Forum Discussion

GiuseppeMacri
Qrew Captain
6 years ago

Replace record ID with other RNG based field for URL hacking

Hi,

The long and short of it is, I'd like to obfuscate the RID portion of a URL for an edit record with something a little more random.

The purpose is to stop random searching of records via URL hacking where the user could change the &rid= portion of the URL. However, in my app, I have enabled EOTI users to "Save" their progress on a form, which would email them a link to edit the record they were just editing.

So essentially, I was wondering if I could make a different reference in the URL which is harder to guess than RID.



------------------------------
GMacri
------------------------------
  • am idiot, forgot about &key=[Field to generate random text]

    ------------------------------
    GMacri
    ------------------------------
  • Hi GMacri!

    You may have already answered your own question, but I had a client with a similar need when exposing their application to EOTI. Along with generating a random 'key' number for them to use to resume progress on their record, I also obfuscated the RID by converting it to the r= format that uses numbers and letters, through the use of the formula function QB32Encode.

    So where you may have a URL formula such as:

    URLRoot() & "db/" & [_dbid_table] & "?a=dr&rid=" & [Record ID#]
    with a result of https://<name>.quickbase.com/db/<dbid>?a=dr&rid=1

    The new URL formula would be as follows:

    URLRoot() & "db/" & [_dbid_table] & "?a=dr&r=" & QB32Encode( [Record ID#])
    with a result of https://<name>.quickbase.com/db/<dbid>?a=dr&r=b


    This type of encoding is much harder to break as it is not incremental.

    Let me know if this was helpful 👍
    –Sharon



    ------------------------------
    Sharon Faust (QuickBaseJunkie.com)
    Founder, Quick Base Junkie
    https://quickbasejunkie.com
    ------------------------------
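
An added example, not part of the thread and not Quick Base's own code: a Python model of the two link parameters discussed above, the base-32 `r=` value and the random `&key=` value, showing which of the two the access decision can rest on. The alphabet (chosen only so that record 1 encodes to `b`, as in the reply), the function names and the `may_open` check are assumptions made for illustration.

```python
import hmac
import secrets

# ASSUMED 32-symbol alphabet (0 -> "a", 1 -> "b"); picked to reproduce the
# thread's "rid=1 -> r=b" result, not taken from Quick Base documentation.
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"

def b32_encode(n: int) -> str:
    """Positional base-32 encoding of a non-negative record ID."""
    if n < 0:
        raise ValueError("record IDs are non-negative")
    out = ""
    while True:
        n, rem = divmod(n, 32)
        out = ALPHABET[rem] + out
        if n == 0:
            return out

def b32_decode(s: str) -> int:
    """Inverse of b32_encode; raises ValueError on a symbol outside ALPHABET."""
    n = 0
    for ch in s:
        n = n * 32 + ALPHABET.index(ch)
    return n

def new_resume_key() -> str:
    """128 random bits from the OS CSPRNG, as 22 URL-safe characters."""
    return secrets.token_urlsafe(16)

def resume_link(base_url: str, rid: int, key: str) -> str:
    """Link e-mailed to the user: encoded record ID plus the per-record key."""
    return f"{base_url}?a=dr&r={b32_encode(rid)}&key={key}"

def may_open(keys_by_rid: dict, r: str, key: str) -> bool:
    """Hypothetical server-side check: serve the record only if the key matches."""
    try:
        stored = keys_by_rid.get(b32_decode(r))
    except ValueError:
        return False
    # Constant-time comparison so response timing does not leak key prefixes.
    return stored is not None and hmac.compare_digest(stored.encode(), key.encode())

if __name__ == "__main__":
    keys = {rid: new_resume_key() for rid in (1, 2, 3)}  # constructed sample records
    print([b32_encode(rid) for rid in keys])             # encoded IDs stay in sequence
    print(resume_link("https://<name>.quickbase.com/db/<dbid>", 2, keys[2]))
    print(may_open(keys, b32_encode(3), keys[2]))         # neighbour's record, own key
```

Under any positional encoding, consecutive record IDs map to consecutive strings and decode back exactly, so in this model the record stays private only because of the random key.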
    • GiuseppeMacri
      Qrew Captain

      That's awesome, that's pretty much what I was looking for.