
Obfuscating URLs

Hide your primary key values from nosy users.

[block:callout]
{
  "type": "danger",
  "title": "Check",
  "body": "Is this still correct in 1.3x onwards?"
}
[/block]
The Wheels convention of using an auto-incrementing integer value as the primary key in your database tables will lead to a lot of URLs on your website exposing this value. Using the built-in URL obfuscation functionality in Wheels, you can hide this value from nosy users.
[block:api-header]
{
  "type": "basic",
  "title": "What URL Obfuscation Does"
}
[/block]
When URL obfuscation is turned off (which is the default setting in Wheels), this is how a lot of your URLs will end up looking:
[block:code]
{
  "codes": [
    {
      "code": "http://localhost/user/profile/99",
      "language": "text"
    }
  ]
}
[/block]
Here, `99` is the primary key value of a record in your users table.

After enabling URL obfuscation, this is how those URLs will look instead:
[block:code]
{
  "codes": [
    {
      "code": "http://localhost/user/profile/b7ab9a50",
      "language": "text"
    }
  ]
}
[/block]
The value `99` has now been obfuscated by Wheels to `b7ab9a50`. This makes it harder for nosy users to substitute the value to see how many records are in your users table, to name just one example.
[block:api-header]
{
  "type": "basic",
  "title": "How to Use It"
}
[/block]
To turn on URL obfuscation, all you have to do is call `set(obfuscateURLs=true)` in the `config/settings.cfm` file.

Once you do that, Wheels will handle everything else. The main thing Wheels does is obfuscate the primary key value when you use the [linkTo()](doc:linkto) function and deobfuscate it on the receiving end. Wheels will also obfuscate all other params passed to [linkTo()](doc:linkto), as well as any value in a form submitted with a GET request.

In some circumstances you will need to obfuscate and deobfuscate values yourself, for example if you link to pages without using the [linkTo()](doc:linkto) function. In these cases, you can use the `obfuscateParam()` and `deObfuscateParam()` functions to do the job for you.
[block:api-header]
{
  "type": "basic",
  "title": "Is This Really Secure?"
}
[/block]
No, this is not meant to add a high level of security to your application. It just obfuscates the values, making casual observation harder. It does not encrypt values, so keep that in mind when using this approach.
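
What the last section means in practice, as an added example that is not part of the Wheels documentation: the controller still decides who may see a record, whether or not the key in the URL is obfuscated. `session.userId`, the `session` controller and the `requireOwnProfile` filter are assumed names, and `id` follows the Wheels primary key convention.

```cfml
<!--- controllers/User.cfc: added example, not Wheels' own code --->
<cfcomponent extends="Controller">

  <cffunction name="init">
    <!--- Check access before the profile action runs --->
    <cfset filters(through="requireOwnProfile", only="profile")>
  </cffunction>

  <cffunction name="profile">
    <!--- variables.user was loaded and authorised by the filter --->
  </cffunction>

  <cffunction name="requireOwnProfile" access="private">
    <!--- session.userId is an assumed name, set by your own login code --->
    <cfif NOT StructKeyExists(session, "userId")>
      <!--- Assumed login page: controller "session", action "new" --->
      <cfset redirectTo(controller="session", action="new")>
    <cfelse>
      <!--- params.key has already been deobfuscated by Wheels;
            treat it as untrusted input all the same --->
      <cfif StructKeyExists(params, "key") AND IsValid("integer", params.key)>
        <cfset user = model("user").findByKey(params.key)>
      <cfelse>
        <cfset user = false>
      </cfif>

      <!--- Same 404 for "no such record" and "not your record", so the
            response does not reveal which keys exist --->
      <cfif NOT IsObject(user) OR user.id NEQ session.userId>
        <cfheader statuscode="404" statustext="Not Found">
        <cfset renderText("Not found")>
      </cfif>
    </cfif>
  </cffunction>

</cfcomponent>
```

With this filter in place the obfuscated key only hides record counts from casual observers; access is refused by the ownership check, not by the difficulty of guessing a value.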