Hide or encode URL

Server.URLEncode(The_URL_to_encode)

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
Terri <Te***@spamaway.com> wrote in message
news:c2**********@reader2.nmix.net...

I want to send emails that would include a link to an asp page. The link
would look like

http://10.0.0.10/ContactDetails.asp?ID=18484

How can I prevent someone from simply typing in a different number in the
URL that would load a different page. I'd prefer not to have to use a
password. Code samples would be most helpful.

thanks

> http://10.0.0.10/ContactDetails.asp?ID=18484

How can I prevent someone from simply typing in a different number in the
URL that would load a different page. I'd prefer not to have to use a
password. Code samples would be most helpful.

By different number, I assume you mean the ID in the querystring. And, I'm
assuming once someone follows that link, they're redirected to another page?
If so, the only way I can think of to validate if it's the correct url is to
include some other identifier in the url also, and then match them up on the
destination page.

For example,

The url: http://10.0.0.10/ContactDetails.asp?ID=18484&PID=2

On ContactDetails.asp:

id = request.querystring("id")
page_id = request.querystring("pid")

response.redirect("SomeOtherPage.asp?pid=" & page_id)

On SomeOtherPage.asp:

page_id = 1

if cint(request.querysting("pid") <> page_id then
response.redirect ("default.asp")
end if
Or, something like that.

Randy

"Terri" <Te***@spamaway.com> wrote in message
news:c2**********@reader2.nmix.net...

I want to send emails that would include a link to an asp page. The link
would look like

http://10.0.0.10/ContactDetails.asp?ID=18484

How can I prevent someone from simply typing in a different number in the
URL that would load a different page. I'd prefer not to have to use a
password. Code samples would be most helpful.

Ideally, you should be encrypting the IDs that you pass around so the user
couldn't do something like that. Users should never see an unencrypted ID
value because it's a security risk. In other words, your ASP application
would get the ID from the database and encrypt it, then pass around the
encrypted value, and then decrypt it when it needed to make a call back to
the server with that value.

Regards,
Peter Foti

"Terri" wrote:

http://10.0.0.10/ContactDetails.asp?ID=18484

How can I prevent someone from simply typing in a different number
in the URL that would load a different page.

The other responses all seem to think you were asking how to hide the true
destination of the document, but I read it to mean you didn't want users to
be able to guess article IDs. Is that correct?

If so, then you probably should use IDs that are not sequential, and
furthermore seem random. One simple approach would be to use GUIDs. Your
URLs would end up looking something like this:

http://server/ContactDetails.asp?ID=...6-FECBB568B277

....which would map to article 18484 in the DB.

See this for pros and cons:
http://www.devx.com/dbzone/Article/10167

If GUIDs seem too large (they are 16 bytes), you can always generate random
numbers and check for uniqueness when creating your article IDs.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.

Thanks for all your responses.

The ID refers to a contact so I don't want one contact to be able to type
in someone else's contact ID and modify someone else's data.

The encryption suggestion seems to be the most secure. I assume if I used
the URLEncode method that the encoded string could be reverse-engineered.
The guid method may also be secure enough for my needs.

I needed general ideas about how to accomplish this in order to prepare a
price estimate, so I think I have enough info for that. If I get the project
I'll have to examine one of these methods in more detail.

Thanks again.

"Dave Anderson" <GT**********@spammotel.com> wrote in message
news:On**************@TK2MSFTNGP11.phx.gbl...

"Terri" wrote:

http://10.0.0.10/ContactDetails.asp?ID=18484

How can I prevent someone from simply typing in a different number
in the URL that would load a different page.
The other responses all seem to think you were asking how to hide the true
destination of the document, but I read it to mean you didn't want users

to be able to guess article IDs. Is that correct?

If so, then you probably should use IDs that are not sequential, and
furthermore seem random. One simple approach would be to use GUIDs. Your
URLs would end up looking something like this:

http://server/ContactDetails.asp?ID=...6-FECBB568B277
...which would map to article 18484 in the DB.

See this for pros and cons:
http://www.devx.com/dbzone/Article/10167

If GUIDs seem too large (they are 16 bytes), you can always generate random numbers and check for uniqueness when creating your article IDs.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use of this email address implies consent to these terms. Please do not contact me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.

Encode and Encrypt are different...
You want Encrypt

--
Curt Christianson
Owner/Lead Developer, DF-Software
www.Darkfalz.com
"Terri" <Te***@spamaway.com> wrote in message
news:c2**********@reader2.nmix.net...

Thanks for all your responses.

The ID refers to a contact so I don't want one contact to be able to type
in someone else's contact ID and modify someone else's data.

The encryption suggestion seems to be the most secure. I assume if I used
the URLEncode method that the encoded string could be reverse-engineered.
The guid method may also be secure enough for my needs.

I needed general ideas about how to accomplish this in order to prepare a
price estimate, so I think I have enough info for that. If I get the project I'll have to examine one of these methods in more detail.

Thanks again.

"Dave Anderson" <GT**********@spammotel.com> wrote in message
news:On**************@TK2MSFTNGP11.phx.gbl...

"Terri" wrote:

http://10.0.0.10/ContactDetails.asp?ID=18484

How can I prevent someone from simply typing in a different number
in the URL that would load a different page.

The other responses all seem to think you were asking how to hide the true destination of the document, but I read it to mean you didn't want users

to

be able to guess article IDs. Is that correct?

If so, then you probably should use IDs that are not sequential, and
furthermore seem random. One simple approach would be to use GUIDs. Your
URLs would end up looking something like this:

http://server/ContactDetails.asp?ID=...6-FECBB568B277

...which would map to article 18484 in the DB.

See this for pros and cons:
http://www.devx.com/dbzone/Article/10167

If GUIDs seem too large (they are 16 bytes), you can always generate

random

numbers and check for uniqueness when creating your article IDs.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message.

Use

of this email address implies consent to these terms. Please do not

contact

me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.

"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:Og**************@tk2msftngp13.phx.gbl...

Encode and Encrypt are different...
You want Encrypt

Yeah, what he said. :)
Try reading this article. I think he includes some references to some ways
to encrypt the data (but you could also use something like ASPEncrypt if
your host provides it).
http://authors.aspalliance.com/nothi...l=nothingmn_10

Best,
Peter Foti