rewriting URLs

*** Gordan wrote/escribió (Thu, 16 Jun 2005 13:43:55 +0200):

here's my problem. On my pages I have URL souch as these
"page.php?id=2&subpage=3&param=65". For security reasons I would like to add
another parameter. It would be created like this
md5($param1.$param2.$some_constant). I would then add that MD5 string to my URL
and stop users from altering URL manually.

Then you should be using a more secure mechanism, such as sessions. URL
parameters are useful when user cannot break anything or even is encouraged
to alter it.
--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--

Gordan wrote:

here's my problem. On my pages I have URL souch as these
"page.php?id=2&subpage=3&param=65". For security reasons I would like to add
another parameter. It would be created like this
md5($param1.$param2.$some_constant). I would then add that MD5 string to my URL
and stop users from altering URL manually.
I would like PHP to rewrite all my URLs in a page adding this string to each
URL. I thought that I can pass a custom function to the session URL rewriting
but I cant it just adds the session ID. I know about
output_add_rewrite_var('var', 'value'); but the $value is fixed and in my case
it should depend on the specific URL being rewritten.
I know I could cache all my output and then write a regular expression to
rewrite URLs but that just seems slow and wrong :-)

You seems to be right. AFAIK, the better option is
<http://in.php.net/ob_start> and <http://in.php.net/preg_replace>--yes,
it's slow.

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com

hi gordan.
i believe what you are trying to do is to "encrypt" your URL's so users
can`t mess with parameters.
once i did a script which did exactly that. i can't copy&paste here but
i'll give you some VERY basic pointers (it's a simple script but very
hard to explain here!).
i created 2 pages: a.php and z.php. a.php created the "encrypted" links
and z.php read them.
a.php converted automatically the URL's to the new "encrypted" format
using Output Buffering, a simple preg_replace() function and another
function to encrypt the parameters.
the preg function returned the parameters of the URL's (i.e.
?p1=v1&p2=v2) and the "encrypting" function transformed those
parameters using base64 encode.
z.php receieved the new parameter and "uncrypted" it using base64
decode and then parsed the result to make a new $_GET array.

A tada saintexupery rece:

i believe what you are trying to do is to "encrypt" your URL's so
users can`t mess with parameters.

exactly that! :-)

<cut>
thanks for the idea. I was just wondering if I have to use output buffering. I
know I can change every single link in my page into
encode_this_link('xxx.php?id=4'); but that would take timeeeeeeee and I want
something automatic.
Ill write something using output buffering and regular expressions

thanks!
gordan

I don't see anything particularly insecure with the design. He's
basically attaching a digital signature of the GET parameters. If the
objective is simply to stop people from going to arbituary pages, it
would work.

*** Chung Leong <ch***********@hotmail.com> wrote/escribió (17 Jun 2005
08:39:54 -0700):

If the objective is simply to stop people from going to arbituary pages,
it would work.

I enclose "Going to arbitrary pages" in the "cannot break anything"
category.
--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--