Hiding the PHP url arguments

hey!

have you tried methods for hiding/encrypting email adresses in the source code?

steve

There are only two ways of passing info between page loads: GET and POST. From a link (as opposed to a form), you are limited to the GET query string, so you can't really cloak or hide it.

If you don't want the public to see the actual arguments, encode them then decode on the receiving page.

You can also use non-sensical keys and values that you 'decode' on the landing page: myurl.com/get.php?ab=awo30133&zzhti=alphie

What I do in these situations is I use my own little encryption technique.



$t = 1
$n = 2
$m = 3
$r = 4
$L = 5
$J = 6
$G = 7
$0 = 8
$p = 9
$s = 0

then you just parse like this.myurl.com/get.php?download=n&id=m

You can also use longer encryption such asmyurl.com/get.php?download=nm&id=mp

But, you also need a bit more code to convert the characters you are parseing but that is not hard to do.

Hope this helps.

If it's all on your site - why not send the info through in sessions instead? That way you show nothing. You also don't show any info on post - lot's of options.

Thank you everyone for your replies!

Hi you can use simple htaccess rewrite rules for this,

either use post, or pass the information along in a session.

problem with both of these issues, is they need to be sent to the page from the page that creates the session or posts.

another way would be to create a md5 sting that is unique to the user that has download access, then in the database link the string to the download information.

then your link would look like
myurl.com/get.php?download=d41d8cd98f00b204e9800998ecf8427e



then lookup in the database where download = d41d8cd98f00b204e9800998ecf8427e ( or whatever there random string is for that user and download)

then use that connection to pull from the database the download number and id #

it would be very difficult for someone to guess the random string.
then you could also set a limit,

say you allow them to download 3 times, each time that string is accessed you could increase the limit, by 1, once it hits 3 it no longer will download but give a error that the limit has been reached ( to prevent them sharing the url)

ex:

<?php
$download=$_GET[download];


$userdata="SELECT download,id,file,limit FROM downloads WHERE download='$download'";
$res=mysql_query($userdata) or die(mysql_error());;
$userinforow=mysql_fetch_array($res);
$string=$['download'];
$fid=$['id'];
$limit=$['limit'];
$file=$['file'];

if ($limit <= '3') {
if ($download == $string) {
file download here
}else{
echo 'sorry you have entered a invalid download string';
}
}else{
echo ' download limit has been reached for this file string';
}

?>



on the page that they access to either pay, or get the download like do something like this to generate a random string

function genRandomString() {
$length = 100;
$characters = ’0123456789abcdefghijklmnopqrstuvwxyz!@#$%^&* ()_+=-’;
$string = ”;
for ($p = 0; $p < $length; $p++) {
$string .= $characters[mt_rand(0, strlen($characters))];
}
return $string;
}

thin insert that string and download info to the database.


thats a crude implementation but should give you the idea

This is not how you do downloads. You want each customer to have a one time download link so it would be that link plus a one time token which is emailed to them when they request it from the member area.

This url will get passed around so quickly your head will spin.

No matter what the solution, this won't be a cut-and-paste method of implementing it. You'll need to understand programming methodologies to do this. It isn't too difficult, but it takes a bit of programming, as well as understanding of how the server works. The "one-time" download link is the right thing to do. You need something that is hashed together from a timestamp, a user id, and possibly an email, that is then added to a database after download to indicate that the link is no longer authorized.

The other possibility is to put the resource in a location that is not public, then relay the (binary) data from a PHP page or whatever (PHP pages can deliver way more than just HTML), but only if the user is properly authenticated. Users are quick to share links, but will hardly ever share their user accounts.

you need to use a framework that enable you to make the url rewriting. Also tuning the web server as apache you can rewrite the urls