PHP: Obfuscate Your Query Strings

It is sometimes a good idea to obfuscate your query strings between web scripts, if only to discourage user URL tampering that could affect the outcome of your processing scripts. If you don't need particularly strong security (this method is reversible, not a one-way encoding), then the following method could prove invaluable to you:

Firstly, replace your existing query string with a new single parameter (I've named it 'id' for this demo's sake). For easier processing, I suggest you fuse your query string values into a single string, using an easily recognisable delimiter (like '||||' in my example). Then run what would have been your query string first through base64_encode and follow that up with str_rot13 to produce your 'new' obfuscated query string.

For example:
$url = '/submitting_page.php?id=' . urlencode(str_rot13(base64_encode('localhost/index.php||||aerdg6||||fastcars')));
(The urlencode() call is needed because base64 output can contain '+', '/' and '=', which would otherwise be mangled in a query string.)

Then, on the processing side of the receiving page, you first run str_rot13 on the encoded query string variable, followed by base64_decode to get it back into its original state.

From this point on it is a simple matter of exploding the resulting decoded string using the delimiter you previously selected, resulting in a nice usable array of values to work with.

For example:
$querystring = base64_decode(str_rot13($_GET['id']));
$querystrings = explode('||||', $querystring);
$url = $querystrings[0];
$hash = $querystrings[1];
$table = $querystrings[2];
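As an added example (not the post's own code), here is the full round trip written as functions: packing the three values into one parameter on the sending side, and unpacking them with some basic validation on the receiving side. It also goes one step beyond the post: because base64 and rot13 are both reversible, the encoding alone cannot tell you whether the value was edited in transit, so the example appends an HMAC over the encoded value and verifies it before decoding. The delimiter and the three sample values are taken from the post; DEMO_KEY and the function names are assumptions for this demo.

```php
<?php
// Added example, not the post's own code. Delimiter and sample values
// follow the post; DEMO_KEY and the function names are assumed for the demo.

const DELIM = '||||';

// Sending side: join the fields, base64-encode, then rot13.
// The result is NOT url-encoded here; that happens when the URL is built.
function obfuscate_query(array $fields): string {
    foreach ($fields as $f) {
        if (strpos($f, DELIM) !== false) {
            throw new InvalidArgumentException('field contains the delimiter');
        }
    }
    return str_rot13(base64_encode(implode(DELIM, $fields)));
}

// Receiving side: reverse the two steps and split on the delimiter.
// Strict base64 decoding rejects values that are not valid base64 at all,
// and the field count is checked so callers never index a missing element.
function deobfuscate_query(string $encoded, int $expected): ?array {
    $decoded = base64_decode(str_rot13($encoded), true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode(DELIM, $decoded);
    return count($parts) === $expected ? $parts : null;
}

// Optional integrity step beyond the post's method: an HMAC with a
// server-side secret lets the receiver detect an edited value.
// DEMO_KEY is a placeholder; a real deployment keeps the secret out of code.
const DEMO_KEY = 'replace-with-a-server-side-secret';

function sign_query(string $encoded): string {
    return $encoded . '.' . hash_hmac('sha256', $encoded, DEMO_KEY);
}

// Returns the encoded payload if the tag matches, null otherwise.
function verify_query(string $signed): ?string {
    $dot = strrpos($signed, '.');
    if ($dot === false) {
        return null;
    }
    $encoded  = substr($signed, 0, $dot);
    $tag      = substr($signed, $dot + 1);
    $expected = hash_hmac('sha256', $encoded, DEMO_KEY);
    return hash_equals($expected, $tag) ? $encoded : null;
}

// Build the URL (values constructed from the post's example). urlencode()
// protects the '+', '/' and '=' that base64 output can contain.
$id  = obfuscate_query(['localhost/index.php', 'aerdg6', 'fastcars']);
$url = '/submitting_page.php?id=' . urlencode(sign_query($id));

// Simulate the receiving page. PHP url-decodes $_GET for you, so the
// urldecode() here only stands in for what $_GET['id'] would contain.
$received = urldecode(substr($url, strlen('/submitting_page.php?id=')));
$encoded  = verify_query($received);
$fields   = $encoded !== null ? deobfuscate_query($encoded, 3) : null;
var_dump($fields); // array with 'localhost/index.php', 'aerdg6', 'fastcars'

// A value edited in the URL fails verification instead of decoding to junk.
$tampered = 'x' . substr($received, 1);
var_dump(verify_query($tampered)); // NULL
```

The signing step is what actually stops tampering; the rot13/base64 layer only keeps the values from being readable at a glance. Without a secret on the server side, anyone who recognises the encoding can decode, edit and re-encode the parameter.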

Nifty.

About Craig Lotter

Craig Lotter is an established web developer and application programmer, with strong creative urges (which keep bursting out at the most inopportune moments) and a seemingly insatiable need to love all things animated. Living in the beautiful coastal town of Gordon's Bay in South Africa, he games, develops, takes in animated fare, trains under the Funakoshi karate style and for the most part, simply enjoys life with his amazing wife and daughter. Oh, and he draws every now and then too.
This entry was posted in Technology & Code, Tutorials.