One of the great things about working for a design company is that you are very focused in your day-to-day activities. With my previous employer I was a developer, administrator, sales & marketing, customer service and tech support. I wore many hats and never got to play with ColdFusion as much as I wanted to.
But all this has changed! The guys (and gal) on our design team are first rate and thanks to them I’m hardening my skills and picking up new tricks here and there.
One of these tricks involves the cfusion_encrypt() and cfusion_decrypt() functions. These two functions are undocumented and might not be available to users on shared hosting plans since they are part of the ColdFusion backend & management. So you’re forewarned to test before rushing out and deploying it on a production environment.
What sets cfusion_encrypt() and cfusion_decrypt() apart from their documented counterparts, encrypt() and decrypt(), is that the resulting encrypted string contains only letters and numbers. That makes it ideal for URLs and for inserting data into a database, but not for passwords or other more sensitive information.
So do yourself a favor and don’t use these functions for really important data, like passwords or private information. BUT they are great for encrypting your URL strings, thereby hiding your variables and possibly preventing a SQL injection attack on your site.
To do this just follow this bit of code.
First you need to encrypt your URL string like so:
The above code will take the “show=userData&secretid=#secretid#&userid=#userID#” and encrypt it into a URL friendly string. The “MyPassw0rd” portion of this function is the key to locking and unlocking this string. Without this key I can’t unlock the encrypted string, and neither can anyone else.
Now when a user clicks on this link their URL should look something like:
http://www.example.com/index.cfml?pass=JLASW5UTHOUHIUGL9STIASLAV4ECLA91ATR6EMLAJLE37UQIET9AMLE6IEM9AGOE
Now since it’s encrypted you’ll need to decrypt the string and then make the variables something you can actually use.
For this we use the following bit of code:
The above code first sets our decrypted string to the variable “thisURLString”. Then we loop over the decrypted string and reset the variables as local variables within our page. You could set these to any scoped variable you desire, such as URL, SESSION or even APPLICATION.
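The two steps described above can be put together as follows. This is an added example, not the article's original code: the datasource myDSN, the users table and its username column are assumed names, and the receiving page allow-lists parameter names and binds userid with cfqueryparam because an obscured URL does not by itself validate the values it carries.

```cfml
<!--- Added example: myDSN, users and username are hypothetical names. --->

<!--- 1. Linking page: URL-encode each value, then encrypt the whole query string. --->
<cfset plainQuery = "show=userData&secretid=#URLEncodedFormat(secretid)#&userid=#URLEncodedFormat(userID)#">
<cfset encQuery = cfusion_encrypt(plainQuery, "MyPassw0rd")>
<cfoutput><a href="index.cfml?pass=#encQuery#">View user data</a></cfoutput>

<!--- 2. Receiving page (index.cfml): decrypt, then accept only expected names. --->
<cfparam name="url.pass" default="">
<cfset allowedNames = "show,secretid,userid">
<cfset params = structNew()>
<cftry>
    <cfset thisURLString = cfusion_decrypt(url.pass, "MyPassw0rd")>
    <cfcatch type="any">
        <!--- Treat input that cannot be decrypted as an empty request. --->
        <cfset thisURLString = "">
    </cfcatch>
</cftry>

<cfloop list="#thisURLString#" delimiters="&" index="pair">
    <cfset paramName = listFirst(pair, "=")>
    <!--- Store into a struct instead of creating arbitrary page variables. --->
    <cfif listLen(pair, "=") EQ 2 AND listFindNoCase(allowedNames, paramName)>
        <cfset params[paramName] = URLDecode(listLast(pair, "="))>
    </cfif>
</cfloop>

<!--- 3. Validate the value's type before use; the encrypted URL does not do this. --->
<cfif NOT structKeyExists(params, "userid") OR NOT isValid("integer", params.userid)>
    <cfabort>
</cfif>

<!--- 4. Bind the value as a parameter rather than concatenating it into SQL. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT username
    FROM users
    WHERE userid = <cfqueryparam value="#params.userid#" cfsqltype="cf_sql_integer">
</cfquery>
```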
The idea here is to use this not for 100% application security but more as a hurdle for people to overcome and possibly prevent SQL Injection attacks. It’s also a great way to hide the inner workings of your site.
Enjoy, and if you have a cool trick, be sure to post it in the ColdFusion Forums here at SitePoint.com.







Good deal. I’ve never heard of these functions before… where did you find them?
July 8th, 2004 at 10:28 am
These are undocumented functions that are used in the ColdFusion Administrator. If you search for “undocumented ColdFusion functions” on Google, you’ll turn up quite a few results… ;)
July 8th, 2004 at 10:57 am
Mark, here are a couple of articles by Forta that you may want to read:
http://www.sys-con.com/coldfusion/article.cfm?id=500
http://www.sys-con.com/coldfusion/article.cfm?id=589
Needless to say, these undocumented features must be used with caution, as Ben points out…
July 8th, 2004 at 3:15 pm
Another way to use this method.
I took the method above and used IP ADDRESS for the key. Now I can stop people from sharing URLs to sections of my site that are for paid subscribers. Thanks for the help!
July 30th, 2004 at 6:32 pm
Damn, that’s really slick, what a great way to encode url parameters. Thanks
March 25th, 2005 at 7:08 pm
This is exactly what I’ve been looking for. Much easier and quicker to implement than using JavaScript. Thanks!
June 15th, 2005 at 3:38 pm
SWEET!
June 29th, 2005 at 2:09 pm
Great solution! You da man! I couldn’t find the articles that Forta about these functions though.
August 19th, 2006 at 11:37 am
Sorry, it looks like I can’t form complete sentences either.
August 19th, 2006 at 11:38 am