Encryption with a twist

By Eric Jones | ColdFusion

One of the great things about working for a design company is that you are very focused in your day-to-day activities. With my previous employer I was a developer, administrator, sales & marketing, customer service and tech support. I wore many hats and never got to play with ColdFusion as much as I wanted to.

But all this has changed! The guys (and gal) on our design team are first rate and thanks to them I’m hardening my skills and picking up new tricks here and there.

One of these tricks involves the cfusion_encrypt() and cfusion_decrypt() functions. These two functions are undocumented and might not be available to users on shared hosting plans, since they are part of the ColdFusion backend & management. So you're forewarned: test before rushing out and deploying this on a production environment.

The reason cfusion_encrypt() and cfusion_decrypt() are unique and different from the documented encrypt() and decrypt() functions is that the resulting encrypted string will contain only letters and numbers. Therefore it's ideal for URLs and for inserting data into a database, but not for passwords or other more sensitive information.

So do yourself a favor and don’t use these functions for really important data, like passwords, or private information. BUT they are great for encrypting your URL strings thereby hiding your variables and possibly preventing a SQL injection attack on your site.

To do this just follow this bit of code.

First you need to encrypt your URL string like so:

The above code will take "show=userData&secretid=#secretid#&userid=#userID#" and encrypt it into a URL-friendly string. The "MyPassw0rd" portion of this function is the key to locking and unlocking this string. Without this key I can't unlock the encrypted string, and neither can anyone else.

Now when a user clicks on this link their URL should look something like:

http://www.example.com/index.cfml?pass=JLASW5UTHOUHIUGL9STIASLAV4ECLA91ATR6EMLAJLE37UQIET9AMLE6IEM9AGOE

Now, since it's encrypted, you'll need to decrypt the string and then turn the result back into variables you can actually use.

For this we use the following bit of code:

    <cfset thisURLString = cfusion_decrypt(url.pass, "MyPassw0rd")>
    <cfloop list="#thisURLString#" delimiters="&" index="thisVar">
        <cfset "#listFirst(thisVar,'=')#" = "#listLast(thisVar,'=')#">
    </cfloop>

The above code first sets our decrypted string to the variable "thisURLString". Then we loop over the decrypted string and set each name=value pair as a local variable within our page. You could set these into any scope you desire, such as URL, SESSION or even APPLICATION.

The idea here is to use this not for 100% application security but more as a hurdle for people to overcome and possibly prevent SQL Injection attacks. It’s also a great way to hide the inner workings of your site.
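The round trip described above, written out in CFML as an added example (this is not code from the original post). Because anyone holding the key can produce a valid "pass" value, the receiving page still has to treat every decrypted name and value as untrusted input: only expected parameter names are accepted, each value is checked against a pattern, and the query uses cfqueryparam, which is what actually keeps a value out of the SQL text. The encryption remains the "hurdle" the post describes, not the defence. Assumptions: cfusion_encrypt()/cfusion_decrypt() exist on the server, the key lives in the application scope (set in Application.cfm, not shown), and index.cfm, myDSN, the users table and the sample IDs are placeholders.

```cfml
<!--- Added example, not the original post's code. Assumes the undocumented
      cfusion_encrypt()/cfusion_decrypt() are available on this server. --->

<!--- ===== Part 1: the page that builds the link ===== --->
<cfset secretID = 42>      <!--- constructed sample values --->
<cfset userID   = 1001>

<!--- Normally set once in Application.cfm; a key pasted into every page
      is the part most likely to leak. --->
<cfparam name="application.urlKey" default="MyPassw0rd">

<cfset plainQuery = "show=userData&secretid=#secretID#&userid=#userID#">
<cfset packed = cfusion_encrypt(plainQuery, application.urlKey)>

<!--- The output is alphanumeric today, but URL-encode it anyway so a
      change in the encoding cannot break the link later. --->
<cfoutput>
  <a href="index.cfm?pass=#urlEncodedFormat(packed)#">View user data</a>
</cfoutput>

<!--- ===== Part 2: index.cfm, the page that receives the link ===== --->
<cfparam name="url.pass" default="">

<!--- Allowlist of parameter names that may come in through the URL,
      each with the pattern its value must match. Anything else is dropped. --->
<cfset allowed = structNew()>
<cfset allowed["show"]     = "^(userData|userList)$">
<cfset allowed["secretid"] = "^[0-9]{1,10}$">
<cfset allowed["userid"]   = "^[0-9]{1,10}$">

<cfset params = structNew()>
<cfif len(url.pass)>
  <cfset thisURLString = cfusion_decrypt(url.pass, application.urlKey)>
  <cfloop list="#thisURLString#" delimiters="&" index="thisVar">
    <cfif listLen(thisVar, "=") GTE 2>
      <cfset thisName  = lCase(listFirst(thisVar, "="))>
      <!--- listRest keeps a value that itself contains "=" intact --->
      <cfset thisValue = listRest(thisVar, "=")>
      <cfif structKeyExists(allowed, thisName)
            AND reFind(allowed[thisName], thisValue)>
        <cfset params[thisName] = thisValue>
      </cfif>
    </cfif>
  </cfloop>
</cfif>

<!--- A tampered or wrongly-keyed "pass" decrypts to garbage that fails the
      checks above; treat that as a bad request rather than as input. --->
<cfif NOT (structKeyExists(params, "show") AND structKeyExists(params, "userid"))>
  <cfheader statuscode="400" statustext="Bad Request">
  <cfabort>
</cfif>

<!--- The bound parameter is the real SQL injection defence: the value never
      becomes part of the SQL text, whether or not the URL was obfuscated. --->
<cfquery name="getUser" datasource="myDSN">
  SELECT user_name, email
  FROM   users
  WHERE  user_id = <cfqueryparam value="#params.userid#" cfsqltype="cf_sql_integer">
</cfquery>
```

The loop deliberately writes into its own struct rather than using `<cfset "#name#" = value>`: a dynamic assignment lets whatever names appear in the decrypted string overwrite page variables, whereas the allowlist struct means a name the page does not expect is simply ignored.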

Enjoy, and if you have a cool trick, be sure to post it in the ColdFusion Forums here at SitePoint.com.

Written By:

Eric Jones

Eric is an avid ColdFusion developer and gamer who currently occupies a desk in Atlanta, GA, where he is a Senior Application Developer and lead developer for a new Open Source CMS. Eric also sits on the Board of Directors for his local CFUG.

10 comments

Mike August 19, 2006 at 11:38 am

Sorry, it looks like I can't form complete sentences either.

Mike August 19, 2006 at 11:37 am

Great solution! You da man! I couldn’t find the articles that Forta about these functions though.

Brad June 29, 2005 at 2:09 pm

SWEET!

Daryl Lackey June 15, 2005 at 3:38 pm

This is exactly what I've been looking for. Much easier and quicker to implement than using JavaScript. Thanks!

Rassmass March 25, 2005 at 7:08 pm

Damn, that’s really slick, what a great way to encode url parameters. Thanks

innovatn July 30, 2004 at 6:32 pm

Another way to use this method.

I took the method above and used IP ADDRESS for the key. Now I can stop people from sharing URLs to sections of my site that are for paid subscribers. Thanks for the help!

davidjmedlock July 8, 2004 at 3:15 pm

Mark, here are a couple of articles by Forta that you may want to read:

http://www.sys-con.com/coldfusion/article.cfm?id=500

http://www.sys-con.com/coldfusion/article.cfm?id=589

Needless to say, these undocumented features must be used with caution, as Ben points out…

davidjmedlock July 8, 2004 at 10:57 am

These are undocumented functions that are used in the ColdFusion Administrator. If you search for “undocumented ColdFusion functions” on Google, you’ll turn up quite a few results… ;)

Rynoguill July 8, 2004 at 10:28 am

Good deal. I've never heard of these functions before... where did you find them?
