Re: URL Sensitive DATA $_GET
comp.lang.php archive

From: Alvaro G Vicario <alvaro_QUITAR_REMOVE@telecomputeronline.com>
Date: Mon Jul 04 2005 - 12:13:55 CEST

*** Angelos wrote/escribió (Fri, 1 Jul 2005 15:13:34 +0000 (UTC)):
> www.mysite.com/BusinessThing/content_list.php?contCat=files&action=list
> &path=/home/sites/site42/web/User_Files/images

If your script is going to deliver any file on the disk that's requested by
the user, no matter where it is, I don't think any obfuscation technique you
use will be secure enough.

If your script will only deliver files in directories inside
/home/sites/site42/web/User_Files/ then you don't need to show such sensitive
info to the user. You could simply pass a unique ID to tell the script it
should fetch the file from the images subdirectory. The script should already
know what its parent dir is so it doesn't need to be told about it:

www.mysite.com/BusinessThing/content_list.php?contCat=files&action=list&path=images

There's nothing in such a URL you should care about. If you still want to
hide it from the user, just base64_encode() it (for instance).

-- 
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - My site about web programming
-- Don't e-mail me your questions, post them to the group
--
Received on Mon Oct 17 21:01:56 2005
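
An added example (not part of the original post, and not the poster's code) of the approach described in the reply: the script keeps the base directory to itself and accepts only a short identifier in `path`. The allow-list entries, the function name `resolve_listing_dir()` and the temporary directory standing in for the site's User_Files directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: map the short "path" identifier from the URL to a
// directory under a base directory that only the script knows.
function resolve_listing_dir(string $baseDir, string $id): ?string
{
    // Assumed allow-list: public identifier => subdirectory name on disk.
    $allowed = ['images' => 'images', 'docs' => 'documents'];
    if (!isset($allowed[$id])) {
        return null; // unknown id, absolute path, "../" sequence, encoded value
    }

    $base = realpath($baseDir);
    $dir  = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$id]);
    if ($base === false || $dir === false || !is_dir($dir)) {
        return null;
    }

    // Containment check after symlinks are resolved: the result must still
    // sit below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $dir;
}

// Constructed stand-in for /home/sites/site42/web/User_Files/.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'User_Files_demo';
@mkdir($base . DIRECTORY_SEPARATOR . 'images', 0700, true);
@mkdir($base . DIRECTORY_SEPARATOR . 'documents', 0700, true);

// Constructed sample values for $_GET['path'].
$samples = [
    'images',
    'docs',
    '../../etc',
    '/home/sites/site42/web/User_Files/images',
    base64_encode('images'),
];
foreach ($samples as $value) {
    $dir = resolve_listing_dir($base, $value);
    printf("%-42s => %s\n", $value,
        $dir === null ? 'rejected' : 'accepted (' . basename($dir) . ')');
}
```

Only the two identifiers in the allow-list resolve to a directory; every other value is rejected before the filesystem is touched.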