Disguising Variables Passed in URLs

This method creates security through obscurity and minimises the amount of system information that a potential attacker can gather from any variables passed in URLs.

The basic idea is to pass a single variable that is created by joining multiple variables together in a way that is easily reversible but unique to your code.

Let's suppose you have two variables that need to be passed in a URL: variable $a and variable $b. We can join them together and pass them as a single variable. As long as one of these variables has a fixed character length, we know which part is which; otherwise a separation character will need to be introduced.

As an example, let's say that variable $a is a customer ID and variable $b is a random security code to stop an attacker guessing a customer's ID and accessing their account. The security code has been set at 10 characters in length, so throttling wrong URL requests should also be considered to slow down any brute force attacks.

Variable Concatenation

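// The 10-character security code is split into two 5-character halves.
$security_id_first_5 = '12345';
$security_id_last_5 = 'abcde';
$customer_id = 1111;
// The customer ID sits between the two halves: "123451111abcde".
$url['z'] = $security_id_first_5 . $customer_id . $security_id_last_5;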

Variable Separation

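// Default to an empty string so a missing parameter does not raise a notice.
$input['url_parameter'] = $_GET['z'] ?? '';
// First 5 and last 5 characters together form the security code.
$input['security_id'] = substr($input['url_parameter'], 0, 5) . substr($input['url_parameter'], -5);
// Whatever remains in the middle is the customer ID.
$input['customer_id'] = substr(substr($input['url_parameter'], 5), 0, -5);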
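
Strict Validation (added example)

The following is an added example, not code from the original page: it wraps the same 5 + ID + 5 layout in functions that reject malformed input and compare the security code in constant time. The function names, the $stored_codes lookup and the hex alphabet for the code are assumptions made for illustration.

```php
<?php
// Added example. Function names and $stored_codes are hypothetical.
// Assumptions: hex security code (5 + 5 split as on the page), positive integer id.

// Generate a 10-character code from the system CSPRNG.
function new_security_code(): string
{
    return bin2hex(random_bytes(5)); // 5 random bytes -> 10 hex characters
}

// Same concatenation as the page: first 5 code chars, id, last 5 code chars.
function pack_param(int $customer_id, string $code): string
{
    return substr($code, 0, 5) . $customer_id . substr($code, -5);
}

// Split the parameter strictly; return [customer_id, code] or null if malformed.
function unpack_param($raw): ?array
{
    // $_GET values can be arrays (?z[]=x), so insist on a string first.
    if (!is_string($raw)) {
        return null;
    }
    // Anchored pattern: 5 hex, id of 1 to 18 digits without leading zero, 5 hex.
    if (!preg_match('/^([0-9a-f]{5})([1-9][0-9]{0,17})([0-9a-f]{5})$/D', $raw, $m)) {
        return null;
    }
    return [(int) $m[2], $m[1] . $m[3]];
}

// Accept the request only if the code matches the one stored for that id.
function is_authorised($raw, array $stored_codes): bool
{
    $parts = unpack_param($raw);
    if ($parts === null) {
        return false;
    }
    [$id, $code] = $parts;
    // hash_equals() compares in constant time, so timing does not leak the code.
    return isset($stored_codes[$id]) && hash_equals($stored_codes[$id], $code);
}

// Constructed sample data, using the values from the page.
$stored_codes = [1111 => '12345abcde'];
$valid = pack_param(1111, $stored_codes[1111]);
foreach ([$valid, '123451112abcde', '12345abcde', ['x']] as $candidate) {
    var_dump(is_authorised($candidate, $stored_codes));
}
```

A false result from is_authorised() is the event to count per client when throttling wrong URL requests.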
