Access control in web applications

What you need to do is check that the user is authorized to access the data you're going
to show on a page, before allowing them to see that data. This
basically comes down to access control: you want controls that limit
which users can view which data, based upon some authorization policy.
It sounds like you have a sequence of pages, one for each agent:
http://www.example.com/agent/?producerId=12345
http://www.example.com/agent/?producerId=12346
http://www.example.com/agent/?producerId=12347
...
where the producerIds (agentIds) are potentially guessable or predictable. You want to ensure that agent 12345 can view
http://www.example.com/agent/?producerId=12345
but not any of the other pages. OK.
This is a bog-standard situation, and the bog-standard defense is: access control.
To implement access control, you code the web application so that
each page checks whether the user is authorized to view that page before
allowing the user to view that page. For instance, for the page listed
above, the logic implementing that page would check the identity of the
currently logged-in user. If the id of the logged-in user matches the
producerId of the page parameter, then you show them the information.
If the id does not match, you do not show them the information: if it is
some other user, you show them an error page (with information about
how to get access), or if the user has not logged in yet, you redirect
them to a login page.
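As an added example (not code from either answer), here is the check the answer describes, written in Python for the agent page: the session user id, the query dictionary and the AGENT_DATA table are constructed stand-ins for a real framework's session and database.

```python
# Added example: server-side authorization for /agent/?producerId=N.
# Policy (from the answer above): only the logged-in agent whose id equals
# producerId may view the page; anyone else gets an error page, and a user
# who is not logged in is redirected to the login page.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Decision:
    status: int            # HTTP status to send
    location: str = ""     # Location header for a redirect
    body: str = ""         # error page text or the agent's data

# Constructed sample data: producerId -> confidential record (stand-in for a DB).
AGENT_DATA = {
    12345: "commissions for agent 12345",
    12346: "commissions for agent 12346",
}

def parse_producer_id(query: dict) -> Optional[int]:
    """Validate the producerId parameter; anything but a positive integer is rejected."""
    raw = query.get("producerId", "")
    return int(raw) if raw.isdigit() else None

def authorize_agent_page(session_user_id: Optional[int], query: dict) -> Decision:
    """Decide the response for the agent page from the session and the query string."""
    producer_id = parse_producer_id(query)
    if producer_id is None:
        return Decision(400, body="bad request")
    if session_user_id is None:
        # Not logged in yet: send to the login page, then return to this page.
        return Decision(302, location=f"/login?next=/agent/?producerId={producer_id}")
    if session_user_id != producer_id:
        # Some other user: error page with how to get access, and the same
        # response whether or not the requested producerId exists.
        return Decision(403, body="not authorized for this agent; contact support for access")
    data = AGENT_DATA.get(producer_id)
    if data is None:
        return Decision(404, body="not found")
    return Decision(200, body=data)
```

The comparison is always between the server-side session identity and the request parameter; the parameter alone is never used to decide who the user is.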
Here is the way I solved the problem in my solution:
$id = 1234;
$en_id = encryptString($id);
Then create the URL like
https://www.example.com/show_order.php?id=$en_id
The URL will look like
https://www.example.com/show_order.php?id=9muEYh4lShFDeCnXqoNpxucs
The functions to encrypt and decrypt are:
function encryptString($plaintext) {
    # --- ENCRYPTION ---
    # openssl_* is used here; the mcrypt extension this was originally
    # written against was removed in PHP 7.2
    $key = pack('H*', "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3"); // change this
    # use a 16, 24 or 32 byte key for AES-128, 192 or 256 respectively;
    # this key is 32 bytes, so AES-256
    $cipher = 'aes-256-cbc';
    # create a random IV to use with CBC mode
    $iv_size = openssl_cipher_iv_length($cipher);
    $iv = random_bytes($iv_size);
    # encrypt; PKCS#7 padding is applied automatically, so any input length works
    $ciphertext = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    # prepend the IV so it is available for decryption
    $ciphertext = $iv . $ciphertext;
    # base64-encode the result so it can be carried as a string
    $ciphertext_base64 = base64_encode($ciphertext);
    return rawurlencode($ciphertext_base64); // important: rawurlencode, because
                                             // base64 contains + and / characters
}
function decryptString($ciphertext_base64) {
    # --- DECRYPTION ---
    # $ciphertext_base64 is the URL-decoded parameter value (PHP decodes
    # $_GET values for you; call rawurldecode() yourself if you read the raw query)
    $key = pack('H*', "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3"); // change this; must match encryptString()
    $cipher = 'aes-256-cbc';
    $iv_size = openssl_cipher_iv_length($cipher);
    # strict decoding rejects characters outside the base64 alphabet
    $ciphertext_dec = base64_decode($ciphertext_base64, true);
    if ($ciphertext_dec === false || strlen($ciphertext_dec) <= $iv_size) {
        return false; // malformed parameter
    }
    # retrieve the IV from the front
    $iv_dec = substr($ciphertext_dec, 0, $iv_size);
    # retrieve the cipher text (everything after the IV)
    $ciphertext_dec = substr($ciphertext_dec, $iv_size);
    # returns false when decryption or the padding check fails (wrong key or altered value)
    $plaintext_dec = openssl_decrypt($ciphertext_dec, $cipher, $key, OPENSSL_RAW_DATA, $iv_dec);
    return $plaintext_dec;
}
Source: https://security.stackexchange.com/questions/17259/better-techniques-than-url-parameter-encryption