This article was originally published on July 24, 2008.
On one of my current projects, I’ve found myself in need of passing sensitive data through a URL string. I could use an individual form for each link and pass it via POST, but I wanted to see what I might be able to do by way of encrypting the data. Turns out it’s quite easy.
We’re still running ColdFusion MX 6 here, so some of the newer functions are either crippled or nonexistent. Starting with MX 7, the Encrypt function can handle several different encryption algorithms. I’m stuck with ColdFusion’s own algorithm, which isn’t nearly as secure as AES. However, after a little bit of research, I discovered that it’s actually quite easy to encrypt a variable in your querystring data.
This is a four-step process:
Encrypt your string with the Encrypt function. This takes two parameters – the string you’re encrypting, and the string you’re using as your key.
Convert the result to Base64 with the ToBase64 function so it can be used in your URL string. The Encrypt function converts your string into a mess of special characters, many of which are invalid in a URL.
Reverse the process with the ToBinary, ToString, and Decrypt functions.
Your final code will look something like this:
<!--- Encrypt String --->
<cfset Secret = 'Don''t tell anyone what this value is!'>
<cfset TheKey = 'This is my secret key phrase! 5-6-7-8, who do we appreciate?'>
<cfset Encrypted = Encrypt(Secret, TheKey)>
<cfset Secret64 = ToBase64(Encrypted)>

<!--- Decrypt String --->
<cfset UnlockedSecret = Decrypt(ToString(ToBinary(Secret64)), TheKey)>
Simple, huh? My encrypted values look something like JSQuTyoqWkwgCg==. However, depending on what you’re encrypting (numbers, a phrase, an alphanumeric code, etc.), your obfuscated value might look quite a bit different.
While you certainly should use extreme caution with highly sensitive data like bank account or social security numbers, this is a pretty quick and dirty method of obfuscating data that can’t be passed via POST in your application.
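For ColdFusion MX 7 or later, the same round trip can use AES with hex output, which needs no Base64 step and contains no characters that are special in a URL. This is an added example, not code from the original article; receive.cfm, the t parameter, Token and application.urlKey are assumed names.

```cfml
<!--- Added example: AES variant of the round trip above (ColdFusion MX 7+). --->

<!--- ===== Sending page ===== --->
<!--- Create the key once and keep it server-side only.
      application.urlKey is an assumed name for where it is stored. --->
<cfif NOT StructKeyExists(application, "urlKey")>
    <cfset application.urlKey = GenerateSecretKey("AES")>
</cfif>

<cfset Secret = 'Don''t tell anyone what this value is!'>

<!--- "Hex" encoding yields only 0-9 and A-F. Base64 output, by contrast,
      can contain +, / and =, which must be escaped before going in a URL. --->
<cfset Token = Encrypt(Secret, application.urlKey, "AES", "Hex")>

<!--- URLEncodedFormat is a no-op for hex, but keeps the link safe if the
      encoding is ever switched back to Base64. --->
<cfoutput>
    <a href="receive.cfm?t=#URLEncodedFormat(Token)#">Open record</a>
</cfoutput>

<!--- ===== Receiving page (receive.cfm, assumed name) ===== --->
<cfparam name="url.t" default="">
<cfset UnlockedSecret = "">
<cftry>
    <!--- Reject anything that is not plain hex before calling Decrypt. --->
    <cfif NOT REFind("^[0-9A-Fa-f]+$", url.t)>
        <cfthrow message="Malformed token">
    </cfif>
    <cfset UnlockedSecret = Decrypt(url.t, application.urlKey, "AES", "Hex")>
    <cfcatch type="any">
        <!--- Values that do not decode or decrypt cleanly land here.
              Leave UnlockedSecret empty instead of exposing error detail. --->
        <cfset UnlockedSecret = "">
    </cfcatch>
</cftry>

<!--- Encryption hides the value; it does not prove the value is unmodified.
      Validate UnlockedSecret (type, range, ownership) before using it. --->
<cfif Len(UnlockedSecret) EQ 0>
    <cfabort>
</cfif>
```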