How to obscure the parameter of a url


1

I have urls being generated with a simple integer on the site that allows the user to see past orders.

http://site.com/order_id/145323

The problem is that it is very easy to just change that number and then view other people's orders. I am wondering what would be an easy way to encode this number in the url and then have the php decode it so it can run the controller? It does not have to be super secure, just something that makes it not so easy for someone to just change the number to see the data. I tried doing something like :

order_id/<?php echo base64_encode($theOrder); ?>

and then in the controller action I tried :

    if($orderId = (int) $this->getRequest()->getParam('order_id') && Mage::getSingleton('customer/session')->isLoggedIn()){
        $orderId = (int) $this->getRequest()->getParam('order_id');
        $orderId = base64_decode($orderId);
        $order = Mage::getModel('sales/order')->load($orderId);
        Mage::register('current_order', $order);
        $this->loadLayout();
        $this->renderLayout();
    }

but this doesn't work. What would be a good way to obscure this parameter in the url ?

2012-04-04 22:56
by Zac
Agree with PeeHaa, and also wanted to add that base64 isn't much of an obscuring. Most semi-techy people can recognise a base64 string (the '=' padding at the end in 2/3 of cases is the usual give away) - Matthew Scharley 2012-04-04 23:00
I understand this isn't a great solution and easy to hack, but better than what is there now. I would do PeeHaa's solution if I knew how but I don't have any idea where to begin to run a check like that and I need to get a temporary fix up quickly - Zac 2012-04-04 23:03
Other than being sort of high level wrong, your approach seems like it would accomplish what you want. Why doesn't it work? - Alan Storm 2012-04-05 01:17
Hi Alan, yes I am embarrassed by my solution. I was in a pinch. I got it to work but I am trying to figure out a better way - Zac 2012-04-05 02:26


6

You're doing it wrong. Instead of trying to obscure the id you just have to make sure (check on the backend) that the id belongs to the user.

And if the id doesn't belong to that user return a status code of either 403 Forbidden or simply 404 Not Found.

2012-04-04 22:57
by PeeHaa
Yes that would be better but I am looking for a band-aid fix until I upgrade the site. I am not sure how I would go about checking if the id belongs to the customer - Zac 2012-04-04 23:01
IMHO your band-aid solution isn't a solution, but rather a problem. You are already keeping track of what orders belong to what orders "I have urls being generated with a simple integer on the site that allows the user to see past orders". So a simple query to match the two would fix it - PeeHaa 2012-04-04 23:04


0

Surely if it's about people and orders, you will have a users table or datastore. When the random url is parsed, check if that order number belongs to the currently logged in user; if it does, allow the data, if not, return 'unauthorised, please login'.

EDIT

I'm not sure what your system entails, but running on pure assumption, this may be useful...

I'm assuming the USER makes the order. So I'm also assuming that there is an ORDERS table, where all the orders are stored and fetched from.

In the ORDERS table, you should store the user that made the order, say

USERS table
----------
user_id, username, password, full name, dob, etc

ORDERS table
----------
order_id, order_type, quantity, date_ordered, user_id

therefore you can use an SQL query to get the user associated with the order.

Something like SELECT username FROM users JOIN orders ON users.user_id = orders.user_id

then check the returned username against the currently logged in user.

I'm sorry if I'm insulting your intelligence, but I'm not sure exactly what you're after!

2012-04-04 23:58
by AlexMorley-Finch
Sure, I figured out how to make my hacky encoding work but I would like to pursue a better way to do this as you all suggest. Any links I can read up on or examples would be much appreciated - Zac 2012-04-05 00:13
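The ownership check that PeeHaa's and AlexMorley-Finch's answers describe, written as an added example for the Magento 1 controller action from the question (not code from either answer or from Magento itself). It assumes the `customer/session` singleton and the `sales/order` model's `customer_id` attribute from Magento 1; the controller class name is hypothetical.

```php
<?php
// Added example: authorization instead of obscurity for the order view action.
// Assumes a Magento 1 frontend controller; the class name is hypothetical.
class Custom_Orders_ViewController extends Mage_Core_Controller_Front_Action
{
    public function viewAction()
    {
        $session = Mage::getSingleton('customer/session');
        if (!$session->isLoggedIn()) {
            // Not logged in: redirect to the login page, render nothing.
            $session->authenticate($this);
            return;
        }

        // The id stays a plain integer in the URL; the check below is what
        // protects it, so encoding it buys nothing.
        $orderId = (int) $this->getRequest()->getParam('order_id');
        $order   = Mage::getModel('sales/order')->load($orderId);

        // Treat "no such order" and "someone else's order" the same way (404),
        // so the response does not reveal which ids exist.
        if (!$order->getId()
            || (int) $order->getCustomerId() !== (int) $session->getCustomerId()) {
            $this->_forward('noRoute');
            return;
        }

        Mage::register('current_order', $order);
        $this->loadLayout();
        $this->renderLayout();
    }
}
```

Logging the rejected (customer id, order id) pairs in the 404 branch gives a simple signal for spotting someone walking through order numbers.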


0

As others have said, the best way to fix this is to amend the way you're accessing the data, and put in a check that the order number from the request is linked to the user that's trying to access it.

But if you need a very quick fix, you can do a check to see if the request's HTTP_REFERER is set. If it's set, and it points back to a page on your site, then you can be reasonably sure that this is a legitimate request. If a user has modified the URL by amending the order number, the HTTP_REFERER will be empty.

It's not a perfect solution, but it'll definitely stop people being able to browse orders they shouldn't.

2012-04-05 18:05
by andrewsi