Date:  04/15/2006 05:43:51 PM Msg ID:  002924
From:  Joe Goldsmith Thread:  002918
Subject:  Re: Remove QueryString
Nice idea. I'll give it a try. Here also is something I came up with that others may find useful.
 
I am building a shopping cart for a retail business. (Shopping carts are not for the faint of heart.) The biggest problem I had to fix was what was showing up in the browser's address bar using a querystring. Because useful information was showing up it might allow a hacker into places he or she should not go. And, the information showing up in the browser may compromise the paying visitor. To get around what was in the address bar I created an intermediate program that used SetVar then called the page with a redirect. Once on the new page I did a GetVar to get the vars I needed. Once the vars were placed in a private var I removed the session var. The intermediate program also called a redirect program to encode the path beyond the domain. This worked great and the paying visitor is protected. Here is an example:
 
PRODUCTLIST.FWX (user chooses a product to add to cart)
*Note: this url passes two parameters, item id and the name of the script where I intend to go.
<a href="securecart.fwx?itemID=<%=(IID)%>&page=tocart.fwx">
 
SECURECART.FWX
*Line 1 checks to make sure that the request comes from my domain and not a hacker
IF LEFT(Request.ServerVariables('HTTP_REFERER'),23) = "http://www.mydomain.com"
   * The next two lines get the querystring parameters passed to securecart.fwx
   lcitemID=ALLTRIM(Request.QueryString("itemID"))
   lcpage=ALLTRIM(Request.QueryString("page"))
   * The next two lines set the session vars
   Session.SetVar('itemID',lcitemID)
   Session.SetVar('page',lcpage)
   * The next line calls the intended page using redirect.fwx, which encodes the page name
   * and calls the intended page
   Response.Redirect('redirect.fwx?REDIRECTURL=' + lcpage)
ENDIF
 
TOCART.FWX (lcPage from above)
   * In the called page I get the session var and place it in a private var
   * I then remove the session var so that a page refresh does not cause a
   * second or third item to be placed in the cart.
   M.ITEMID = Session.GetVar('itemID')
   Session.Remove('itemID')
   * Check the private copy, not the session var (it has just been removed)
   IF LEN(M.ITEMID) <> 0
      ...finish the rest of the script
   ENDIF
 
The net result is that private information is passed without showing up in the browser's address bar such as:
 
http://www.mydomain.com/%61%64%64%74%6F%63%61%72%74.%66%77%78
 
And, if the browser is refreshed I'm not adding another instance of the product item last added to the cart. BTW, here is the code for redirect.fwx that encrypts the called script name. I think all of this also keeps hackers from getting to my scripts and intercepting private information.
 
<%
LOCAL lcURL, lcRedirect, lcParam, lcQuestion, lcLen
lcURL = ""
lcRedirect = ""
lcParam = ""
lcQuestion = ""
lcLen = 0
lcRedirect = Request.QueryString('REDIRECTURL')
lcQuestion = AT("?",lcRedirect)
IF lcQuestion > 0
 lcLen = LEN(lcRedirect)
 lcURL = SUBSTR(lcRedirect, 1, lcQuestion-1)
 lcParam = RIGHT(lcRedirect, lcLen-lcQuestion+1)
ELSE
 lcURL = lcRedirect
 lcParam = ""
ENDIF
lcURL = StrTran(lcURL,"A", "%41")
lcURL = StrTran(lcURL,"B", "%42")
lcURL = StrTran(lcURL,"C", "%43")
lcURL = StrTran(lcURL,"D", "%44")
lcURL = StrTran(lcURL,"E", "%45")
lcURL = StrTran(lcURL,"F", "%46")
lcURL = StrTran(lcURL,"H", "%48")
lcURL = StrTran(lcURL,"I", "%49")
lcURL = StrTran(lcURL,"K", "%4B")
lcURL = StrTran(lcURL,"M", "%4D")
lcURL = StrTran(lcURL,"N", "%4E")
lcURL = StrTran(lcURL,"R", "%52")
lcURL = StrTran(lcURL,"S", "%53")
lcURL = StrTran(lcURL,"T", "%54")
lcURL = StrTran(lcURL,"U", "%55")
lcURL = StrTran(lcURL,"a", "%61")
lcURL = StrTran(lcURL,"b", "%62")
lcURL = StrTran(lcURL,"c", "%63")
lcURL = StrTran(lcURL,"d", "%64")
lcURL = StrTran(lcURL,"e", "%65")
lcURL = StrTran(lcURL,"f", "%66")
lcURL = StrTran(lcURL,"h", "%68")
lcURL = StrTran(lcURL,"i", "%69")
lcURL = StrTran(lcURL,"k", "%6B")
lcURL = StrTran(lcURL,"m", "%6D")
lcURL = StrTran(lcURL,"n", "%6E")
lcURL = StrTran(lcURL,"o", "%6F")
lcURL = StrTran(lcURL,"p", "%70")
lcURL = StrTran(lcURL,"r", "%72")
lcURL = StrTran(lcURL,"s", "%73")
lcURL = StrTran(lcURL,"t", "%74")
lcURL = StrTran(lcURL,"u", "%75")
lcURL = StrTran(lcURL,"v", "%76")
lcURL = StrTran(lcURL,"w", "%77")
lcURL = StrTran(lcURL,"x", "%78")
IF LEN(lcParam) = 0
 Response.Redirect(lcURL)
ELSE
 lcURL = lcURL+lcParam
 Response.Redirect(lcURL)
ENDIF
%>
 
If anyone has a question just send me an email - joe@goldestates.com
 
Joe
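The session hand-off and the redirect.fwx path encoding described in the post above, modelled in Python as an added example (not Joe's code and not FoxWeb): an in-memory session store stands in for SetVar/GetVar/Remove, encode_path generalises the StrTran chain to every character of the script name, and to_cart consumes the item once so a refresh adds nothing. All names here are my own.

```python
# Added example, not from the post. Models the securecart.fwx -> tocart.fwx
# hand-off and the redirect.fwx percent-encoding in plain Python.
from urllib.parse import parse_qs

MY_DOMAIN = "http://www.mydomain.com"   # stands in for the post's domain prefix


class Session:
    """Minimal server-side session store: SetVar / GetVar / Remove."""
    def __init__(self):
        self._vars = {}

    def set_var(self, name, value):
        self._vars[name] = value

    def get_var(self, name):
        return self._vars.get(name, "")

    def remove(self, name):
        self._vars.pop(name, None)


def encode_path(target):
    """Percent-encode every character of the script name (the part before
    '?'), leaving '.' and '/' alone and passing any query string through
    unchanged. Generalises the post's StrTran chain to all characters."""
    path, sep, query = target.partition("?")
    encoded = "".join(c if c in "./" else "%%%02X" % ord(c) for c in path)
    return encoded + sep + query


def secure_cart(session, referer, query_string):
    """securecart.fwx: accept only same-site referers, move the query-string
    values into the session and return the encoded redirect target.
    Referer is client-supplied and often absent, so this prefix check is a
    convenience filter, not an access control."""
    if not referer.startswith(MY_DOMAIN):
        return None
    params = parse_qs(query_string)
    session.set_var("itemID", params.get("itemID", [""])[0].strip())
    session.set_var("page", params.get("page", [""])[0].strip())
    return encode_path(session.get_var("page"))


def to_cart(session):
    """tocart.fwx: read the item once and remove it so a refresh cannot add
    the same item again. Returns None when nothing is pending."""
    item_id = session.get_var("itemID")   # private copy taken first
    session.remove("itemID")
    return item_id or None
```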