Here is my question, i am trying to hide address value in URL
URL is something like this
example.com/linkdl/preview/index.php?address='http://mysiteexample.com'
I am trying to hide, ?address='http://mysiteexample.com' part, but i am not sure, what is best way
i have an idea to use base64_encode($adresa), but i am not sure will i have problems with (encoding/decoding special) characters in URL
$click = 'OtvoriProzor("'.$file_path.'&pk='.$sesija->pk.'&adresa='.base64_encode($adresa).
'&IDIstorijaElement='.$element->GetId().'", "Prevod", 700, 500);';
This is very insecure, can add some function for encryption, to encrypt and decrypt parametar, or will md5 help me here. Also should i use function url_decode url_decode instead?
Since md5 is a hash algorithm, you won't be able to get back what you encoded.
You can use base64 and urlencode to avoid problems with some characters:
<?php
$url = urlencode(base64_encode($adresa));
?>
And you will decode it with:
<?php
$addr = base64_decode(urldecode($_GET['adresa']));
?>
Related
I have been using URL decode on encoded URL variables from $_get.
The current problem I am facing is I have a URL encoded like this:
blah.php?url=http%3A%2F%2Fm.youtube.com%2F#/watch?feature=player_embedded&v=zd7c5tQCs1I&desktop_uri=%2Fwatch%3Fv%3Dzd7c5tQCs1I%26feature%3Dplayer_embedded
I'm not sure what kind of encoding this is, can someone help me? When I use just "urldecode" on this it just returns m.youtube.com
Edit: My problem is not that url decode isn't working, it works if I manually enter this encoded URL and use urldecode(), but when this encoded url is in the actual pages url and I use the _GET function then I try to decode it it stripes off everything after the "#" in the URL.
<?php print urldecode($_GET["url"]);?>
It returns
"http://m.youtube.com/"
instead of
"http://m.youtube.com/#/watch?feature=player_embedded&v=zd7c5tQCs1I&desktop_uri=/watch?v=zd7c5tQCs1I&feature=player_embedded"
I think the issue is that the pound sign is not encoded, if I refresh the page it strips away the pound sing and everything after it, so how do I get around this? Can I still retrieve the info from "GET" even though there is a pound sign? (#)
The problem is that the full link has multiple = signs, and browser cant determine, that the other = signs refer just to the url= parameter.
in your case, at first, you need to use function before link is given to url= parameter:
========================= 1) JAVASCRIPT ======================
<script type="text/javascript">
var mylink = encodeURIComponent('http://testest.com/link.php?name=sta&car=saab');
document.write("http://yoursite.com/url=" + mylink);
</script>
========================= 2)or PHP ===========================
<?php
$mylink = 'http://testest.com/link.php?name=sta&car=saab';
echo 'http://yoursite.com/url='.urlencode($mylink);
?>
so, your output (url parameter) will get like this
http://yoursite.com/url=http%3A%2F%2Ftest.com%2Flink.php%3Fname%3Dsta%
so, the url parameter will get the encoded url.
after that, your .php file needs to decode that "url" parameter-
<?php
$varr = $_GET['url'];
$varr = preg_replace("/%u([0-9a-f]{3,4})/i","&#x\\1;",urldecode($varr));
$varr = html_entity_decode($varr,null,'UTF-8');
echo $varr;
?>
that will give you the correct value
I read on php.net about urldecode function and they say that superglobal $_get is already decoded, ex: "The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results."
It is encoded into ASCII format .
see http://www.w3schools.com/tags/ref_urlencode.asp
So here is the problem, the pound sign (#) (Hash) wasn't encoded... since I can't go back and re-encode it I have to use javascript (ex. alert(window.location.hash);) to send me the full URL after the hash then I append it to PHP's version of the URL, I THEN use a find and replace function in PHP to replace the "#" with "%23", then I use the urldecode method and it returns the full proper url decoded.
This encoding is called percent encoding or URL encoding. You can use urldecode for decoding it. (Example: http://phpfiddle.org/lite/code/0nj-198 )
I know this is possible and I researched it in many websites, but didn't find anything that could do exactly what I need.
I need to encode and store two parameters in URL and then retrieve it with $_GET method.
The parameters are not sensitive data. My purpose is mainly to obfuscate it, so the visitors can't read it without website accessing.
I have something like this:
site.com/?name=john&food=banana%20split
and I need it to become something like this:
site.com/g57HT90dw8lC5p
How can I do this? Thanks.
(Sorry for my bad english)
EDIT: I should explain it a bit more.
I know I'll have to use mod_rewrite and I got that part covered;
The second parameter is a complete sentence (with spaces, punctuation, etc.);
I need this to create a Christmas Card, so none of these parameters require secure methods. What I really need to store is just a name and a simple message.
This is wrong approach - you said it is not sensitive so you better fix your code it will not be hacked if someone send you crafted data. Obfuscating prevents average users from doing changes but noone skilled be fooled by this. Also many browsers GET is limited (so can be configured PHP and server) so this may hit the wall sooner than you want. But if you insist you want this approach, you can put all variables into json_array, and then encode using base64.
$myData = array('foo'=>1, 'bar'=>'hax0r');
$arg = base64_encode( json_encode($myData) );
http://site.com/secret=$arg
and back:
$myData = json_decode( base64_decode( $_GET['secret'] ) );
But again - this is wrong by design.
