PHP: Obfuscate Your Query Strings CodeUnit 19 OCT 2009

It is sometimes a good idea to obfuscate your query strings between web scripts, if only to prevent user URL tampering that could affect the outcome of your processing scripts. If you don’t need particularly strong security (i.e. non-reversible coded strings), then the following method could prove invaluable to you:

Firstly, replace your existing query string with a new singular string (I’ve named it ‘id’ for this demo’s sake). For easier processing, I suggest you fuse your query string into a single string, using an easily recognisable delimiter (like ‘||||’ in my example). Then, run what would have been your query string first through a base64_encode and then follow that up with a str_rot13 calculation to provide your ‘new’ obfuscated query string.

For example:
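// base64 output can contain '+', '/' and '=', so URL-encode the value before placing it in the link
$url = '/submitting_page.php?id=' . urlencode(str_rot13(base64_encode('localhost/index.php||||aerdg6||||fastcars')));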

Then, on the processing side of the receiving page, you first run a str_rot13 calculation on the encoded query string variable, followed up with a base64_decode to get it back into its original state.

From this point on it is a simple matter of exploding the resulting decoded string using the delimiter you previously selected, resulting in a nice usable array of values to work with.

For example:
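// Reverse the two steps in the opposite order: rot13 first, then base64
$querystring = base64_decode(str_rot13($_GET['id']));
// Split on the delimiter chosen on the sending side
$querystrings = explode('||||', $querystring);
$url = $querystrings[0];
$hash = $querystrings[1];
$table = $querystrings[2];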
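
The round trip above, as an added example that is not part of the original post. Because str_rot13 and base64_encode can be reversed by anyone, it also attaches an HMAC-SHA256 tag so the receiving page can tell when the value was edited. The names pack_query(), unpack_query(), SECRET_KEY, DELIM and the 'sig' parameter are assumptions made for this illustration.

```php
<?php
// Added example, not the post's own code. SECRET_KEY is a placeholder:
// use a long random value that never leaves the server.
const SECRET_KEY = 'replace-with-a-long-random-server-side-key';
const DELIM = '||||';

function pack_query(array $values): string
{
    foreach ($values as $v) {
        // A value containing the delimiter would shift every later field.
        if (strpos($v, DELIM) !== false) {
            throw new InvalidArgumentException('value contains the delimiter');
        }
    }
    // The post's obfuscation step: base64 first, then rot13.
    $blob = str_rot13(base64_encode(implode(DELIM, $values)));
    // Integrity tag over the obfuscated blob, keyed with the server secret.
    $tag = hash_hmac('sha256', $blob, SECRET_KEY);
    // base64 can emit '+', '/' and '=', so the value must be URL-encoded.
    return 'id=' . rawurlencode($blob) . '&sig=' . $tag;
}

function unpack_query(array $get): ?array
{
    $blob = $get['id'] ?? '';
    $sig  = $get['sig'] ?? '';
    if (!is_string($blob) || !is_string($sig)) {
        return null; // id[]=... style input arrives as an array
    }
    // Constant-time comparison; reject before decoding anything.
    if (!hash_equals(hash_hmac('sha256', $blob, SECRET_KEY), $sig)) {
        return null;
    }
    $plain = base64_decode(str_rot13($blob), true); // strict mode
    return $plain === false ? null : explode(DELIM, $plain);
}

// Constructed sample input, reusing the values from the post.
$qs = pack_query(['localhost/index.php', 'aerdg6', 'fastcars']);
parse_str($qs, $get);            // stands in for $_GET on the receiving page
var_dump(unpack_query($get));    // the three original fields

// A visitor re-encodes an edited value but cannot recompute the tag.
$get['id'] = str_rot13(base64_encode('localhost/index.php||||aerdg6||||users'));
var_dump(unpack_query($get));
```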


About Craig Lotter

South African software architect and developer at Touchwork. Husband to a cupcake baker and father to two little girls. I don't have time for myself any more.