Detect if URL variable was changed

Participant, Jul 24, 2007

Hey all, I don't want to show the dynamic ID value in the URL string, so I am doing an encrypt() on the page with the link, and a decrypt() on the page showing the details.

I have this working; I only need help detecting if the user manipulated the URL string.

The set-up:
APPLICATION.CFM
<cfset VARIABLES.algorithm = "AES">
<cfset VARIABLES.encoding = "hex">
<cfset VARIABLES.key = GenerateSecretKey(VARIABLES.algorithm)>
<cfset REQUEST.phrase = "454d5a4daSAASSDASD==_+Test">
I outputted VARIABLES.key to get the value which I hardcode for REQUEST.phrase. I then pass REQUEST.phrase in place of the "key" attribute in encrypt/decrypt. I am doing it this way because of an issue noted here: http://forums.hostmysite.com/about4161.html

PAGE1.CFM
<cfset VARIABLES.enc = Encrypt('#query.MAIN_ID#', REQUEST.phrase, VARIABLES.algorithm, VARIABLES.encoding)>
<pre>#REQUEST.phrase#</pre>
<a href="page2.cfm?LID=#VARIABLES.enc#">view</a>

PAGE2.CFM
<cfset dec = Decrypt('#URL.LID#', REQUEST.phrase, VARIABLES.algorithm, VARIABLES.encoding)>

On PAGE2.CFM, I do something like this:
<cfif isDefined("URL.LID") and URL.LID NEQ "">
<cfquery name="" datasource="">...</cfquery>
<cfelse>
OOOPPPPPPSSSS!!
</cfif>

What I'd like to do is have another check to see if the user changed the #URL.LID# value, if the user did then redirect them to the main page. Is that possible?

If I change the value in LID variable in the URL, I get this error message:
There has been an error while trying to encrypt or decrypt your input string: Given final block not properly padded.

I get that error because the "key" on the first page is not the same as the "key" on the display page. Is there a way to have another check for this? Or am I just wasting my time?

Advisor, Jul 24, 2007

The exception is being thrown because you're instructing the server to decrypt a string that is not properly encrypted. Add a try/catch around the decryption statement. If decryption fails, then the value of url.lid is not an encrypted string and you know it has been tampered with.

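The try/catch check suggested in the answer above, written out for PAGE2.CFM as an added example (not code from either participant in the thread). It also validates the decrypted value, because an altered LID can occasionally decrypt without an error and yield garbage. Assumptions: MAIN_ID is a positive integer, and `index.cfm`, `REQUEST.dsn`, `detail_table` and `getDetails` are hypothetical names.

```cfml
<!--- PAGE2.CFM (added example). Assumptions: MAIN_ID is a positive integer; index.cfm,
      REQUEST.dsn, detail_table and getDetails are hypothetical placeholders. --->
<cfset VARIABLES.mainId = 0>

<cfif structKeyExists(URL, "LID") and len(trim(URL.LID))>
    <cftry>
        <!--- Throws if LID is not valid hex or the final block is not properly padded --->
        <cfset VARIABLES.dec = Decrypt(URL.LID, REQUEST.phrase, VARIABLES.algorithm, VARIABLES.encoding)>
        <!--- A changed value can still decrypt without an error and produce garbage,
              so accept the result only if it has the shape of a real ID --->
        <cfif isValid("integer", VARIABLES.dec) and VARIABLES.dec GT 0>
            <cfset VARIABLES.mainId = VARIABLES.dec>
        </cfif>
        <cfcatch type="any">
            <!--- Decryption failed: leave mainId at 0 so the redirect below fires --->
        </cfcatch>
    </cftry>
</cfif>

<!--- Missing, undecryptable or non-numeric LID: send the user back to the main page --->
<cfif VARIABLES.mainId EQ 0>
    <cflocation url="index.cfm" addtoken="no">
</cfif>

<!--- Only a validated integer reaches the query, and it is bound as a parameter --->
<cfquery name="getDetails" datasource="#REQUEST.dsn#">
    SELECT *
    FROM detail_table
    WHERE MAIN_ID = <cfqueryparam value="#VARIABLES.mainId#" cfsqltype="cf_sql_integer">
</cfquery>
```
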
Participant, Jul 24, 2007

Hmmm, didn't think of doing that. Lemme test and will let you know. Thanks!