Encryption with a twist

One of the great things about working for a design company is that you are very focused in your day to day activities. With my previous employer I was a developer, administrator, sales & marketing, customer service and tech support. I wore many hats and never got to play with ColdFusion as much as I wanted to.

But all this has changed! The guys (and gal) on our design team are first rate and thanks to them I’m hardening my skills and picking up new tricks here and there.

One of these tricks involves the cfusion_encrypt() and cfusion_decrypt() functions. These two functions are undocumented and might not be available to users on shared hosting plans since they are part of the ColdFusion backend & management. So you’re forewarned to test before rushing out and deploying it on a production environment.

The reason cfusion_encrypt() and cfusion_decrypt() are unique and different from there documented encrypt() and decrypt() functions is because the resulting encrypted string will contain only letters and numbers. Therefore it’s ideal for URL’s and inserting data into a database, but not for passwords or other more sensitive information.

So do yourself a favor and don’t use these functions for really important data, like passwords, or private information. BUT they are great for encrypting your URL strings thereby hiding your variables and possibly preventing a SQL injection attack on your site.

To do this just follow this bit of code.

First you need to encrypt your URL string like so:

The above code will take the “show=userData&secretid=#secretid#&userid=#userID#” and encrypt it into a URL friendly string. The “MyPassw0rd” portion of this function is the key to locking and unlocking this string. Without this key I can’t unlock the encrypted string, and neither can anyone else.

Now when a user clicks on this link their URL should look something like:

http://www.example.com/index.cfml?pass=JLASW5UTHOUHIUGL9STIASLAV4ECLA91ATR6EMLAJLE37UQIET9AMLE6IEM9AGOE

Now since it’s encrypted you’ll need to decrypt the string and then make the variables something you can actually use.

For this we use the following bit of code:



a:: #listFirst(thisVar,'=')# = #listLast(thisVar,'=')#

The above code first sets our decrypted string to the variable “thisURLString”. Then we loop over this string, after it’s been decrypted, we reset the variables as local variables within our page. You could set these to any scoped variable you desire, such as URL, SESSION or even APPLICATION.

The idea here is to use this not for 100% application security but more as a hurdle for people to overcome and possibly prevent SQL Injection attacks. It’s also a great way to hide the inner workings of your site.

Enjoy and if you have a cool trick be sure to post it in the ColdFusion Forums here at SitePoint.com

Free book: Jump Start HTML5 Basics

Grab a free copy of one our latest ebooks! Packed with hints and tips on HTML5's most powerful new features.

  • http://www.ryanguill.com Rynoguill

    good deal. ive never heard of these functions before… where did you find them?

  • http://www.delyrical.com davidjmedlock

    These are undocumented functions that are used in the ColdFusion Administrator. If you search for “undocumented ColdFusion functions” on Google, you’ll turn up quite a few results… ;)

  • http://www.delyrical.com davidjmedlock

    Mark, here are a couple of articles by Forta that you may want to read:

    http://www.sys-con.com/coldfusion/article.cfm?id=500

    http://www.sys-con.com/coldfusion/article.cfm?id=589

    Needless to say, these undocumented features must be used with caution, as Ben points out…

  • MLM MAILING LISTS

    These are undocumented functions that are used in the ColdFusion Administrator. If you search for “undocumented ColdFusion functions” on Google, you’ll turn up quite a few results… ;)

  • innovatn

    Another way to use this method.

    I took the method above and used IP ADDRESS for the key. Now I can stop people from sharing URLs to sections of my site that are for paid subscribers. Thanks for the help!

  • Rassmass

    Damn, that’s really slick, what a great way to encode url parameters. Thanks

  • Daryl Lackey

    This is exactly what I’ve been looking for. Much easier and quicker to implement that using javascript. Thanks!

  • Brad

    SWEET!

  • Mike

    Great solution! You da man! I couldn’t find the articles that Forta about these functions though.

  • Mike

    Sorry it looks like I cant form complete sentences either.