Disguising/encrypting a querystring variable

D. Shane Fowlkes

I'm trying to come up with a simple approach to disguise or encrypt a
querystring variable. The variable is a record ID. To my surprise, I'm
not having much luck finding a solution. I've been to www.asp.net and
googled some and wasn't able to come up with a simple and realistic
solution.

I have a master page that lists records and then a details page pulls
detailed data from tables in the database. The details page must
have a QS variable passed to it like "details.aspx?id=100". The master page
is populated based upon who is viewing it so therefore, not everyone will
see the same list. What I'm trying to prevent is having someone simply
replace the variable in the querystring with another one and view someone
else's detailed data.

I simply want to disguise the variable on the sending page to anything like
"details.aspx?id=ahiyne090793097hjkd" and then be able to "uncode" it or
read it on the receiving page. Make sense?

Is there a fairly simple and effective solution to doing this? Anything
that I've found out there just seemed to involve tons of custom class
writing (beyond me) and a lot of overkill. It doesn't need to be super
secure.....just disguised.

TIA
 
Why don't you create a couple of global functions for your application
(doesn't need to involve a custom class or anything) that you call to
encrypt and decrypt the ID as needed? You'd decide on and implement your
encryption scheme within these functions.

Another way, albeit a little more complicated, would be to hash the ID value
and store it as a secondary key within the database.
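
A pair of helper functions of the kind suggested above, as an added example that is not code from the thread: instead of encrypting, it appends an HMAC-SHA256 computed over the user name and the record ID, so the details page can reject a link whose ID was edited or that was issued to a different user. Assumptions: .NET Core 2.1 or later; the `RecordToken` class, its method names, the demo key and the user names are all hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class RecordToken
{
    // Assumption: a real application loads this key from protected
    // configuration; the value here is constructed for the demo.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("constructed-demo-key-change-me-32b");

    // Builds "<id>.<mac>", where the MAC covers the user name and the record ID.
    public static string Protect(int recordId, string userName) =>
        recordId + "." + Mac(recordId, userName);

    // Succeeds only if the token carries a MAC issued for this user and this ID.
    public static bool TryUnprotect(string token, string userName, out int recordId)
    {
        recordId = 0;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2 || !int.TryParse(parts[0], out int id)) return false;
        byte[] expected = Encoding.ASCII.GetBytes(Mac(id, userName));
        byte[] actual = Encoding.ASCII.GetBytes(parts[1]);
        // Constant-time comparison; also returns false when lengths differ.
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return false;
        recordId = id;
        return true;
    }

    private static string Mac(int recordId, string userName)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] data = Encoding.UTF8.GetBytes(userName + "\n" + recordId);
            // URL-safe Base64 so the value fits in a query string unescaped.
            return Convert.ToBase64String(hmac.ComputeHash(data))
                .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }

    public static void Main()
    {
        string token = Protect(100, "alice");  // link built on the master page
        Console.WriteLine("details.aspx?id=" + token);
        Console.WriteLine(TryUnprotect(token, "alice", out _));  // same user
        Console.WriteLine(TryUnprotect(token, "bob", out _));    // another user's session
        string forged = "101" + token.Substring(token.IndexOf('.'));
        Console.WriteLine(TryUnprotect(forged, "alice", out _)); // ID swapped, MAC kept
    }
}
```

The record ID stays readable in the URL; what changes is that it can no longer be swapped. The details page should still confirm in its database query that the record belongs to the logged-in user.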
 
You could try to use a GUID (uniqueidentifier in SQL Server) instead of
an autonumber id. Then the "hackers" can't just "add 1" and hope
to get a real id.

Hans Kesting
 
Great. Thanks! Is this in C#? I'm used to VB.NET so the syntax looks a
little off to me. I'll do my best to convert it and try it out. I may be
back on Monday for more help. =)
 
Why not forget about using a QS?
Just create a session variable on Page1 and pull it out on Page2.
 