Append the two string values together; then use some encoding function like str_rot13 or whatever
You could just uuencode it.
On create
$converted = convert_uuencode('?name=john&food=banana');
// 6/VYA;64]:F]H;B9F;V]D/6)A;F%N80``
And on decoding
$query = $_SERVER['QUERY_STRING'];
// 6/VYA;64]:F]H;B9F;V]D/6)A;F%N80``
$real = convert_uudecode($query);
// ?name=john&food=banana
The point of uuencoding is to make data safe for network transmissions. It does not provide protection, but it will make them something else than clear text.
Try these PHP functions convert_uuencode and convert_uudecode
It is much safer than using only base64
function encrypt_decrypt ($data, $encrypt) {
if ($encrypt == true) {
$output = base64_encode (convert_uuencode ($data));
} else {
$output = convert_uudecode (base64_decode ($data));
}
return $output;
}
$enc_txt = encrypt_decrypt ("name=john&food=banana%20split", true);
echo $enc_txt."\n";
// PTtGJU05M1VKO1ZBTilGOU87VjBdOEYlTjg2WUEpMyhQPFchTDo3MGAKYAo=
echo encrypt_decrypt ($enc_txt, false);
// name=john&food=banana%20split
Look at PHPs Doc Base64Encode . just encode the string, and decode it when reading the query.
I'm trying to figure out a way to program a function that will de-obfuscate a plain text url.
Something like this:
<input type="hidden" value="kjgajkwe##jktGAkjgWjkajskd" name="obsfucatedString" />
Then in the processing of that form I want to De-Obsfucate it:
$url = deObfuscate($_POST['obsfucatedString']);
so $url would become something like:
$url = 'http://domain.com/filename.zip';
Is something like that even possible?
I'm trying to hide the url from plain programmer sight.
I guess I would need to write something that would obsfucate the string as well
so
$obsfucatedStringURL = obsfucate('http://domain.com/filename.zip');
Encrypt the URL with a password stored on the server (a good algorithm to use is AES), then decrypt it when you need to obtain the value. A problem with this is that the encrypted string will not be composed of printable characters. To get around this, use base64_encode() to convert the binary encoded string to printable characters that can be added as a value in the <input> field, then use base64_decode() to get back the original value on the server.
There are many ways of encoding and reversing a plain text string. An simple way to obfuscate your string is by using the str_rot13 function once to encode and once again to decode (note: this will not give you any cryptographic security). I'd suggest encrypting using AES using a secret stored on the server to encrypt and decrypt. The following thread's answer defines functions for encrypting/decrypting that you can use.
PHP AES encrypt / decrypt
Another approach that might be worth considering vs. obfuscation is to store the URL server side as part of the user's session or persisted in a database. Then instead of sending an obfuscated string down, use a key that performs a lookup to retrieve the URL.
For example, I would like to:
require('encrypted.php')
"encrypted.php" contains php code that was encrypted with base64, and I have the key to decrypt it. Is there a way to first decrypt the file and then just load the decrypted code into PHP?
The first way that jumps to mind is:
eval("?".">".base64_decode(file_get_contents("encrypted.php"))."<"."?php");
However that's probably not a good idea (evil eval).
Why have you encrypted a PHP file anyway? Nobody can see the source code unless you mess around with things.
You would need to load the file's contents with file_get_contents() or similar, then call base64_decode() on it and eval() it as PHP. Only do this if you are certain of the contents of the file and you trust its source.
// Only do this is the file is trusted!!!
$phpcode = base64_decode(file_get_contents("trusted_encoded_file.php"));
eval($phpcode);
Note: See #Kolink's implementation if the encoded file contains <?php ?> open/close tags.
you don't need any key to decode base64 data , use base64_decode().
It is not professional solution, but take look at this : http://www.zend.com/en/products/guard/
i have script
<?php
$to = $_GET["to"];
header("Location: $to");
?>
if i call script such
out.php?to=http://site.ru/page.php?param1=1¶m2=2
in param $to be only http://site.ru/page.php?param1=1&
how to fix? i want that $to = http://site.ru/page.php?param1=1¶m2=2
You can escape the URL at the site calling out.php:
Go to $to
& is a reserved character in an URI. When you access this URL, ¶m2=2
is interpreted as belonging to the current URL and not to the value of to.
If you want to transmit it literally, you have to encode it with %26:
http://site.ru/page.php?param1=1%26param2=2
Most programming languages provide a function to do so. (e.g. JavaScript, PHP). The best thing is to encode the whole URL.
$to must be urlencoded, but note that you giving a redirect script to anyone, so, any phisher can use it.
So, it would be better to store urls in the database and pass only an identifier.
try encoding the to URL in base64 and then in the example that u have shown decode it before you pass it to the header :)
urlencode it
urlencode($to)
I ran into the same problem before, this is what I did:
$arr=explode('?to=',$_SERVER['REQUEST_URI'],2);
$new_to=$arr[1];
Now you can use the $new_to variable.
Of course if you're using this for production environment, I would recommend encoding the url as the other answers advised. I was using it for testing curl script. getting the variable this way has lots of flaws, so be careful.
You can use a Function called "html_entity_decode"
Click Here for more information about this function
or use md5 function to encrypt the URL and then decrypt it when you put it into a varriable.
I hope this can help you