Encrypted URLs

22 posts by 2 authors in: Forums > CMS Builder
Last Post: August 20, 2012

By gkornbluth - August 3, 2012 - edited: August 4, 2012

Hi All,

Ever since the advent of the spambot email protector plugin I’ve been concerned with having potentially sensitive URLs visible in the source code of some of my client’s viewers.

I've got situations where I'm passing a return URL in a PayPal button for example and it would be nice if view source did not reveal the return URL so easily.

I’ve tried looking at some of the PHP encryption functions but the discussions are way over my head.

So, has anyone successfully implemented the idea of encrypting/decrypting URLs in viewer source code?

I could also use some help with the interim solution in my follow-up post.

Thanks,

Jerry Kornbluth
The first CMS Builder reference book is now available on-line!
Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

Re: [gkornbluth] Encrypted URLs

By Jason - August 6, 2012

Hi,

It might be easier to just encode the values directly through PHP without relying on JavaScript to do this after the fact.

Here is a function to encode:

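function charEncodeString($string) {
    $encodedString = "";

    // Emit each byte as an HTML numeric character reference (&#NNN;).
    // The "&" must be written literally: htmlspecialchars("&") yields "&amp;",
    // which the browser would show as text instead of decoding.
    foreach (str_split($string, 1) as $char) {
        $encodedString .= "&#" . ord($char) . ";";
    }

    return $encodedString;
}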


Hope this helps
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
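
An added example, not code from this thread: numeric character references are an encoding rather than encryption, so one standard PHP call recovers the original value from the page source. The helper name `recoverHiddenFields`, the form markup and the return URL are constructed for illustration.

```php
<?php
// Added example: character-reference encoding gives no confidentiality.
// The markup and URL below are constructed sample data.

// Same encoding idea as the function in the post above.
function charEncodeString(string $string): string {
    $encoded = '';
    foreach (str_split($string) as $char) {
        $encoded .= '&#' . ord($char) . ';';
    }
    return $encoded;
}

// Hypothetical helper: read name/value pairs from <input> tags and decode
// the values exactly as a browser does before it submits the form.
function recoverHiddenFields(string $html): array {
    $fields  = [];
    $pattern = '/<input[^>]*\bname=[\'"]([^\'"]+)[\'"][^>]*\bvalue=[\'"]([^\'"]*)[\'"]/i';
    preg_match_all($pattern, $html, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        $fields[$m[1]] = html_entity_decode($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $fields;
}

$returnUrl = 'https://example.org/members/thank-you.php'; // constructed

// What "view source" would show: the value is a run of &#NNN; references.
$page = "<form action='https://www.paypal.com/cgi-bin/webscr'>\n"
      . "<input type='hidden' name='return' value='"
      . charEncodeString($returnUrl) . "'>\n"
      . "</form>";

echo $page, "\n\n";

// The decoded field is identical to the original URL.
$fields = recoverHiddenFields($page);
var_dump($fields['return'] === $returnUrl);
```

The browser performs the same decoding before it submits the form, so the plain URL also appears in the request it sends.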

Re: [Jason] Encrypted URLs

Jason,

Thanks for looking at this.

Wouldn't this render the exposed $encodedString values in the source code, or am I missing something basic?

Jerry

Re: [gkornbluth] Encrypted URLs

By Jason - August 7, 2012

Hi Jerry,

It would, but in the first approach, people could see the hard-coded JavaScript values in the source code as well.

Another approach would be to have no value at all on the page. If each button submitted a unique value, you could have it submit to a middle distribution page. There you could redirect them to a URL based on the submitted value. Since this would all happen on the server side, nothing would be sent to the browser to be exposed in the source.

Hope this helps
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com


Re: [Jason] Encrypted URLs

Thanks Jason,

You're right, visitors could see the hard coded JavaScript values but at least casual prying eyes would be fooled.

I was hoping to come up with something along the lines of the spambot email plugin, but the interim page approach is an interesting, and much more secure thought.

I'll play with it and see what I can come up with.

I'm sure I'll have more questions as I get further.

If you, or anyone, has come up with an encryption plugin, I'd like to hear more about it.

Again, thanks for adding your brain power to this.

Jerry Kornbluth

Re: [Jason] Encrypted URLs

Hi Jason,

I knew I’d be back.

I’m trying to cobble together an implementation of your “intermediate page” suggestion but I'm not sure how to proceed. (I guess I don't understand the "no value" approach.)

So far, on my payment page I’m using links to the intermediate pages and then using the JavaScript below on the intermediate pages to submit my forms on page load.

Maybe I’m not thinking clearly, but how can I protect the intermediate pages from prying eyes and still allow the submission of the form to take place, or how would I approach the other, and probably better "no value" suggestion?

Thanks,

Jerry Kornbluth

<form id="form1">
...
</form>

<script type="text/javascript">
function myfunc () {
    var frm = document.getElementById("form1");
    frm.submit();
}
window.onload = myfunc;
</script>

Re: [gkornbluth] Encrypted URLs

By Jason - August 9, 2012

Hi Jerry,

The idea of the intermediate page is that the user never even knows they were sent there. The purpose of the page is simply to redirect, so no information is ever sent to the browser.

For example, say you have 3 different links, each one needing to be sent to a different URL. You pass a number, or other value, to the intermediate page.

EXAMPLE:

<a href = "intermediate.php?url=1">Click Here!</a>

On the intermediate.php page, you use the values passed in to figure out which URL to redirect to:

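<?php
// Key submitted by the link, e.g. intermediate.php?url=1
$value = @$_REQUEST['url'];

$url = "";

// Map each key to its destination; the URLs exist only in this server-side file
if ($value == 1) {
    $url = "http://www.myfirstoption.com";
}
elseif ($value == 2) {
    $url = "http://www.mysecondoption.com";
}
elseif ($value == 3) {
    $url = "http://www.mythirdoption.com";
}

// Redirect only when the key matched a known destination
if ($url) {
    redirectBrowserToURL($url);
}
exit;

?>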


This is a pretty basic implementation, and there are a lot of ways to vary this, but this should give you an idea of how to get started.

Hope this helps
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com
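
A stricter variant of the intermediate page described above, as an added example that is not code from this thread. It goes beyond the post by building one destination, a PayPal payment link, from server-side values; `paypalLink`, `destinations`, `resolveDestination`, the payment address, amount and example.org URLs are assumptions made for illustration, and plain `header()` stands in for CMS Builder's `redirectBrowserToURL()`.

```php
<?php
// intermediate.php - added example, not code from this thread.
// The page only carries a short key; every destination stays on the server.

// Hypothetical helper: build a PayPal payment link from server-side values.
function paypalLink(string $business, string $amount, string $returnUrl): string {
    return 'https://www.paypal.com/cgi-bin/webscr?' . http_build_query([
        'cmd'           => '_xclick',
        'business'      => $business,
        'amount'        => $amount,
        'currency_code' => 'USD',
        'return'        => $returnUrl,
    ]);
}

// Allowlist of destinations. Address, amount and return URL are constructed.
function destinations(): array {
    return [
        '1' => 'http://www.myfirstoption.com',
        '2' => 'http://www.mysecondoption.com',
        '3' => paypalLink('payments@example.org', '25.00',
                          'https://example.org/thanks.php'),
    ];
}

// Accept only an exact, known key. Arrays, "1abc", "" and unknown numbers
// resolve to null, and the request never supplies a URL itself, so the
// page cannot be used as an open redirect.
function resolveDestination($key): ?string {
    if (!is_string($key) || !ctype_digit($key)) {
        return null;
    }
    return destinations()[$key] ?? null;
}

$target = resolveDestination($_GET['url'] ?? null);
if ($target === null) {
    http_response_code(404);
    exit('Unknown link.');
}

// The Location header is still delivered to the browser: this keeps the
// destination out of the page source, not away from whoever follows the link.
header('Location: ' . $target, true, 302);
exit;
```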


Re: [Jason] Encrypted URLs

Hi Jason,

I see where you're going now and will see what I can come up with.

Thanks,

Jerry Kornbluth

Re: [Jason] Encrypted URLs

Hi Jason,

I got some time last night and this morning and set up some test intermediate pages and they work perfectly for URLs.

When I try to replace the different URL values with forms with some different variable in them, I’m stuck.

I’m pretty sure that it has something to do with the built-in “redirectBrowserToURL” function, but I don’t know how to proceed.

Hope you’re willing to help.

Jerry Kornbluth

Here’s the code that I’m using so far:
<a href = "intermediate2.php?url=1">Click Here for link 1!</a><br />
<a href = "intermediate2.php?url=2">Click Here for link 2!</a><br />

etc...


And...
<!-- I’d like to use something like this to submit the appropriate version of the form on page load (would I have to use a separate function for each value and change each of the form IDs?) -->
<script type="text/javascript">
function myfunc () {
var frm = document.getElementById("foo");
frm.submit();
}
window.onload = myfunc;
</script> -->

</head>
<body>

<!-- These are some defined test variables (values 3-5 would have forms with other variables inserted) -->

<?php $ppea = $common_informationRecord['paypal_payment_e_mail_address']; ?>
<?php $rmda = $become_a_memberRecord['regular_member_dues_amount']; ?>
<?php $ret1 = "http://www.jkwebdesigns.com"; ?>

<?php $ppea2 = $common_informationRecord['paypal_payment_e_mail_address_2']; ?>
<?php $fmda = $become_a_memberRecord['founding_member_dues_amount']; ?>
<?php $ret2 = "http://www.interactivetools.com"; ?>

<?php
$value = @$_REQUEST['url'];

$url = "";

if ($value == 1) {
$url = "
&lt;form id='foo'
action= 'https://www.paypal.com/cgi-bin/webscr'&gt;
&lt;input type='hidden' name='cmd' value='_xclick'&gt;
&lt;input type='hidden' name='lc' value='US'&gt;
&lt;input type='hidden' name='cbt' value='founding member renewal'&gt;
&lt;input type='hidden' name='currency_code' value='USD'&gt;
&lt;input type='hidden' name='rm' value='1'&gt;
&lt;input type='hidden' name='cpp_header_image' value='http://www.artistsofpalmbeachcounty.org/images/apbcpp.jpg'&gt;
&lt;input type='hidden' name='business' value='&lt;?php echo $ppea1 ?&gt;'&gt;
&lt;input type='hidden' name='item_name' value='$&lt;?php echo $rmda ?&gt; - REGULAR MEMBER RENEWAL'&gt;
&lt;input type='hidden' name='amount' value='&lt;?php echo $rmda ?&gt;'&gt;
&lt;input type='hidden' name='no_shipping' value='1'&gt;
&lt;input type='hidden' name='no_note' value='1'&gt;
&lt;input type='hidden' name='return' value='&lt;?php echo $ret1 ?&gt;'&gt;
&lt;/form&gt;
";
}
elseif ($value == 2) {
$url = "
&lt;form id='foo'
action= 'https://www.paypal.com/cgi-bin/webscr'&gt;
&lt;input type='hidden' name='cmd' value='_xclick'&gt;
&lt;input type='hidden' name='lc' value='US'&gt;
&lt;input type='hidden' name='cbt' value='founding member renewal'&gt;
&lt;input type='hidden' name='currency_code' value='USD'&gt;
&lt;input type='hidden' name='rm' value='1'&gt;
&lt;input type='hidden' name='cpp_header_image' value='http://www.artistsofpalmbeachcounty.org/images/apbcpp.jpg'&gt;
&lt;input type='hidden' name='business' value='&lt;?php echo $ppea2 ?&gt;'&gt;
&lt;input type='hidden' name='item_name' value='$&lt;?php echo $fmda ?&gt; - FOUNDING MEMBER RENEWAL'&gt;
&lt;input type='hidden' name='amount' value='&lt;?php echo $fmda ?&gt;'&gt;
&lt;input type='hidden' name='no_shipping' value='1'&gt;
&lt;input type='hidden' name='no_note' value='1'&gt;
&lt;input type='hidden' name='return' value='&lt;?php echo $ret2 ?&gt;'&gt;
&lt;/form&gt;
";
}
elseif ($value == 3) {
$url = "http://www.site3.com";
}
elseif ($value == 4) {
$url = "http://www.site4.com";
}
elseif ($value == 5) {
$url = "http://www.site5.com";
}
if ($url) {
redirectBrowserToURL($url);
}
exit;

?>
