Discussions

How best can I obfuscate/encrypt URL query parameters that are passed to a code page on our database?

  • 1.  How best can I obfuscate/encrypt URL query parameters that are passed to a code page on our database?

    Posted 05-29-2019 17:58
    Hi all!

    I was asked to develop an app that can present records associated with a particular user in a printable 8.5x11" worksheet-style form. As of now, I accomplish this with a URL button field that links to a code page with a "?userEmail=abcde@email.com" tacked onto the end. My javascript code takes the email from the URL, inserts it into an API_DoQuery, and uses the results to populate the worksheet.

    My question is: what's the best way I can keep a user from changing the URL to see somebody else's records? My initial thought was to change the URL parameter and base64 encode the email to get something more like "?x=YWJjZGVAZW1haWwuY29t" which is probably obfuscated enough considering that most of the users wouldn't be savvy or interested enough to figure out how to look at other people's records.

    Honestly none of the records contain terribly sensitive information. Simple base64 obfuscation would probably serve fine. But maybe one of you has a more secure method of accomplishing this outcome! Maybe using an application variable as a key? I don't know but I'm interested in finding out.

    Thanks in advance for the help!