Hide URL data and change display


2

I am developing a system where I pass a value in a variable and load it into my URL, through a form using the POST method, so I have the URL:

$url = "../usuario/detalhamento.php?foo=$id";
echo "<td><center><a href='$url' class='btn btn-primary btn-block'
value='$id'>$id</a></center></td>";

It works beautifully, except that the URL of the page I called looks like this:

http://127.0.0.1:8082/meusite/usuario/detalhamento.php?foo=1

The problem with leaving it like this is that anyone can come along, enter an ID at the end and access other information. What I wanted to know is how to hide everything after the "?", or replace it all with "#" for example; I just didn't want to leave it showing.

  • 1

    Friendly URLs. I'm running out of time to give you an example, but I'm sure someone will post an answer below.

  • 1

    Hiding this, you know you're going to have SEO problems; isn't that a concern for you? If not, go through GET instead of POST.

  • 1

    If the problem is just information privacy, then you could generate an MD5 hash and pass that as the parameter instead of passing only the naked, raw id.

  • 1

    As they said, hiding it will cause SEO problems, i.e. it will not be indexed by the search engines, and it does not solve the problem, since the resource will still be available. It is necessary to analyze who can see the data and under what conditions, and with that in mind implement these validations on the server.

  • 2

    Your application should anticipate wrong IDs, because hidden or not (whatever), every HTTP request can be forged in its entirety, regardless of whether it's GET, POST or something else. Your concern is valid, but the path chosen to resolve it is illusory. If you really need security, exchange the ID for a key that is only valid for the current session, and/or in the main application check whether the logged-in user has the right to access the provided ID.

2 answers

4

The problem with leaving it like this is that anyone can come along, enter an ID at the end and access other information.

Let’s start over here.

First of all, this is a security matter, not a visibility matter. That is, suppose user X has access to the records with IDs 3, 2 and 5, and user Y has access to IDs 8 and 1.

If user X types ID 8 into the URL, it is your security layer's job to check whether he has permission to view the information for that ID.

Let’s simulate:

At a nightclub with a VIP area and a dance floor, how are the people who have access to the VIP area identified? By a wristband. If there were no such "security", the whole dance floor could walk into the VIP area, correct?

This idea must be applied to your system. If the user enters a random ID in the URL, your application should check his access to that record; don't try to hide the ID from him.

What I wanted to know was how to hide everything after the "?"

No need for that. Visibility doesn't cause problems if you have a security layer behind it. You've got it backwards.

Considerations

The important thing is not the visibility of the ID in the URL, but your application's ACL.

SEO

Also look for some articles about SEO: it is not recommended to work with numbers in the URL, but with SLUGS.
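One way to put the "security layer" this answer talks about into the asker's own detalhamento.php, as an added example that is not code from the question or the answer. It assumes a login page that started a session and stored `$_SESSION['usuario_id']` and `$_SESSION['nivel_acesso']`, a PDO connection to a database `meusite`, and a table `registros` with columns `id`, `usuario_id`, `titulo` and `valor`; all of those names are assumptions.

```php
<?php
// Added example (not the original poster's code): detalhamento.php with the
// authorization check done on the server. Assumed names: $_SESSION['usuario_id'],
// $_SESSION['nivel_acesso'], database `meusite`, table `registros`.
declare(strict_types=1);
session_start();

if (empty($_SESSION['usuario_id'])) {
    http_response_code(401);
    exit('Login required');
}

// Validate the shape of the parameter before it goes anywhere near the query.
$id = filter_input(INPUT_GET, 'foo', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

$pdo = new PDO('mysql:host=localhost;dbname=meusite;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$isAdmin = ($_SESSION['nivel_acesso'] ?? '') === 'admin';

// The ownership check is part of the query: a record that exists but belongs
// to another user is indistinguishable from one that does not exist, so user X
// cannot use the response to enumerate the IDs that belong to user Y.
// An administrator (assumed access level 'admin') may view any record.
if ($isAdmin) {
    $stmt = $pdo->prepare('SELECT id, titulo, valor FROM registros WHERE id = :id');
    $stmt->execute([':id' => $id]);
} else {
    $stmt = $pdo->prepare(
        'SELECT id, titulo, valor FROM registros WHERE id = :id AND usuario_id = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => (int) $_SESSION['usuario_id']]);
}
$registro = $stmt->fetch(PDO::FETCH_ASSOC);

if ($registro === false) {
    http_response_code(404);
    exit('Not found');
}

// Escape on output; the id in the URL was never the thing to hide.
echo '<h1>' . htmlspecialchars($registro['titulo'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>' . htmlspecialchars((string) $registro['valor'], ENT_QUOTES, 'UTF-8') . '</p>';
```

The URL still shows `?foo=1`; typing `?foo=8` as user X simply yields 404, because the ownership condition is evaluated by the database on every request rather than by whatever the browser chose to send.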

1

I developed a system for a company that worked with financial calculations; to prevent the user from trying to change a record without authorization, I created logic more or less like this:

$securityHash = sha1($idUsuario . $nivelAcesso . $url);

Whenever he accessed a link, the link went like this:

detalhes.php/1/f6ds8dsSAFsa768sa6f786sfa

which would be the same as:

detalhes.php?id=1&sh=f6ds8dsSAFsa768sa6f786sfa

When rendering the response, I generated the hash on the server and compared it with the one in the URL. Therefore, I knew that the users who were there could only have received hash X because it is accessible only as an administrator, or as some other group.

And if the hash was rejected, I created logic to immediately block the user's access and log him out of the system.
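The signed-link pattern from this answer (`detalhes.php?id=1&sh=...`), as an added example that is not the answerer's code. It assumes a server-side secret supplied in an `APP_LINK_KEY` environment variable (the answer does not say what, if anything, keys the hash; here it is `hash_hmac()` over the same inputs), and that the caller takes `$idUsuario` and `$nivelAcesso` from the session established at login; the function names are assumptions too.

```php
<?php
// Added example (not the answerer's code): a keyed version of the
// detalhes.php?id=1&sh=... scheme. Assumed: APP_LINK_KEY in the environment,
// user id and access level taken from the login session by the caller.
declare(strict_types=1);

function linkKey(): string
{
    $key = getenv('APP_LINK_KEY');
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('APP_LINK_KEY must be set to at least 32 bytes');
    }
    return $key;
}

// Tag = HMAC-SHA256(secret, user id | access level | page | record id).
// Without the secret nobody can compute a tag for another id, and a tag
// issued to user 1 does not verify for user 2 or for a different level.
function signLink(int $idUsuario, string $nivelAcesso, string $page, int $id): string
{
    $msg = implode("\n", [(string) $idUsuario, $nivelAcesso, $page, (string) $id]);
    return hash_hmac('sha256', $msg, linkKey());
}

function buildLink(int $idUsuario, string $nivelAcesso, string $page, int $id): string
{
    $sh = signLink($idUsuario, $nivelAcesso, $page, $id);
    return $page . '?' . http_build_query(['id' => $id, 'sh' => $sh]);
}

function verifyLink(int $idUsuario, string $nivelAcesso, string $page, int $id, string $sh): bool
{
    // hash_equals() compares in constant time, so the tag cannot be guessed byte by byte.
    return hash_equals(signLink($idUsuario, $nivelAcesso, $page, $id), $sh);
}

// What detalhes.php does with the query string: validate, verify, and on
// failure end the session as the answer describes. Returns the HTTP status.
function handleDetalhes(int $idUsuario, string $nivelAcesso, array $query): int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $sh = (string) ($query['sh'] ?? '');
    if ($id === false || !verifyLink($idUsuario, $nivelAcesso, 'detalhes.php', $id, $sh)) {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy();
        }
        return 403;
    }
    return 200; // render record $id here
}

// Stand-alone demonstration; run with: APP_LINK_KEY=<32+ random bytes> php signed_link.php
$link = buildLink(1, 'admin', 'detalhes.php', 1);
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
var_dump(handleDetalhes(1, 'admin', $q));                                   // link as issued
$q['id'] = '2';
var_dump(handleDetalhes(1, 'admin', $q));                                   // id edited in the URL
var_dump(handleDetalhes(2, 'admin', ['id' => '1', 'sh' => $q['sh']]));      // same link, other user
```

Of the three calls only the first is accepted; editing the id, or reusing the link from another account, fails verification because the tag binds the user, the access level and the record together. The tag proves that the page which listed the records issued this link to this user, so that listing page must itself only emit links for records the user is allowed to see.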
