parameters in querystring obfuscation

Post Author: DalePres

CA Forum: Formula

I have an application that calls Crystal Enterprise Server (I think that's the name of it) to generate reports. One of the Crystal reports contains sensitive data in the parameters that show up in the querystring of the user's browser. The querystring for the report is always displayed to the user in the browser. Even if we turn off the address bar, etc., the querystring can still be obtained by a curious user.

The problem really is how can we disguise or encrypt the sensitive parameter data before requesting the report? If there is an easier way than any of the below, that would be the best solution. Otherwise, here's how I have considered solving the problem:

First, will Crystal recognize the supplied parameters if submitted in a POST (as in the form) instead of GET (or querystring)? While not completely secure, that would at least prevent the sensitive data from being "in the face" of the user.

The next idea is to use Base64 encoding which Crystal doesn't support. I am not familiar with the scripting capabilities in Crystal to determine if one could be written. Is the scripting in Crystal Reports VBScript based? Where can I find documentation online for the scripting engine?

My next thought was to do a simple XOR encryption of the sensitive data but that will still, most likely, yield characters that cannot be passed in a querystring so I would still need to create a Base64 encoder/decoder.

And, of course, if the user really wants to secure it well and wants to pay the price for the development time, given more documentation on the scripting capabilities, I could consider porting one of the many publicly available implementations of the AES or other encryption schemes.

Thanks for any guidance and suggestions.

Dale