need to disguise urls with (myvariable)/42 extensions

Author Message

nigel dodd

Thursday 31 March 2005 10:47:01 am

I have dynamically calculated links with variables, e.g.:

http://mysite.com/index.php/mysite/discountpage/(discount)/10

and I don't want the general public to hack into the discountpage page substituting their own discount (such as 99%).

I do not think it is possible to use the URL translator to translate such dynamically constructed addresses.

I need to pass the variable value, and the extended URL seems to be the only way since there is no other means of conveying a variable value across templates.

The only solution I have devised is to use an additional variable to convey an md5 hash of the variable values combined with some secret key and to check this in the destination page. It would be very difficult for a hacker to reverse engineer the md5 hashing.

Is there a better way of making the transfer of variable values between templates hacker-proof?
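The keyed-hash check described in the post above, as an added example that is not part of the original thread or of eZ Publish itself. It uses HMAC-SHA256 with a constant-time comparison in place of a plain MD5 of value plus secret; the `(sig)` variable name, the function names, the key placeholder and the `$params` array (standing in for however the destination page receives its URL variables) are assumptions.

```php
<?php
// Added example: key, function names and the (sig) variable are assumptions.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret'; // placeholder

// MAC over the length-prefixed parameter name AND value, so a tag issued for
// one variable cannot be replayed on another or shifted across a boundary.
function sign_param(string $name, string $value): string
{
    $message = strlen($name) . ':' . $name . '|' . strlen($value) . ':' . $value;
    return hash_hmac('sha256', $message, SECRET_KEY);
}

// Source template side: emit the link with the extra (sig) variable.
function build_discount_url(string $base, int $discount): string
{
    $sig = sign_param('discount', (string)$discount);
    return sprintf('%s/(discount)/%d/(sig)/%s', $base, $discount, $sig);
}

// Destination side: returns the discount, or null if the link was altered.
function verify_discount(array $params): ?int
{
    $value = $params['discount'] ?? '';
    $sig   = $params['sig'] ?? '';
    // Accept only a canonical decimal form so "10" and "010" cannot both pass.
    if (!is_string($value) || !is_string($sig)
        || !preg_match('/^(0|[1-9][0-9]{0,2})$/', $value)) {
        return null;
    }
    // hash_equals() compares in constant time, unlike == or strcmp().
    if (!hash_equals(sign_param('discount', $value), $sig)) {
        return null;
    }
    $discount = (int)$value;
    return $discount <= 100 ? $discount : null;
}

// Constructed sample input: a genuine link, then the same tag with 99 substituted.
$url = build_discount_url('http://mysite.com/index.php/mysite/discountpage', 10);
$sig = substr($url, strrpos($url, '/') + 1);
echo $url, "\n";
var_dump(verify_discount(['discount' => '10', 'sig' => $sig]));
var_dump(verify_discount(['discount' => '99', 'sig' => $sig]));
```

The check only detects a modified value: a valid link can still be shared or reused unchanged by anyone who has it.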

Paul Forsyth

Thursday 31 March 2005 11:00:05 am

Sensitive values passed like this will always be open to attack.

Personally I would store the values in the db and provide some operators to perform the manipulation on them. In this way you are 'passing' them via the db but without exposing the values.

Paul

nigel dodd

Thursday 31 March 2005 11:08:26 am

So far as I understand there is no easy way to store a value in the db. Don't you need to create an object and store the value as an attribute? And there are the issues to do with creating and publishing the object on the fly (as shown in http://ez.no/community/contribs/hacks/one_click_new_object_and_publish_preview_hack).

I hope I am wrong here. Any pointers would be gratefully received.
