1

I am passing $_GET[]; variables in a link but want to encrypt the values in the url. I would normally use sessions but since I am not using a form and just a url what are my options. I am sure there is someway to exploit this method so I am trying to make it as secure as possible.

Below is my code:

$cost = "152.00";
<a href="registration.php?class=Spanish&age=4-6&time=3pm&cost=<?echo $cost; ?>">

and registration.php looks like

<?
$class = $_GET[class];
$age = $_GET[age];
$time = $_GET[time];
$cost = $_GET[cost];
?>

If I could use something like md5 to encode the values and then decode them on registration.php that would be good or if there is a way to pass $_session variables using <a> that would be good.

Improve this question
1
  • you cannot reverse a md5 hash. If you could, it would lose its purpose. You can use encryption with keys to pass an encrypted value to a script and have it decrypted. Commented Mar 8, 2011 at 4:06

2 Answers 2

Reset to default
2

Is the page you're linking to on the same site as the site you're making the link from?

If so, why not stick them in $_SESSION? This way, they're stored on the server, where the user can never think of manipulating them.

Another option is not actually encrypting the data, but signing it using an HMAC. If you're using a modern version of PHP, you can use hash_hmac. On the link creation side:

$validate = serialize(array( $class, $age, $time, $cost ));
$hmac = hash_hmac('sha1', $validate, 'secret key goes here');
$link = 'foo.php?...&validate=' . $hmac;

... and on the other side:

$validate = serialize(array( $_GET['class'], $_GET['age'], $_GET['time'], $_GET['cost'] ));
$hmac = hash_hmac('sha1', $validate, 'secret key goes here');
if($hmac != $_GET['validate']) {
    echo "No hacking!";
    exit;
}

You should actually use this technique for option #3, which is: use POST, i.e. a form. This will deter casual users from changing the data.

Option #4 is the best: storing all that sensitive data server-side to begin with, and referring to it by a unique identifier that the user sees. This keeps the data out of the user's hands to begin with, meaning you never need to worry about the user tampering with it.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

The page is on the same site but how do I set the session variable if I am not using a form to submit the data. If the user clicks the link on schedule.php it would need to set the session prior to going to registration.php
I've updated my post, and it happens to include the suggestion that you do indeed use a form and the POST method. You really shouldn't be passing around sensitive data out in the open if you can help it.
I agree. Since there will be pricing involved I will use a form but if the page has multiple links on it what would be the best way to convert it into a form?
1

You could consider creating a "hash key" that is made up of the variables you don't want manipulated:

(edited below to make a bit clearer)

In first page (e.g. class.php), generate the link as this:

$paramStr = "class=Spanish&age=4-6&time=3pm&cost=$cost";
$globalSecretKey = "Some secret key string that you don't reveal to the user";
$publicKey = md5($globalSecretKey . $paramStr);
$link = "registration.php?$paramStr&hash=$publicKey";

Then on registration.php, you make sure the hash matches the submitted variables:

$submittedParamStr = "class=" . $_GET['class'] . "&age=" . $_GET['age'] . "&time=" . $_GET['time'] . "&cost=" . $_GET['cost'];
$globalSecretKey = "Some secret key string that you don't reveal to the user";
$submittedDataKey = md5($globalSecretKey . $submittedParamStr);

// checking if submitted key matches submittedDataKey
if($_GET['hash'] != $submittedDataKey) die("Problem!");
Improve this answer

1 Comment

Not sure if this would work. Since class.php has all the links with different variables associated to each link. What this does it help fill in the reg form with specific data based on which link the user clicks on the previous page.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.