WebApp Sec mailing list archives

Re: Encrypted URL


From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Fri, 30 Jan 2004 17:28:36 -0800

> other handlers like modphp, and vice-versa. I thought that this is anyway a
> good way to prevent a lot of webapp parameter attacks,
> but the better protection is still using good programming practices. =]

I've not been following this thread closely, but that last comment is
critical in my opinion.  Parameters in URLs typically shouldn't contain
sensitive information (if they need to, then encrypting the params is
required) and checking the validity of all URL requests is critical.  After
all, it's possible your own program is creating invalid parameter values
from time to time, so being encrypted shouldn't be mistaken to mean it's
valid (you can encrypt a virus, for example, and the virus is still a
problem once it's decrypted again), so it makes more sense to program
defensively WHENEVER it comes to receiving data from an external source.
The largest security hole in all applications is their failure to check
parameters as they enter an application's domain.  So, encrypting to keep
sensitive information from prying eyes is wise, but it shouldn't be used to
imply that the data within is valid.  For one thing, applications do change
over time, so a valid URL one day may not be valid after an upgrade.

David
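The decrypt-then-validate pattern David describes, as an added example that is not part of the original post: the parameter set is sealed with encrypt-then-MAC, but the decrypted values still go through the same checks a plain query string would get, so a token that our own application issued (perhaps under an older URL layout) can still be rejected. The key, the `doc_id`/`action` schema and the SHA-256 counter-mode keystream are constructed for the demo; a real deployment would use an AEAD such as AES-GCM.

```python
import base64, hashlib, hmac, json, os

KEY = b"constructed-demo-key-not-for-production"  # constructed sample key
ALLOWED_ACTIONS = {"view", "download"}  # assumed parameter schema of the demo app

def _keystream(key, nonce, n):
    # SHA-256 in counter mode, a stand-in for a real AEAD such as AES-GCM.
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal_params(params, key=KEY, nonce=b""):
    """Encrypt-then-MAC a parameter dict into one URL-safe token."""
    pt = json.dumps(params, sort_keys=True).encode()
    nonce = nonce or os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def open_params(token, key=KEY):
    """Check the MAC and decrypt; this says nothing about whether the content is valid."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 48:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("token tampered with or not issued by this application")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

def validate_params(params):
    """The checks a plain query string would get; they run on the decrypted data."""
    if not isinstance(params, dict) or set(params) != {"doc_id", "action"}:
        raise ValueError("unexpected parameter set (stale or foreign URL layout)")
    doc_id, action = params["doc_id"], params["action"]
    if isinstance(doc_id, bool) or not isinstance(doc_id, int) or not 0 < doc_id < 10**9:
        raise ValueError("doc_id out of range")
    if action not in ALLOWED_ACTIONS:
        raise ValueError("action not permitted")
    return {"doc_id": doc_id, "action": action}

def handle(token):
    """Decrypt first, then validate; returns (accepted, params or reason)."""
    try:
        return True, validate_params(open_params(token))
    except ValueError as e:
        return False, str(e)
```

A token sealed with the right key but carrying `"action": "delete"` passes the MAC check and is still refused by `validate_params`, which is the point of the post.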
