Encrypted URLs

22 posts by 2 authors in: Forums > CMS Builder
Last Post: August 20, 2012

By gkornbluth - August 3, 2012 - edited: August 4, 2012

Hi All,

Ever since the advent of the spambot email protector plugin I’ve been concerned with having potentially sensitive urls visible in the source code of some of my client’s viewers.

I've got situations where I'm passing a return URL in a PayPal button for example and it would be nice if view source did not reveal the return url so easily.

I’ve tried looking at some of the php encryption functions but the discussions are way over my head.

So, has anyone successfully implemented the idea of encrypting/decrypting URLs in viewer source code?

I could also use some help with the interim solution in my followup post.

Thanks,

Jerry Kornbluth
The first CMS Builder reference book is now available on-line!
Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

Re: [gkornbluth] Encrypted URLs

Hi All,

OK I’ve found an interim solution (not perfect) but I’m not a Javascript coder and could use some help.

I’m using the attached to generate cloaked values for 1 payment email value and 2 return URL values (return and return2) that get replaced in the button form by an onclick, before the form is submitted to PayPal.

Here’s my problem.

I have more than one PayPal button on my viewer and each needs to get directed to different return URLs depending on the button that’s clicked.

PayPal only recognizes the 1 field name “return” to initiate a redirect after payment, but I need to insert the uncloaked value of 'return' (temp1) into the first button and 'return2' (temp2) into the other.

Here's the code...

In the head of the viewer (from the attached cloaking generator)
<script type="text/javascript">
<!--
var temp = "&#104;&#116;&#116;&#112;&#58;"
+"&#47;&#47;&#119;&#119;&#119;"
+"&#46;&#109;&#121;&#112;&#108;"
+"&#97;&#99;&#101;&#46;&#99;"
+"&#111;&#109;&#47;&#118;&#105;"
+"&#101;&#119;&#101;&#114;&#49;"
+"&#46;&#112;&#104;&#112;";
var temp2 = "&#104;&#116;&#116;&#112;&#58;"
+"&#47;&#47;&#119;&#119;&#119;"
+"&#46;&#109;&#121;&#112;&#108;"
+"&#97;&#99;&#101;&#46;&#99;"
+"&#111;&#109;&#47;&#116;&#104;"
+"&#101;&#95;&#111;&#116;&#104;"
+"&#101;&#114;&#95;&#118;&#105;"
+"&#101;&#119;&#101;&#114;&#46;"
+"&#112;&#104;&#112;";
var temp3 = "&#112;&#97;&#121;&#109;&#101;"
+"&#110;&#116;&#115;&#64;&#109;"
+"&#121;&#112;&#108;&#97;&#99;"
+"&#101;&#46;&#99;&#111;&#109;"
+"";

function checkForm(theForm) {
    if (theForm.return)
        theForm.return.value = temp;
    if (theForm.return2)
        theForm.return2.value = temp2;
    if (theForm.business)
        theForm.business.value = temp3;
}
//-->
</script>


Form 1)
<form onSubmit="checkForm(this)"
action= "https://www.paypal.com/cgi-bin/webscr">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="">
<input type="hidden" name="item_name" value="Exhibition Fee - <?php echo ucwords(strtolower($event_title)); ?>">
<input type="hidden" name="amount" value="<?php echo $e_blast_events_noticeRecord['entry_fee'] ?>">
<input type="hidden" name="return" value="">
<input type="submit" value="CLICK HERE TO PAY THE $<?php echo $e_blast_events_noticeRecord['entry_fee'] ?> USING PAYPAL">
</form>

Form 2)
<form onSubmit="checkForm(this)"
action= "https://www.paypal.com/cgi-bin/webscr">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="">
<input type="hidden" name="item_name" value="Exhibition Fee - <?php echo ucwords(strtolower($event_title)); ?>">
<input type="hidden" name="amount" value="<?php echo $e_blast_events_noticeRecord['non_member_entry_fee'] ?>">
<input type="hidden" name="return" value=""> <!--THIS VALUE NEEDS TO BE REPLACED WITH THE RETURN2 VALUE BUT THE FORM NEEDS TO BE SUBMITTED WITH THE NAME “return” -->
<input type="submit" value="CLICK HERE TO PAY THE NON-MEMBER $<?php echo $e_blast_events_noticeRecord['non_member_entry_fee'] ?> USING PAYPAL">
</form>

Hope that makes sense.

Thanks,

Jerry Kornbluth
Attachments:

cloak4.php 3K

Re: [gkornbluth] Encrypted URLs

By Jason - August 6, 2012

Hi,

It might be easier to just encode the values directly through PHP without relying on javascript to do this after the fact.

Here is a function to encode:

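// Encode every character of $string as a numeric character reference.
function charEncodeString($string) {
    $encodedString = "";

    foreach (str_split($string, 1) as $char) {
        // htmlspecialchars("&") returns "&amp;", so each piece is "&amp;#NNN;"
        $encodedString .= htmlspecialchars("&")."#".ord($char).";";
    }

    return $encodedString;
}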


Hope this helps
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Re: [Jason] Encrypted URLs

Jason,

Thanks for looking at this.

Wouldn't this render the exposed $encodedString values in the source code, or am I missing something basic?

Jerry

Re: [gkornbluth] Encrypted URLs

By Jason - August 7, 2012

Hi Jerry,

It would, but in the first approach, people could see the hard coded javascript values in the source code as well.

Another approach would be to have no value at all on the page. If each button submitted a unique value, you could have it submit to a middle distribution page. There you could redirect them to a url based on the submitted value. Since this would all happen on the server side, nothing would be sent to the browser to be exposed in the source.

Hope this helps
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/
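
Added example, not code from either poster or from CMS Builder: one way to write the middle page described above, where each button posts only a short key (`button=member` or `button=non_member`) and the server looks up everything else. The forms earlier in the thread have no `method` attribute, so they already reach PayPal as a GET request; the redirect below sends the same fields the same way. The file name `pay.php`, the `button` field, the keys, addresses, amounts and URLs are all hypothetical placeholders.

```php
<?php
// pay.php: hypothetical middle page. Every key, URL, address and amount below
// is a constructed placeholder; in CMS Builder they would come from the records.
const PAYPAL_ENDPOINT = 'https://www.paypal.com/cgi-bin/webscr';

const BUTTONS = [
    'member' => [
        'business'  => 'payments@example.com',
        'item_name' => 'Exhibition Fee - Member',
        'amount'    => '25.00',
        'return'    => 'https://www.example.com/viewer1.php',
    ],
    'non_member' => [
        'business'  => 'payments@example.com',
        'item_name' => 'Exhibition Fee - Non-Member',
        'amount'    => '35.00',
        'return'    => 'https://www.example.com/the_other_viewer.php',
    ],
];

// Returns the PayPal URL for a known button key, or null for anything else.
// The request supplies only the key: no URL, address or amount is read from
// it, so a visitor cannot change the price or steer the redirect elsewhere.
function buildPayPalUrl($key)
{
    if (!is_string($key) || !array_key_exists($key, BUTTONS)) {
        return null;
    }
    $fields = ['cmd' => '_xclick'] + BUTTONS[$key];
    return PAYPAL_ENDPOINT . '?' . http_build_query($fields);
}

$url = buildPayPalUrl($_POST['button'] ?? null);
if ($url === null) {
    http_response_code(400);
    exit('Unknown payment option.');
}

// The browser still receives this URL in the Location header; the gain is
// that the payment page's own source carries only the button key.
header('Location: ' . $url, true, 303);
exit;
```

Because the lookup table is the only source of destinations, the page cannot be used as an open redirect, and nothing that must stay out of the viewer's HTML appears there.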

Re: [Jason] Encrypted URLs

Thanks Jason,

You're right, visitors could see the hard coded JavaScript values but at least casual prying eyes would be fooled.

I was hoping to come up with something along the lines of the spambot email plugin, but the interim page approach is an interesting, and much more secure thought.

I'll play with it and see what I can come up with.

I'm sure I'll have more questions as I get further.

If you, or anyone has come up with an encryption plugin, I'd like to hear more about it.

Again, thanks for adding your brain power to this.

Jerry Kornbluth

Re: [Jason] Encrypted URLs

Hi Jason,

I knew I’d be back.

I’m trying to cobble together an implementation of your “intermediate page” suggestion but I'm not sure how to proceed. (I guess I don't understand the "no value" approach.)

So far, on my payment page I’m using links to the intermediate pages and then using the Javascript below on the intermediate pages to submit my forms on page load.

Maybe I’m not thinking clearly, but how can I protect the intermediate pages from prying eyes and still allow the submission of the form to take place, or how would I approach the other, and probably better "no value" suggestion?

Thanks,

Jerry Kornbluth

<form id="form1">
...
</form>

<script type="text/javascript">
function myfunc () {
    var frm = document.getElementById("form1");
    frm.submit();
}
window.onload = myfunc;
</script>

Re: [Jason] Encrypted URLs

Hi Jason,

I see where you're going now and will see what I can come up with.

Thanks,

Jerry Kornbluth

Re: [Jason] Encrypted URLs

Hi Jason,

I got some time last night and this morning and set up some test intermediate pages and they work perfectly for URLs.

When I try to replace the different URL values with forms with some different variable in them, I’m stuck.

I’m pretty sure that it has something to do with the built in “redirectBrowserToURL” function, but I don’t know how to proceed.

Hope you’re willing to help.

Jerry Kornbluth

Here’s the code that I’m using so far:
<a href = "intermediate2.php?url=1">Click Here for link 1!</a><br />
<a href = "intermediate2.php?url=2">Click Here for link 2!</a><br />

etc...


And...
<!-- I’d like to use something like this to submit the appropriate version of the form on page load (would I have to use a separate function for each value and change each of the form IDs?) -->
<script type="text/javascript">
function myfunc () {
    var frm = document.getElementById("foo");
    frm.submit();
}
window.onload = myfunc;
</script> -->

</head>
<body>

<!-- These are some defined test variables (values 3-5 would have forms with other variables inserted) -->

<?php $ppea = $common_informationRecord['paypal_payment_e_mail_address']; ?>
<?php $rmda = $become_a_memberRecord['regular_member_dues_amount']; ?>
<?php $ret1 = "http://www.jkwebdesigns.com"; ?>

<?php $ppea2 = $common_informationRecord['paypal_payment_e_mail_address_2']; ?>
<?php $fmda = $become_a_memberRecord['founding_member_dues_amount']; ?>
<?php $ret2 = "http://www.interactivetools.com"; ?>

<?php
$value = @$_REQUEST['url'];

$url = "";

if ($value == 1) {
$url = "
&lt;form id='foo'
action= 'https://www.paypal.com/cgi-bin/webscr'&gt;
&lt;input type='hidden' name='cmd' value='_xclick'&gt;
&lt;input type='hidden' name='lc' value='US'&gt;
&lt;input type='hidden' name='cbt' value='founding member renewal'&gt;
&lt;input type='hidden' name='currency_code' value='USD'&gt;
&lt;input type='hidden' name='rm' value='1'&gt;
&lt;input type='hidden' name='cpp_header_image' value='http://www.artistsofpalmbeachcounty.org/images/apbcpp.jpg'&gt;
&lt;input type='hidden' name='business' value='&lt;?php echo $ppea1 ?&gt;'&gt;
&lt;input type='hidden' name='item_name' value='$&lt;?php echo $rmda ?&gt; - REGULAR MEMBER RENEWAL'&gt;
&lt;input type='hidden' name='amount' value='&lt;?php echo $rmda ?&gt;'&gt;
&lt;input type='hidden' name='no_shipping' value='1'&gt;
&lt;input type='hidden' name='no_note' value='1'&gt;
&lt;input type='hidden' name='return' value='&lt;?php echo $ret1 ?&gt;'&gt;
&lt;/form&gt;
";
}
elseif ($value == 2) {
$url = "
&lt;form id='foo'
action= 'https://www.paypal.com/cgi-bin/webscr'&gt;
&lt;input type='hidden' name='cmd' value='_xclick'&gt;
&lt;input type='hidden' name='lc' value='US'&gt;
&lt;input type='hidden' name='cbt' value='founding member renewal'&gt;
&lt;input type='hidden' name='currency_code' value='USD'&gt;
&lt;input type='hidden' name='rm' value='1'&gt;
&lt;input type='hidden' name='cpp_header_image' value='http://www.artistsofpalmbeachcounty.org/images/apbcpp.jpg'&gt;
&lt;input type='hidden' name='business' value='&lt;?php echo $ppea2 ?&gt;'&gt;
&lt;input type='hidden' name='item_name' value='$&lt;?php echo $fmda ?&gt; - FOUNDING MEMBER RENEWAL'&gt;
&lt;input type='hidden' name='amount' value='&lt;?php echo $fmda ?&gt;'&gt;
&lt;input type='hidden' name='no_shipping' value='1'&gt;
&lt;input type='hidden' name='no_note' value='1'&gt;
&lt;input type='hidden' name='return' value='&lt;?php echo $ret2 ?&gt;'&gt;
&lt;/form&gt;
";
}
elseif ($value == 3) {
$url = "http://www.site3.com";
}
elseif ($value == 4) {
$url = "http://www.site4.com";
}
elseif ($value == 5) {
$url = "http://www.site5.com";
}
if ($url) {
redirectBrowserToURL($url);
}
exit;

?>
