It’s good application development practice to hide or encrypt the query string shown in the address bar, which helps prevent unauthorized use of URL variables. It also improves application security (e.g. it helps prevent SQL injection through URL tampering).
Here I’m going to implement query string encryption. For that, I’m using the following CF methods:
- encrypt()
- decrypt()
- urlEncodedFormat()
- urlDecode()
Code to encrypt the query string

    <cffunction name="urlEncryptEncode" output="false" access="public" returntype="String" hint="to encrypt and encode the url variables and values">
        <cfargument name="strQueryString" type="string" required="yes" default="">
        <cfscript>
            var strEncrQueryString = "";
            try
            {
                /* Checking whether the URL string is empty or not */
                if(len(arguments.strQueryString))
                {
                    /* Encrypting & encoding the URL variables */
                    strEncrQueryString = urlEncodedFormat(encrypt(arguments.strQueryString,CLIENT.CFID));
                }
            }
            catch(any ex)
            {
                writeDump(ex.detail);
            }
            return strEncrQueryString;
        </cfscript>
    </cffunction>

The function urlEncryptEncode receives the query string as its input parameter and returns the encrypted query string as the result. Below are the steps involved in urlEncryptEncode().
Step 1 : Encrypt the input string, using CLIENT.CFID as the key.
Note : You need to activate client management in application.cfc/application.cfm.
Step 2 : Convert the encrypted query string into URL-encoded format, using urlEncodedFormat().
Step 3 : Return the result.
Code to decrypt the query string

    <cffunction name="urlDecodeDecrypt" output="true" access="public" returntype="void" hint="to get the original url variable and values">
        <cfargument name="strQueryString" type="string" required="yes" default="">
        <cfscript>
            try
            {
                if(len(trim(arguments.strQueryString)))
                {
                    structClear(url);
                    /* Decode & decrypt the encoded query string */
                    local.strDecodedURL = decrypt(urlDecode(arguments.strQueryString),CLIENT.CFID);
                    local.arrayDecodedURL = listToArray(local.strDecodedURL,"&");
                    /* local.intIndex keeps the loop counter out of the shared variables scope */
                    for(local.intIndex = 1;local.intIndex lte arrayLen(local.arrayDecodedURL);local.intIndex = local.intIndex + 1)
                    {
                        /* If the URL variable has a value */
                        if(listLen(local.arrayDecodedURL[local.intIndex],"=") eq 2)
                        {
                            structInsert(URL,listGetAt(local.arrayDecodedURL[local.intIndex],1,"="),listGetAt(local.arrayDecodedURL[local.intIndex],2,"="),true);
                        }
                        else
                        {
                            structInsert(URL,listGetAt(local.arrayDecodedURL[local.intIndex],1,"="),"",true);
                        }
                    }
                }
            }
            catch(any ex)
            {
                writeDump(ex.detail);
            }
        </cfscript>
    </cffunction>

The function urlDecodeDecrypt receives the encrypted query string as its input parameter. Instead of returning the result, it outputs the result directly to the calling page. urlDecodeDecrypt() performs the opposite of urlEncryptEncode(). Below are the steps involved in urlDecodeDecrypt().
Step 1 : Clear the URL structure.
Step 2 : Decode the encrypted query string, using urlDecode().
Step 3 : Decrypt the decoded string, using CLIENT.CFID as the key.
Now we have the original query string and are going to assign it to the URL structure.
Step 4 : Convert the query string list to an array.
Step 5 : Loop over the array, treating each array element as a list with ‘=’ as the delimiter.
Step 6 : Insert the array elements into the URL structure as key-value pairs.
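
A hardened variant of the two functions above, added here as an example and not the original author's code: the two-argument encrypt() call falls back to the default CFMX_COMPAT algorithm and CLIENT.CFID is also sent to the browser, so this version uses AES with a server-side key plus an HMAC that rejects any modified value. It assumes ColdFusion 10 or later (for hmac()) and two hypothetical application-scope keys, application.qsEncKey and application.qsMacKey, created once with generateSecretKey("AES").

```cfml
<cfscript>
// Added example. application.qsEncKey and application.qsMacKey are hypothetical names for
// keys created once in onApplicationStart() via generateSecretKey("AES"); they stay server-side.

string function qsProtect(required string qs) {
    // No IV argument: ColdFusion generates a random IV for CBC and prepends it to the output.
    var ct = encrypt(arguments.qs, application.qsEncKey, "AES/CBC/PKCS5Padding", "Hex");
    // Encrypt-then-MAC: the tag covers the ciphertext, so any edit to it is detected.
    var tag = hmac(ct, application.qsMacKey, "HMACSHA256");
    // Hex characters and "." are URL-safe, so urlEncodedFormat() is not needed here.
    return ct & "." & tag;
}

struct function qsUnprotect(required string token) {
    var result = {};
    var digest = createObject("java", "java.security.MessageDigest");
    if (listLen(arguments.token, ".") neq 2) {
        throw(type="QueryString.Invalid", message="Malformed query string token");
    }
    var ct = listFirst(arguments.token, ".");
    var expected = uCase(hmac(ct, application.qsMacKey, "HMACSHA256"));
    var supplied = uCase(listLast(arguments.token, "."));
    // Verify the tag before decrypting; MessageDigest.isEqual compares in constant time.
    if (!digest.isEqual(charsetDecode(expected, "utf-8"), charsetDecode(supplied, "utf-8"))) {
        throw(type="QueryString.Tampered", message="Query string failed integrity check");
    }
    var qs = decrypt(ct, application.qsEncKey, "AES/CBC/PKCS5Padding", "Hex");
    for (var pair in listToArray(qs, "&")) {
        // listFirst/listRest keep a value that itself contains "=" intact.
        result[listFirst(pair, "=")] = listRest(pair, "=");
    }
    return result;
}

// Usage: build a link token, then restore the variables on the receiving page.
token = qsProtect("userId=42&next=a=b");   // constructed sample input
structAppend(url, qsUnprotect(token), true);
</cfscript>
```

Unlike urlDecodeDecrypt(), a failed check here raises an exception instead of dumping error detail to the page, so the caller decides how to respond to a modified link.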