Discussions

 View Only
  • 1.  Replace record ID with other RNG based field for URL hacking

    Posted 12-30-2019 09:20
    Edited by Giuseppe Macri 12-30-2019 10:35
    Hi,

    The long and short of it is, i'd like to obfusticate the RID portion of a URL for an edit record with something a little more random. 

    The purpose is to stop random searching of records via URL hacking where the user could change the &rid= portion of the URL. However, in my app, i have enabled EOTI users to "Save" their progress on a form, which would email them a link to edit the record they were just editing. 

    So essentially, i was wondering if i could make a different reference in the URL which is harder to guess than RID



    ------------------------------
    GMacri
    ------------------------------


  • 2.  RE: Replace record ID with other RNG based field for URL hacking

    Posted 12-30-2019 11:29
    am idiot, forgot about &key=[Field to generate random text]

    ------------------------------
    GMacri
    ------------------------------



  • 3.  RE: Replace record ID with other RNG based field for URL hacking

    Posted 01-01-2020 18:39
    Hi GMarci!

    You may have already answered your own question, but I had a client with a similar need when exposing their application to EOTI. Along with generating a random 'key' number for them to use to resume progress on their record I also obfuscated the RID by converting it to the r=format that uses numbers and letters through the use of the formula function QB32Encode.

    So where you may have a URL formula such as:

    URLRoot() & "db/" & [_dbid_table] & "?a=dr&rid=" & [Record ID#]
    with a result of https://<name>.quickbase.com/db/<dbid>?a=dr&rid=1

    The new URL fomula would be as follows: 

    URLRoot() & "db/" & [_dbid_table] & "?a=dr&r=" & QB32Encode( [Record ID#])
    with a result of https://<name>.quickbase.com/db/<dbid>?a=dr&r=b


    This type of encoding is much harder to break as it is not incremental.

    Let me know if this was helpful 👍
    –Sharon



    ------------------------------
    Sharon Faust (QuickBaseJunkie.com)
    Founder, Quick Base Junkie
    https://quickbasejunkie.com
    ------------------------------



  • 4.  RE: Replace record ID with other RNG based field for URL hacking

    Posted 01-02-2020 08:20

    Thats awesome, that's pretty much what iw as looking for.

     

    Giuseppe Macri

    Business Integration Coordinator | ConferMed

    19 Grand St., Middletown, CT 06457

    Phone: (860) 347-6971 x3762  

    Email  : Macrig@chc1.com

    www.ConferMed.com

    logo-confermed-tagline-tm

     


    This message originates from Community Health Center, Inc.. The information contained in this message may be privileged and confidential. If you are the intended recipient you must maintain this message in a secure and confidential manner. If you are not the intended recipient, please notify the sender immediately and delete all copies of this message. Thank you.