how to encrypt variables passing


I have some PHP code like the following lines; when clicking on the image it goes to different departments.

Departments.php?DepartmentsID=6?&CampusID=1 

which shows in the URL when I click on it.

How can I easily encrypt it so that it does not show in the URL? The same is the case with downloading some file.

download.php?filename=abc.pdf?

How can I disable or encrypt the code so that it doesn't show up in the URL?

thanks


want to hide variables that are passing through an HTML link


0
chilly On

As far as I understand, you want to pass some kind of token as the link, and not something readable like the filename or an ID, to your site to handle the request (the user only sees tokens and nothing else).

So clicking on a link gives you something like Departments.php?action=907fgash6f8906a6asf6g...

If you want something like that you would need some kind of database to store your tokens so your code knows what to do on a given token.

Or you could use actual encryption which you would have to decrypt and of course keep your key hidden and secure.

I don't understand why you need to do all this. If you can give more insight on why you want to do this, there might be a better solution.

1
M.Fakhri On

In your PHP form change or set the method as method = "POST".

0
Jaquarh On

You're using the URI as a GET parameter which is where you are receiving such complications. You can choose a more MVC related method to approach this:

www.example.com/6/1

The above example represents the Department ID as 6 and the Campus ID as 1 using a router. I suggest using AltoRouter.

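require 'vendor/autoload.php'; // assumes AltoRouter was installed with Composer

$router = new AltoRouter();
// [i:name] matches digits only. The names match the callback's parameters, so the
// params array is also valid as named arguments on PHP 8.
$router->map('GET|POST', '/[i:department]/[i:campus]', function($department, $campus) {
    echo "Department $department on Campus $campus.";
    // Add your code logic
}, 'Name of route');
$router_match = $router->match();
// Dispatch only when a route matched and its target is callable.
if($router_match && is_callable($router_match['target'])) {
    call_user_func_array($router_match['target'], $router_match['params']);
    exit();
}
// Some 404 stuff.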

This can be used for multi-mapping, meaning you can change the download link to whatever you like, for example just unique file IDs that the end user must know to access it, and on top of that, it could be an RBAC file before the download so only X users can download / view certain topics.
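The token-table idea from chilly's answer combined with the per-user check from this one, as an added example that is not part of any answer on this page. The `download_tokens` table, the `issueToken` and `resolveToken` functions and the `t` parameter are hypothetical names, and an in-memory SQLite database (needs the pdo_sqlite extension) stands in for the real one.

```php
<?php
declare(strict_types=1);

// Added example: opaque download tokens backed by a server-side table.
// All names are hypothetical; SQLite in memory stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE download_tokens (
    token_hash TEXT PRIMARY KEY,
    file_path  TEXT NOT NULL,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL
)');

/** Issue a random token for one file and one user; only its SHA-256 is stored. */
function issueToken(PDO $db, string $filePath, int $userId, int $ttl = 600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, 64 hex chars
    $stmt = $db->prepare('INSERT INTO download_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $filePath, $userId, time() + $ttl]);
    return $token;
}

/** Return the stored path, or null if the token is unknown, expired or not this user's. */
function resolveToken(PDO $db, string $token, int $currentUserId): ?string
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // not in the issued format; never treat it as a file name
    }
    $stmt = $db->prepare(
        'SELECT file_path FROM download_tokens
         WHERE token_hash = ? AND user_id = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), $currentUserId, time()]);
    $path = $stmt->fetchColumn();
    return $path === false ? null : (string) $path;
}

// Constructed sample data: user 42 is given a link to abc.pdf.
$token = issueToken($db, '/srv/files/abc.pdf', 42);
echo "download.php?t=$token\n";
var_dump(resolveToken($db, $token, 42));    // the user the token was issued to
var_dump(resolveToken($db, $token, 7));     // a different logged-in user
var_dump(resolveToken($db, 'abc.pdf', 42)); // a raw file name instead of a token
```

The file path is chosen when the token is issued and is never read from the request, so the check on the current user is what controls access; the token only keeps the real identifiers out of the URL.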

2
jasonlam604 On

This repeats some of the info answered by others:

  1. Use POST; this only removes the ability to read the data in the query URL, but it is still in clear text.

  2. Ensure SSL is enabled for transport encryption.

  3. Use encryption at the message layer; the actual text itself can be encrypted if you so desire.

  4. Extra note: if the data is that sensitive and is stored at rest, say in a DB, you may want to encrypt it there as well.

Basically "defense in depth" is the approach; there is never a silver bullet.