If I have a website and the URL is www.example.com/mainpage.cfm?id=0123&app=2, how can I hide the id=0123 and app=2 so the user won't be able to change these variables?
I am looking at a complex program written by someone before me and he is passing these variables from page to page through the URL. I am just looking for a quick fix because I don't want to rewrite this entire program.
Here is how you encode it:
#URLEncodedFormat(Encrypt(id, "#key#"))#
The id is the variable, and the key can be anything (used as a certificate to encode and decode).
To Decode:
<cfset url.id = Decrypt(url.id, "#key#")>
Again the key variable would be the same variable as the one to encode.
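As an added illustration of the idea in this answer (not code from the original post, and written in Python rather than CFML so it can be run anywhere), here is the same "key the server knows, the user does not" approach done with an HMAC instead of encryption: the id and app values stay readable, but any change to them is detected on the next page instead of decrypting to garbage. The secret key and the parameter names are constructed for the demo; the key must live server-side, and this complements, not replaces, checking that the logged-in user may access the requested id.

```python
# Added example: tamper-evident URL parameters via HMAC-SHA256.
# The secret below is a constructed sample; in a real deployment it is
# generated once and kept out of the page source and the URL.
import hmac
import hashlib
from urllib.parse import urlencode, parse_qsl

SECRET = b"constructed-demo-secret-keep-this-server-side"


def _canonical(params: dict) -> str:
    """Stable, order-independent form of the parameters that gets signed."""
    return urlencode(sorted(params.items()))


def sign_params(params: dict, key: bytes = SECRET) -> str:
    """Build a query string carrying params plus a 'sig' tag over them."""
    tag = hmac.new(key, _canonical(params).encode(), hashlib.sha256).hexdigest()
    return urlencode(sorted(params.items()) + [("sig", tag)])


def verify_params(query: str, key: bytes = SECRET):
    """Return the parameters as a dict if the tag matches, otherwise None.

    A missing tag, a changed value, or a different key all yield None,
    so the receiving page can abort instead of acting on a forged id.
    """
    sig = None
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "sig":
            sig = value
        else:
            params[name] = value
    if sig is None:
        return None
    expected = hmac.new(key, _canonical(params).encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the match position through timing.
    if not hmac.compare_digest(expected, sig):
        return None
    return params


if __name__ == "__main__":
    link = sign_params({"id": "0123", "app": "2"})   # what mainpage.cfm would emit
    print(link)
    print(verify_params(link))                        # {'app': '2', 'id': '0123'}
    print(verify_params(link.replace("id=0123", "id=0124")))  # None: tampered
```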
How about using the hashids library? http://www.hashids.org/coldfusion/
In addition to ColdFusion, the library is available in JavaScript, Ruby, Python, Java, PHP, Perl, CoffeeScript, Objective-C, C++, Go, Lua, Elixir, Node.js and .NET. This makes it extremely easy to use with other languages and even dynamically generate IDs on the client-side.
<cfscript>
hashids = new Hashids(salt="this is my salt"
,minLen=8
,alphabet="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890");
id_to_hash = listtoArray("1"); // try "1,2,3" and "3,2,1" and "1,1,1"
writeoutput('original = #arrayToList(id_to_hash)#<br>');
hashed_id = hashids.encrypt(id_to_hash);
writeoutput('hash = #hashed_id#<br>');
unhashed_id = arraytolist(hashids.decrypt(hashed_id));
writeoutput('unhashed = #unhashed_id#<br>');
</cfscript>
What is the problem with people changing the ID?
Certainly, they may find themselves on pages that don't exist, and you need to do some cfif generic catching to prevent errors, whether your pages are stored as files associated to the numbers or as files in a database.
You could make keys for pages that were otherwise nonsensical, like just a straight hash with simple salting of the number (like hash("1blueplug") becomes a79ea61e3b69d54a008772bcaf0fb398). Store the hash in the database or as filenames or whatever. Since they won't know your salt (blueplug here), they have no real way to get to pages they shouldn't be on.
I wouldn't be bothered by my users changing the parameter on my website and disrupting their own experience. Pages should have the necessary checking, such as making sure that a form was really submitted.
Beyond that, what sort of pages are they able to access that's doing more harm than disrupting their own experience? If the pages they're accessing are some sort of security concern (administrative or other users' pages), it's time to consider a new application.
Here is a quick and dirty way to do it. I learned this once a long time ago, but the original web page that described it was taken down. So, from memory, here is about the same thing:
<cfset email = "test@myemail.com">
<cfset algorithmkey = "typeanythingdoesnotmatter123">
<cfoutput>#email#</cfoutput><br>
<cfset test = #encrypt(email, algorithmkey, "CFMX_COMPAT", "HEX")#>
<cfoutput>#test#</cfoutput><br>
<cfset emailagain = #decrypt(test, algorithmkey, "CFMX_COMPAT", "HEX")#>
<cfoutput>#emailagain#</cfoutput><br>
If you save the above into a CFM template you'll get the following output:
test@myemail.com
650CEDC7328BA59A21980793329A73F6
test@myemail.com
Unless the person attempting to hack the value knows your algorithmkey = "typeanythingdoesnotmatter123", it will be hard to decipher the value and thus replace it with anything that would work in its place for those fishing around for ids or something from other accounts.
I think I found a better solution.
Using FindNoCase(CGI.SERVER_NAME, CGI.HTTP_REFERER, 1) lets me know if anything in the URL has changed. I can apply this as follows:
<cfif FindNoCase(CGI.SERVER_NAME, CGI.HTTP_REFERER, 1) eq 0>
<cfabort>
<cfelse> enter code here...
</cfif>
Source: https://stackoverflow.com/questions/25207759/hide-encrypt-url-variables-in-coldfusion