Home/ Questions/Q 4034208
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T11:56:36+00:00

I am passing $_GET[]; variables in a link but want to encrypt the values

  • 0

I am passing $_GET[]; variables in a link but want to encrypt the values in the url. I would normally use sessions but since I am not using a form and just a url what are my options. I am sure there is someway to exploit this method so I am trying to make it as secure as possible.

Below is my code:

$cost = "152.00";
<a href="registration.php?class=Spanish&age=4-6&time=3pm&cost=<?echo $cost; ?>">

and registration.php looks like

<?
$class = $_GET[class];
$age = $_GET[age];
$time = $_GET[time];
$cost = $_GET[cost];
?>

If I could use something like md5 to encode the values and then decode them on registration.php that would be good or if there is a way to pass $_session variables using <a> that would be good.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Is the page you’re linking to on the same site as the site you’re making the link from?

    If so, why not stick them in $_SESSION? This way, they’re stored on the server, where the user can never think of manipulating them.

    Another option is not actually encrypting the data, but signing it using an HMAC. If you’re using a modern version of PHP, you can use hash_hmac. On the link creation side:

    $validate = serialize(array( $class, $age, $time, $cost ));
$hmac = hash_hmac('sha1', $validate, 'secret key goes here');
$link = 'foo.php?...&validate=' . $hmac;

    … and on the other side:

    $validate = serialize(array( $_GET['class'], $_GET['age'], $_GET['time'], $_GET['cost'] ));
$hmac = hash_hmac('sha1', $validate, 'secret key goes here');
if($hmac != $_GET['validate']) {
    echo "No hacking!";
    exit;
}

    You should actually use this technique for option #3, which is: use POST, i.e. a form. This will deter casual users from changing the data.

    Option #4 is the best: storing all that sensitive data server-side to begin with, and referring to it by a unique identifier that the user sees. This keeps the data out of the user’s hands to begin with, meaning you never need to worry about the user tampering with it.

    • 0