开发者

Encode URL and hide confidential information

开发者 https://www.devze.com 2023-01-08 02:03 出处:网络
How do I encode a URL or hide confidential information from being displayed in the browser? For example, I have the following link:

How do I encode a URL or hide confidential information from being displayed in the browser?

For example, I have the following link:

开发者_JAVA技巧<a href="path/profileId/<?php echo $this->data['profile_id'];?>Edit</a>

I don't want profileId to be displayed in the browser.

Is there any function or method in Zend or PHP to accomplish this task? I am newbie in Zend so I have no idea if there is even a template which provide such functionality.


I suppose you will need the ID in some form or another on the /path/profileId/ page, otherwise you won't know which profile to display, right? If that's the case, it's impossible to completely hide it.
You could use a POST request instead of a GET request so the ID won't show up in the URL, but it'll still be visible in the HTML and the request body if you know where to look.

The real question is, why is a profile_id confidential to begin with? If somebody is able to do something bad just by knowing an identifier, your system has a huge problem.


You could of cause encrypt the information before sending it and decrypt it on the receiving end, but that seems pretty nonsensical. The typical way would be to simply pass tokens that are by themselves worthless, but allow you to resolve the real data on the backend. The prime example of this is a Session, another is passing the ID of a record and retrieving the related record, including confidential information, from the database.


You can use obfuscation for it. XOR the ID befor echo it out, XOR it back when handling the GET request.

But you should have access controls anyways, is this user allowed to open this link ?

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号