Hide or encode URL

I want to send emails that would include a link to an asp page. The link
would look like

http://10.0.0.10/ContactDetails.asp?ID=18484

How can I prevent someone from simply typing in a different number in the
URL that would load a different page. I'd prefer not to have to use a
password. Code samples would be most helpful.

thanks
Jul 19 '05 #1
Server.URLEncode(The_URL_to_encode)

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
Jul 19 '05 #2
> http://10.0.0.10/ContactDetails.asp?ID=18484
>
> How can I prevent someone from simply typing in a different number in the
> URL that would load a different page. I'd prefer not to have to use a
> password. Code samples would be most helpful.


By different number, I assume you mean the ID in the querystring. And, I'm
assuming once someone follows that link, they're redirected to another page?
If so, the only way I can think of to validate if it's the correct url is to
include some other identifier in the url also, and then match them up on the
destination page.

For example,

The url: http://10.0.0.10/ContactDetails.asp?ID=18484&PID=2

On ContactDetails.asp:

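' Read both identifiers from the query string
id = request.querystring("id")
page_id = request.querystring("pid")

' Pass the page identifier on to the destination page
response.redirect("SomeOtherPage.asp?pid=" & page_id)

On SomeOtherPage.asp:

' Identifier this page expects
page_id = 1

' Send the visitor away when the supplied pid does not match
if cint(request.querystring("pid")) <> page_id then
    response.redirect("default.asp")
end if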
Or, something like that.

Randy

Jul 19 '05 #3
"Terri" <Te***@spamaway.com> wrote in message
news:c2**********@reader2.nmix.net...
> I want to send emails that would include a link to an asp page. The link
> would look like
>
> http://10.0.0.10/ContactDetails.asp?ID=18484
>
> How can I prevent someone from simply typing in a different number in the
> URL that would load a different page. I'd prefer not to have to use a
> password. Code samples would be most helpful.


Ideally, you should be encrypting the IDs that you pass around so the user
couldn't do something like that. Users should never see an unencrypted ID
value because it's a security risk. In other words, your ASP application
would get the ID from the database and encrypt it, then pass around the
encrypted value, and then decrypt it when it needed to make a call back to
the server with that value.

Regards,
Peter Foti
Jul 19 '05 #4
"Terri" wrote:

> http://10.0.0.10/ContactDetails.asp?ID=18484
>
> How can I prevent someone from simply typing in a different number
> in the URL that would load a different page.


The other responses all seem to think you were asking how to hide the true
destination of the document, but I read it to mean you didn't want users to
be able to guess article IDs. Is that correct?

If so, then you probably should use IDs that are not sequential, and
furthermore seem random. One simple approach would be to use GUIDs. Your
URLs would end up looking something like this:

http://server/ContactDetails.asp?ID=...6-FECBB568B277

...which would map to article 18484 in the DB.

See this for pros and cons:
http://www.devx.com/dbzone/Article/10167

If GUIDs seem too large (they are 16 bytes), you can always generate random
numbers and check for uniqueness when creating your article IDs.
--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
Jul 19 '05 #5
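
Added example, not part of the original thread and not any poster's code: the random-ID approach described in the post above, written in Python rather than ASP so it runs as-is. The `ContactLinks` class, its in-memory dictionary (standing in for a database table) and the function names are assumptions made for illustration.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

BASE_URL = "http://10.0.0.10/ContactDetails.asp"  # URL from the question


class ContactLinks:
    """In-memory stand-in (assumption) for a DB table: token -> contact ID."""

    def __init__(self, token_bytes=16):
        self._contact_by_token = {}
        self._token_bytes = token_bytes  # 16 bytes = 128 bits, the size of a GUID

    def issue(self, contact_id):
        """Return an e-mailable link carrying a fresh random token."""
        while True:
            token = secrets.token_urlsafe(self._token_bytes)  # OS CSPRNG
            if token not in self._contact_by_token:  # uniqueness check
                break
        self._contact_by_token[token] = contact_id
        return f"{BASE_URL}?ID={token}"

    def resolve(self, url):
        """Return the contact ID for a link, or None if the token is unknown."""
        values = parse_qs(urlsplit(url).query).get("ID", [])
        if len(values) != 1:  # missing or repeated parameter
            return None
        return self._contact_by_token.get(values[0])


def demo():
    """Issue links for two constructed contacts, then try a hand-typed number."""
    links = ContactLinks()
    link_a = links.issue(18484)
    link_b = links.issue(18485)
    return {
        "own_link": links.resolve(link_a),
        "other_link": links.resolve(link_b),
        "typed_number": links.resolve(f"{BASE_URL}?ID=18485"),
        "tokens_differ": link_a != link_b,
    }


if __name__ == "__main__":
    print(demo())
```

Whoever holds a link can open the record it maps to, so the token acts as the credential that replaces the password.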
Thanks for all your responses.

The ID refers to a contact so I don't want one contact to be able to type
in someone else's contact ID and modify someone else's data.

The encryption suggestion seems to be the most secure. I assume if I used
the URLEncode method that the encoded string could be reverse-engineered.
The guid method may also be secure enough for my needs.

I needed general ideas about how to accomplish this in order to prepare a
price estimate, so I think I have enough info for that. If I get the project
I'll have to examine one of these methods in more detail.

Thanks again.

Jul 19 '05 #6
Encode and Encrypt are different...
You want Encrypt

--
Curt Christianson
Owner/Lead Developer, DF-Software
www.Darkfalz.com
Jul 19 '05 #7
"Curt_C [MVP]" <software_AT_darkfalz.com> wrote in message
news:Og**************@tk2msftngp13.phx.gbl...
> Encode and Encrypt are different...
> You want Encrypt


Yeah, what he said. :)
Try reading this article. I think he includes some references to some ways
to encrypt the data (but you could also use something like ASPEncrypt if
your host provides it).
http://authors.aspalliance.com/nothi...l=nothingmn_10

Best,
Peter Foti
Jul 19 '05 #8
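
Added example, not part of the original thread and not any poster's code: a Python sketch (rather than ASP, so it runs as-is) of why URL encoding does not protect the ID. In place of the encryption suggested in the thread it swaps in an HMAC tag, which is an assumption of this example: the ID stays readable, but a link whose ID was changed is rejected. `SECRET_KEY`, the `sig` parameter and the function names are hypothetical.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlencode

# Constructed demo key (assumption): in practice a random server-side secret.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def url_encoded(contact_id):
    """URL encoding only escapes reserved characters; digits pass through as-is."""
    return quote(str(contact_id))


def tag_for(contact_id):
    """HMAC-SHA256 tag binding the ID to the server's secret."""
    return hmac.new(SECRET_KEY, str(contact_id).encode(), hashlib.sha256).hexdigest()


def make_query(contact_id):
    """Query string for the e-mailed link: the ID plus its tag."""
    return urlencode({"ID": contact_id, "sig": tag_for(contact_id)})


def verify_query(query):
    """Return the contact ID if the tag matches, else None."""
    params = parse_qs(query)
    ids, sigs = params.get("ID", []), params.get("sig", [])
    if len(ids) != 1 or len(sigs) != 1:  # missing or repeated parameter
        return None
    if not re.fullmatch(r"[0-9]{1,10}", ids[0]):  # ASCII digits only
        return None
    expected = tag_for(ids[0]).encode()
    # compare_digest avoids leaking how many leading characters matched
    if not hmac.compare_digest(sigs[0].encode(), expected):
        return None
    return int(ids[0])


if __name__ == "__main__":
    print(url_encoded(18484))                 # the ID is unchanged by encoding
    print(verify_query(make_query(18484)))    # untouched link is accepted
    print(verify_query("ID=18485&sig=" + tag_for(18484)))  # edited ID is rejected
```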