Query string encryption

Discussion in 'ASP General' started by the other john, Feb 17, 2006.

  1. I've been looking for a solution for this and have seen some approaches
    but none that seem appropriate for what I'm trying to do. This is what
    I need...

    I'm trying to encrypt query strings.
    For Example...
    I want this...
    http://whatever.com/?clientID=5
    to be something like this...
    http://whatever.com/?[encrypted string]

    I've seen the 4GuysFromRolla's version. It's fine, "but" I don't know
    if it would be practical in this case. I would need to encrypt many
    urls on a single page, and every link on a displayed page would be
    pulled from a database. The "rolla" version I came across requires
    that a text file be created and a key written for each encoded string
    every time the page is called. This doesn't seem that practical to me
    because I would be writing files and keys dozens of times every time the
    page is called.

    I've also seen aspEncrypt but they want 250 bucks and I was hoping to
    avoid this. I also see that .Net has a method for this but I'm only
    working with classic at this point.

    Is there another method out there?

    Thanks!
     
    the other john, Feb 17, 2006
    #1

  2. the other john wrote:
    > I've been looking for a solution for this and have seen
    > some approaches but none that seem appropriate for what
    > I'm trying to do.
    > This is what I need...
    >
    > I'm trying to encrypt query strings.


    Why bother?



    --
    Dave Anderson

    Unsolicited commercial email will be read at a cost of $500 per message. Use
    of this email address implies consent to these terms. Please do not contact
    me directly or ask me to contact you directly for assistance. If your
    question is worth asking, it's worth posting.
     
    Dave Anderson, Feb 17, 2006
    #2

  3. Ok, why reply if you don't have anything to add? Not trying to be rude
    but this doesn't help much.
     
    the other john, Feb 17, 2006
    #3
  4. the other john wrote:
    > Ok, why reply if you don't have anything to add? Not
    > trying to be rude but this doesn't help much.


    I have plenty to add. But there are few contexts in which it makes sense to
    "encrypt" the querystring. Thus the question.

    If you explain what your objective is, perhaps someone can suggest an
    alternative approach to achieving it.



    --
    Dave Anderson

     
    Dave Anderson, Feb 17, 2006
    #4
  5. This application is a content manager for web development. It manages
    clients, developers, and administrators. Each have their own level of
    access. The problem comes in when querying the database. A developer
    or client could change the IDs in the querystrings to view projects
    not assigned to them. I've always used querystrings to pass the unique
    values to retrieve the appropriate data. I want to encrypt the query
    strings to avoid this problem.
     
    the other john, Feb 17, 2006
    #5
  6. the other john wrote:
    > This application is a content manager for web development. It manages
    > clients, developers, and administrators. Each have their own level of
    > access. The problem comes in when querying the database. A developer
    > or client could change the IDs in the querystrings to view projects
    > not assigned to them. I've always used querystrings to pass the
    > unique values to retrieve the appropriate data. I want to encrypt
    > the query strings to avoid this problem.


    OK. I think I understand. You want to obfuscate the record keys in lieu of
    authentication and privilege checking. This is possible, but it is important
    that you realize that obfuscation is not security.

    If you are identifying each user, you might want to actually design your
    application so it verifies user privileges with every round-trip. I do this
    with MOST applications.

    But I realize this is not always possible. Some of our apps allow anonymous
    submissions (and tracking by the originator). For these, we need what you
    are seeking -- obfuscated keys. And for many of these, we use GUIDs.

    Now, you don't mention your database variety, but if it's SQL Server, you
    might want to give consideration to GUIDs (SQL Server type:
    UNIQUEIDENTIFIER). I find it straightforward to add them to existing tables,
    and they are fairly tough to guess outright.

    Say, for example, your project table has an identity column [ID], upon which
    you JOIN other tables:

    SELECT P.*, H.*
    FROM Project P
    JOIN History H ON (H.ProjectID = P.ID)
    WHERE P.ID = 12345

    Adding a GUID would barely change this query:

    SELECT P.*, H.*
    FROM Project P
    JOIN History H ON (H.ProjectID = P.ID)
    WHERE P.GUID = 'A4C187AD-92AC-478F-9AED-9B74AEB5CB60'

    Notice that the GUID need only be part of the root (project) node. ID
    becomes a "private property" of the project -- no user ever needs to know
    it, but as an INT, it is far better suited for being part of a primary key
    than a GUID is. More importantly, your existing relationships are not
    changed by adding the GUID.

    If this approach interests you, I can expand a little on the topic.



    --
    Dave Anderson

     
    Dave Anderson, Feb 17, 2006
    #6
  7. This is much more helpful, thank you. Unfortunately, this is for
    Access. I worked with SQL Server before but I don't know what a GUID
    is (although I am interested for future reference). I had thought of
    figuring out a way to verify the user each time but this project is
    falling behind and its complexity growing, and the query string
    encryption was supposed to lighten this load, ugh.

    Is there a way to do this with access in a similar way?

    Thanks again.
     
    the other john, Feb 18, 2006
    #7
  8. I should have asked earlier...what other way would you suggest other
    than using querystring encryption? Form collection doesn't seem
    practical and I wouldn't know how to implement it in this case either.

    Thanks again.
     
    the other john, Feb 20, 2006
    #8
  9. the other john wrote:
    > I should have asked earlier...what other way would you suggest
    > other than using querystring encryption? Form collection doesn't
    > seem practical and I wouldn't know how to implement it in this
    > case either.


    Please note that "querystring encryption" is a false term. If the
    "encryption" has to be done on the client, then it's not encryption (unless
    you want to write your own key exchange implementation). You are looking for
    obfuscation.

    I suggested GUIDs because they are easy to implement and tough to guess.
    They may still be an option for you:
    http://www.aspfaq.com/show.asp?id=2108

    Presumably you could then store them as text.

    Another option is to generate "random" keys when you create the records.
    These can be numeric or alphabetic, but I suggest you avoid integers. I say
    "random" with quotes because (1) truly random generators are only
    theoretically possible, and more importantly, (2) you will have to test for
    uniqueness, which automatically voids the randomness of the generator.

    I'm sure there are other techniques, but you seem to be looking for a quick
    fix.



    --
    Dave Anderson

     
    Dave Anderson, Feb 20, 2006
    #9
  10. Patrice (Guest):

    Another approach would be to let the user change the value but implement
    access checking when reading the record. If he is not allowed he shouldn't
    be able to access this record.

    With the encryption approach, one could send a shortcut to someone else and
    this other person could be able to gain access to the protected record. IMO
    it's best to implement security first at the record read level....

    --
    Patrice

    "the other john" <> wrote in message
    news:...
    > This application is a content manager for web development. It manages
    > clients, developers, and administrators. Each have their own level of
    > access. The problem comes in when querying the database. A developer
    > or client could change the IDs in the querystrings to view projects
    > not assigned to them. I've always used querystrings to pass the unique
    > values to retrieve the appropriate data. I want to encrypt the query
    > strings to avoid this problem.
    >
     
    Patrice, Feb 20, 2006
    #10
  11. At the moment, yes, I am looking for a quick fix since the cost of the
    project wasn't intended to go as far as it already has. However, I am
    interested in better solutions for future reference.

    I'm trying to envision a solution that checks for what the user has
    access to at each page load. Would this in itself be a recordset that
    is referred to at every page view? Is that what you meant by record
    read level? It seems simple enough in concept but each time I think
    about it it gets more complicated.

    Thanks again all.

    John
     
    the other john, Feb 20, 2006
    #11
  12. Patrice (Guest):

    I meant that when you read a recordset from the DB:
    - for now, it looks like you are reading the row based only on the key
    provided in the querystring. As a result, if someone changes the key he can
    get at any record he wants
    - if the query selects the row based on the key *and* on application
    permission, he won't get the record if he is not allowed to see it

    --
    Patrice

    "the other john" <> wrote in message
    news:...
    > at the moment, yes, I am looking for a quick fix since the cost of the
    > project wasn't intended to go as far as it already has. However, I am
    > interested in better solutions for future reference.
    >
    > I'm trying to envision a solution that checks for what the user has
    > access to at each page load. Would this in itself be a recordset that
    > is referred to at every page view? Is that what you meant by record
    > read level? It seems simple enough in concept but each time I think
    > about it it gets more complicated.
    >
    > Thanks again all.
    >
    > John
    >
     
    Patrice, Feb 21, 2006
    #12
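    As an added example (not code from anyone in this thread), the three lookups the replies discuss side by side in one sqlite3 script: the ID-only lookup John started with, Dave's GUID lookup from post #6, and Patrice's key-plus-permission query from post #12. The ProjectAccess table, the second GUID and the user numbers are constructed sample data; only the Project/GUID column naming and the first GUID follow post #6.

    ```python
    import sqlite3

    # Constructed sample data (not from the thread): the integer ID stays a
    # "private property" of the project, the GUID is the value exposed in links,
    # and ProjectAccess records which user may read which project.
    def make_db():
        con = sqlite3.connect(":memory:")
        con.executescript("""
            CREATE TABLE Project (ID INTEGER PRIMARY KEY, GUID TEXT UNIQUE NOT NULL, Name TEXT);
            CREATE TABLE ProjectAccess (ProjectID INTEGER, UserID INTEGER);
            INSERT INTO Project VALUES (1, 'A4C187AD-92AC-478F-9AED-9B74AEB5CB60', 'Alpha');
            INSERT INTO Project VALUES (2, '6D0F1B3E-5C2A-4F8B-9E7D-1A2B3C4D5E6F', 'Beta');
            INSERT INTO ProjectAccess VALUES (1, 100);
            INSERT INTO ProjectAccess VALUES (2, 200);
        """)
        return con

    def project_by_id(con, project_id):
        """The pattern John describes: whoever edits the number in the URL
        reads whichever row they name, with no check on who is asking."""
        return con.execute("SELECT Name FROM Project WHERE ID = ?", (project_id,)).fetchone()

    def project_by_guid(con, guid):
        """Dave's suggestion (post #6): look the row up by GUID rather than the
        identity column. Hard to guess, but anyone holding the link still gets
        the row, which is Patrice's forwarded-shortcut objection."""
        return con.execute("SELECT Name FROM Project WHERE GUID = ?", (guid,)).fetchone()

    def project_for_user(con, guid, user_id):
        """Patrice's suggestion (post #12): select on the key *and* the caller's
        permission, so a guessed or forwarded key yields no row for a user who
        is not assigned to the project."""
        sql = """SELECT P.Name
                 FROM Project P
                 JOIN ProjectAccess A ON (A.ProjectID = P.ID)
                 WHERE P.GUID = ? AND A.UserID = ?"""
        return con.execute(sql, (guid, user_id)).fetchone()

    if __name__ == "__main__":
        db = make_db()
        beta = "6D0F1B3E-5C2A-4F8B-9E7D-1A2B3C4D5E6F"
        print(project_by_id(db, 2))             # ('Beta',): any ID works
        print(project_by_guid(db, beta))        # ('Beta',): any holder of the link
        print(project_for_user(db, beta, 100))  # None: user 100 is not assigned to Beta
        print(project_for_user(db, beta, 200))  # ('Beta',)
    ```

    The same permission join applies unchanged whether the exposed key is a GUID or the original integer ID; the GUID only makes the key harder to guess.
    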