfaq.com/show.asp?id=2108

Presumably you could then store them as text.

Another option is to generate "random" keys when you create the records.
These can be numeric or alphabetic, but I suggest you avoid integers. I say
"random" with quotes because (1) truly random generators are only
theoretically possible, and more importantly, (2) you will have to test for
uniqueness, which automatically voids the randomness of the generator.

I'm sure there are other techniques, but you seem to be looking for a quick
fix.

--
Dave Anderson

Feb 20 '06 #9
Another approach would be to let the user change the value but implement
access checking when reading the record. If he is not allowed he shouldn't
be able to access this record.

With the encryption approach, one could send a shortcut to someone else and
this other person could be able to gain access to the protected record. IMO
it's best to implement first security at the record read level....

--
Patrice

"the other john" <ki*****@yahoo.com> wrote in message
news:11**********************@g44g2000cwa.googlegroups.com...
> This application is a content manager for web development. It manages
> clients, developers, and administrators. Each have their own level of
> access. The problem comes in when querying the database. A developer
> or client could change the ID's in the querystrings to view projects
> not assigned to them. I've always used querystrings to pass the unique
> values to retrieve the appropriate data. I want to encrypt the query
> strings to avoid this problem.

Feb 20 '06 #10
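
The two suggestions in this thread (a GUID as the public record key, and an access check when the record is read) compared side by side, as an added example that is not code from any poster. It uses Python with an in-memory SQLite database as a stand-in for ASP with Access or SQL Server; the Assignment table, the user IDs and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
import uuid

def build_db():
    """Constructed sample data: two users, one project assigned to each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Project (ID INTEGER PRIMARY KEY, GUID TEXT UNIQUE NOT NULL, Name TEXT);
        CREATE TABLE Assignment (ProjectID INTEGER, UserID INTEGER,
                                 PRIMARY KEY (ProjectID, UserID));
    """)
    guids = {}
    for pid, name, user in [(1, "Site A", 10), (2, "Site B", 20)]:
        guids[pid] = str(uuid.uuid4())  # random public key; ID stays internal
        db.execute("INSERT INTO Project VALUES (?, ?, ?)", (pid, guids[pid], name))
        db.execute("INSERT INTO Assignment VALUES (?, ?)", (pid, user))
    return db, guids

def fetch_by_id(db, project_id):
    """Original design: whatever ID arrives in the query string is served."""
    return db.execute("SELECT Name FROM Project WHERE ID = ?",
                      (project_id,)).fetchone()

def fetch_by_guid(db, guid):
    """GUID only: hard to guess, but anyone holding the link gets the record."""
    return db.execute("SELECT Name FROM Project WHERE GUID = ?",
                      (guid,)).fetchone()

def fetch_checked(db, guid, session_user_id):
    """Access check at read time: the row comes back only if the logged-in
    user (taken from the server-side session, never the URL) is assigned."""
    return db.execute(
        """SELECT P.Name FROM Project P
           JOIN Assignment A ON (A.ProjectID = P.ID)
           WHERE P.GUID = ? AND A.UserID = ?""",
        (guid, session_user_id)).fetchone()

if __name__ == "__main__":
    db, guids = build_db()
    print(fetch_by_id(db, 2))               # user 10 changes the ID: row served
    print(fetch_by_guid(db, guids[2]))      # forwarded link: row served
    print(fetch_checked(db, guids[2], 10))  # None: user 10 is not assigned
    print(fetch_checked(db, guids[2], 20))  # row: user 20 is assigned
```

The same WHERE clause works with the integer ID in place of the GUID; the ownership join is what stops a changed or forwarded link, not the shape of the key.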
