Re: Simple URL encoding technique?
 
David Segall wrote:
> Arne Vajhøj <arne@vajhoej.dk> wrote:
>> David Segall wrote:
>>> My JSP application asks users to visit a web site with a URL of the
>>> form <www.example.com?column=100&row=200>. This makes it far too easy
>>> for an intruder to derive a different column and row that may yield a
>>> real location to which they should not have access. Is there an
>>> existing method that can "obfuscate" (and de-obfuscate) the column and
>>> row number? It is easy to concatenate the row and column numbers if
>>> that is a desirable first step. I don't need a high level of security
>>> because there is nothing of real value at the destination; I just
>>> want to foil a casual vandal.
>>
>> 1)  you can left zero pad to 4 digits and concatenate 100 and 200
>>     to "01000200", which you can then 3DES or AES encrypt with a
>>     secret key and hexify - and dehexify and decrypt again
>
> Thanks Arne. Hexify(column * 16384 + row) will do nicely. I don't
> think I need the encryption. Is there a "standard" routine to convert
> an integer to a hexadecimal string and back?

    int iv = 123;
    String sv2;
    sv2 = Integer.toHexString(iv);

and

    String sv = "7b";
    int iv2;
    iv2 = Integer.parseInt(sv, 16);

are two possibilities.

>> 2)  but you should really implement security instead of obscurity -
>>     you should validate a user's access to data when it is submitted
>
> The application is comparable to "click on this link to confirm your
> subscription". I don't want to inconvenience the user by requiring
> extra information but I also want to minimise the possibility that one
> user can derive valid parameters that belong to someone else.

Your app => your choice.
Arne
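
The following is an added example, not code from the thread. It carries out option 1 above (zero-pad, concatenate, encrypt with a secret key, hexify, then reverse it), using AES in GCM mode as a swapped-in choice so that a token edited in the URL is rejected instead of decoding to some other column and row. The class name `LocationToken`, its method names and the randomly generated demo key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example; LocationToken and its method names are hypothetical. Needs Java 17+ (HexFormat).
public class LocationToken {
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    // Pads to "01000200" as in the thread, then returns hex(nonce || ciphertext || tag).
    static String encode(SecretKey key, int column, int row) throws GeneralSecurityException {
        if (column < 0 || column > 9999 || row < 0 || row > 9999)
            throw new IllegalArgumentException("column and row must fit in 4 digits");
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);                        // fresh nonce for every token
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        String padded = String.format(Locale.ROOT, "%04d%04d", column, row);
        byte[] ct = c.doFinal(padded.getBytes(StandardCharsets.US_ASCII));
        return HexFormat.of().formatHex(nonce) + HexFormat.of().formatHex(ct);
    }
    // Returns {column, row}; throws if the token is malformed or was altered.
    static int[] decode(SecretKey key, String token) throws GeneralSecurityException {
        byte[] raw = HexFormat.of().parseHex(token); // IllegalArgumentException on non-hex input
        if (raw.length != NONCE_LEN + 8 + TAG_BITS / 8)
            throw new GeneralSecurityException("unexpected token length");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, raw, 0, NONCE_LEN));
        String s = new String(c.doFinal(raw, NONCE_LEN, raw.length - NONCE_LEN), StandardCharsets.US_ASCII);
        return new int[] { Integer.parseInt(s.substring(0, 4)), Integer.parseInt(s.substring(4)) };
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();            // demo key; a real app loads one stored secret
        String token = encode(key, 100, 200);
        int[] cr = decode(key, token);
        System.out.println(token + " -> column=" + cr[0] + ", row=" + cr[1]);
        // Change the last hex digit, as someone editing the URL would: the GCM tag check fails.
        char last = token.charAt(token.length() - 1);
        String tampered = token.substring(0, token.length() - 1) + (last == '0' ? '1' : '0');
        try { decode(key, tampered); System.out.println("tampered token accepted"); }
        catch (GeneralSecurityException e) { System.out.println("tampered token rejected"); }
    }
}
```

By contrast, every value of `Integer.toHexString(column * 16384 + row)` decodes to some column and row, so changing a digit in the URL simply selects another location; the token above only keeps values from being guessed and does not replace the access check in option 2.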
  
  