Encryption with a twist

Eric Jones
Eric Jones

One of the great things about working for a design company is that you are very focused in your day to day activities. With my previous employer I was a developer, administrator, sales & marketing, customer service and tech support. I wore many hats and never got to play with ColdFusion as much as I wanted to.

But all this has changed! The guys (and gal) on our design team are first rate and thanks to them I’m hardening my skills and picking up new tricks here and there.

One of these tricks involves the cfusion_encrypt() and cfusion_decrypt() functions. These two functions are undocumented and might not be available to users on shared hosting plans since they are part of the ColdFusion backend & management. So you’re forewarned to test before rushing out and deploying it on a production environment.

The reason cfusion_encrypt() and cfusion_decrypt() are unique and different from there documented encrypt() and decrypt() functions is because the resulting encrypted string will contain only letters and numbers. Therefore it’s ideal for URL’s and inserting data into a database, but not for passwords or other more sensitive information.

So do yourself a favor and don’t use these functions for really important data, like passwords, or private information. BUT they are great for encrypting your URL strings thereby hiding your variables and possibly preventing a SQL injection attack on your site.

To do this just follow this bit of code.

First you need to encrypt your URL string like so:

The above code will take the “show=userData&secretid=#secretid#&userid=#userID#” and encrypt it into a URL friendly string. The “MyPassw0rd” portion of this function is the key to locking and unlocking this string. Without this key I can’t unlock the encrypted string, and neither can anyone else.

Now when a user clicks on this link their URL should look something like:


Now since it’s encrypted you’ll need to decrypt the string and then make the variables something you can actually use.

For this we use the following bit of code:

a:: #listFirst(thisVar,'=')# = #listLast(thisVar,'=')#

The above code first sets our decrypted string to the variable “thisURLString”. Then we loop over this string, after it’s been decrypted, we reset the variables as local variables within our page. You could set these to any scoped variable you desire, such as URL, SESSION or even APPLICATION.

The idea here is to use this not for 100% application security but more as a hurdle for people to overcome and possibly prevent SQL Injection attacks. It’s also a great way to hide the inner workings of your site.

Enjoy and if you have a cool trick be sure to post it in the ColdFusion Forums here at SitePoint.com