I have a very simple encryption class using tripleDES to encrypt the query string for a particular page on my site. I do this to prevent people page scraping sequentially based on our database IDs.
Anyhow, I’ve used
this encryption method
However, it includes 3d% and some other special characters that shouldn’t be in a query string and are rejected by Url Scan for security purposes. There is a = in the actual encrypted string that is generated. I don’t want to change URL scan, but I was wondering if there is a way to limit the encryption characters for the tripleDES crypto provider or something. I know next to nothing about encyrption and I’m really just obfuscating the query string, so I’m open to other options regarding my encryption of the query string.
The methods you have linked use Base64 encoding to convert the encrypted byte array – which could have all kinds of "non-printable" bytes in it – into a form that will only contain
A–Z,a–z,0–9,+,/and=.However, these last 3 are not suitable for URLs.
You could do a simple
String.Replaceon the Base64 string, replacing these characters with URL-safe characters, e.g.+=>-,/=>_and==>.. You can even drop the=off the end completely, as they are only padding characters. (Making the first two substitutions and dropping the=is suggested by RFC3548.)Then simply reverse this replacement when you want to decrypt your string. If you dropped the
=completely, add=until the length of the string is a multiple of 4.