I have a very simple encryption class using tripleDES to encrypt the query string for a particular page on my site. I do this to prevent people page scraping sequentially based on our database IDs.
Anyhow, I've used this encryption method. However, it includes `3d%` and some other special characters that shouldn't be in a query string and are rejected by Url Scan for security purposes. There is a `=` in the actual encrypted string that is generated. I don't want to change URL scan, but I was wondering if there is a way to limit the encryption characters for the tripleDES crypto provider or something. I know next to nothing about encryption and I'm really just obfuscating the query string, so I'm open to other options regarding my encryption of the query string.
The methods you have linked use Base64 encoding to convert the encrypted byte array - which could have all kinds of "non-printable" bytes in it - into a form that will only contain `A`-`Z`, `a`-`z`, `0`-`9`, `+`, `/` and `=`.
However, these last 3 are not suitable for URLs.
You could do a simple `String.Replace` on the Base64 string, replacing these characters with URL-safe characters, e.g. `+` => `-`, `/` => `_` and `=` => `.`. You can even drop the `=` off the end completely, as they are only padding characters. (Making the first two substitutions and dropping the `=` is suggested by RFC3548.)
Then simply reverse this replacement when you want to decrypt your string. If you dropped the `=` completely, add `=` until the length of the string is a multiple of 4.
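
The substitution and padding steps described in the answer above, as an added C# example that is not part of the original answer. The class name `UrlSafeBase64` and the sample bytes are made up for illustration; it implements the variant that drops the `=` padding, and rejecting the standard-alphabet characters on decode is a strictness choice of this example.

```csharp
using System;

public static class UrlSafeBase64
{
    // Encode bytes (e.g. the ciphertext) as Base64, then swap in the
    // URL-safe alphabet and drop the '=' padding.
    public static string Encode(byte[] data)
    {
        if (data == null) throw new ArgumentNullException(nameof(data));
        return Convert.ToBase64String(data)
                      .TrimEnd('=')
                      .Replace('+', '-')
                      .Replace('/', '_');
    }

    // Reverse the substitution, restore the padding, then decode.
    // Throws FormatException on malformed input, which is how a truncated
    // or hand-edited query-string value shows up before decryption.
    public static byte[] Decode(string token)
    {
        if (token == null) throw new ArgumentNullException(nameof(token));
        // Example-specific choice: refuse '+', '/' and '=' so every value
        // has exactly one accepted spelling in the URL.
        if (token.IndexOfAny(new[] { '+', '/', '=' }) >= 0)
            throw new FormatException("Not URL-safe Base64.");
        string b64 = token.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 0: break;                  // no padding was removed
            case 2: b64 += "=="; break;     // two padding characters removed
            case 3: b64 += "="; break;      // one padding character removed
            default: throw new FormatException("Invalid Base64 length.");
        }
        return Convert.FromBase64String(b64);
    }

    public static void Main()
    {
        // Constructed sample bytes, chosen so that standard Base64
        // contains '+', '/' and '=' all at once.
        byte[] sample = { 0xFB, 0xFF, 0xBE, 0x01 };
        Console.WriteLine(Convert.ToBase64String(sample));
        string token = Encode(sample);
        Console.WriteLine(token);
        Console.WriteLine(BitConverter.ToString(Decode(token)));
    }
}
```
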
You shouldn't mess with crypto if you don't know what you're doing (and even if you do). Instead, use the crypto as is, and UrlEncode the result.