 hash an external link

9/15/2016 6:55:51 PM
PHPRunner General questions
mtpocket author

Hi,
How can I hash an external link?
I send an email from my view page & receive the email with the link "http://localhost:8085/clmain_view.php?editid1=1"; but I want it to be hashed, else I expose the rest of the database.
This is an example I've come across below but I'm not amending a record, just a simple view record.
if ($_REQUEST["hash"])
{
    // Mark the record matching the hash from the link as confirmed
    CustomQuery("Update Table_1 SET Confirm='Yes' WHERE hash = '".addslashes($_REQUEST["hash"])."'");
    header("Location: Thankyoupage.php");
}
& the link should look like example below.

http://test/view.php?hash=kjhd7sklf03kjsjd3md
Thanx

:)

romaldus 9/15/2016





Encrypting the URL parameter requires some custom code and is risky (not secure), unless you have strong knowledge of cryptography.

The easiest solution: do not use an integer (autonumber) as the primary key. Use a random string instead.

For example, set your ID field as varchar (60).
In the event, use the following code to generate a random string of 30 characters (or any length you want):

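function my_random_string($length=30)
{
    // Alphabet of 62 characters: digits, upper-case and lower-case letters
    $chars ="1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    $final_rand='';
    // Append one randomly chosen character per iteration
    for($i=0;$i<$length; $i++)
    {
        $final_rand .= $chars[ rand(0,strlen($chars)-1)];
    }
    return $final_rand;
}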


and then,

$values["ID"] = my_random_string();


Sample result:

http://localhost:8085/clmain_view.php?editid1=hmF6R7Sij2AGQiE0gFdcpFyjLehsHY


If a 30-character random string is not enough, set it to 40 or 50. It's almost impossible to predict.
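The generator above relies on `rand()`, which PHP documents as not cryptographically secure. The following added example (not part of the original post) puts the thread's function next to a variant built on `random_int()`, which needs PHP 7 or later; `secure_random_id`, `ID_CHARS` and the seed value are assumptions made for the illustration, while the alphabet and the 30-character length are the thread's.

```php
<?php
// Added example, not the thread's code. Names other than my_random_string()
// are hypothetical; the alphabet and default length come from the thread.
const ID_CHARS = '1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// The thread's generator: rand() is a seeded, non-cryptographic PRNG.
function my_random_string($length = 30)
{
    $chars = ID_CHARS;
    $final_rand = '';
    for ($i = 0; $i < $length; $i++) {
        $final_rand .= $chars[rand(0, strlen($chars) - 1)];
    }
    return $final_rand;
}

// Same interface, but every character is drawn from the OS CSPRNG.
// random_int() is uniform over the range, so there is no modulo bias.
function secure_random_id(int $length = 30): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be at least 1');
    }
    $chars = ID_CHARS;
    $max = strlen($chars) - 1;
    $id = '';
    for ($i = 0; $i < $length; $i++) {
        $id .= $chars[random_int(0, $max)];
    }
    return $id;
}

// Re-seeding rand() replays the same "random" ID, so its strength is bounded
// by the generator's seed and state, not by the 30 characters.
srand(1234);                        // constructed seed for the demonstration
$first = my_random_string();
srand(1234);
$replayed = my_random_string();
echo 'rand() replay identical: ', var_export($first === $replayed, true), "\n";

// random_int() has no seed to replay; length and alphabet set the search space.
printf("entropy of 30 chars from 62: %.1f bits\n", 30 * log(strlen(ID_CHARS), 2));
echo 'secure id: ', secure_random_id(), "\n";

// In the Before record added event, as in the thread:
// $values["ID"] = secure_random_id();
```

An unguessable ID only protects the view URL itself; which pages a guest may open is still decided by the application's permissions.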

mtpocket author 9/16/2016

Thanx Romaldus will try later. :)




romaldus 9/16/2016





If you want to use the my_random_string() function in more than one table, just put that function in a global session, like the After Successful Login or After Application Initialized event.

mtpocket author 9/17/2016

Hi Romaldus,
If this goes before record added.
function my_random_string($length=30)
{
    $chars ="1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    $final_rand='';
    for($i=0;$i<$length; $i++)
    {
        $final_rand .= $chars[ rand(0,strlen($chars)-1)];
    }
    return $final_rand;
}
Where would the below go?
$values["ID"] = my_random_string();
Thanks




romaldus 9/17/2016





Also in the Before record added event, just after the my_random_string function.

mtpocket author 9/19/2016

Thanks Romaldus, it worked like a charm.

:)




mtpocket author 9/22/2016

Hi,
This code has hashed the record ID successfully and this is what the link displays,

localhost/CashBackupview.php?editid1=TNFwH5KO49uqlBjdsH1aN4S5haHvqS. This email link will be sent to external people (guests) to view the viewpage. By removing / changing some characters I can expose my entire list page as well. The link can change to localhost/CashBackuplist.php. How can I provide guest view permissions only?
My guest permissions I've set to List/View but would like view & not list.
Thanks


romaldus 9/22/2016







Easy. For that purpose, you can create a custom view in PHPRunner.