URL masking by encrypting query string

For many of my project I have written code which simply a link having some parameters as query string in url to pass information from one page to another by using GET request. However there are situations when I want to hide the query string to avoid tempering by users. Many people suggest using POST instead of GET, but remembering I am not submitting a form. Another possible solution is to use session variable and pass data from one page to another, this is fine if we have limited number of link having query string.
The best suggested way to hide the query string from a site user is to use rewrite rule in your htaccess file.
But I decided to encrypt the query string and then decrypt it back on landing page. I does some googling and integrate the suggestion from there with some of the built in php function to get a working code.
Here is the code


	//function to encrypt the query string

function encryptLink($val1, $val2){

	$keySalt = "aghtUJ6y";  // change it

	$qryStr = "name1=".$val1."&name2=".$val2;  //making query string

	$query = base64_encode(urlencode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($keySalt), $qryStr, MCRYPT_MODE_CBC, md5(md5($keySalt)))));    //this line of code encrypt the query string

	$link = "landing_page.php?".$query;

	return $link;


$v1 = "foo";  // you can generate this value dynamically 

$v2 = "bar";

$pagelink = encryptLink($v1, $v2);


<a href="<?php echo $pagelink ?>">link</a>

The function encryptLink take parameters which are the values to be passed on landing_page.php (in this example). Off course you can pass the parameters in different style and manipulate according to your need. The mcrypt_encrypt() function take different parameters details of which you can find on its documentation on php.net.

Now on landing_page.php you must have decrypt script to get the query string back in original from so that you can process any further logic
It’s very simple


$keySalt = "aghtUJ6y";     // same as used in encryptLink function

$queryString = rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($keySalt), urldecode(base64_decode($_SERVER['QUERY_STRING'])), MCRYPT_MODE_CBC, md5(md5($keySalt))), "\0");   //this line of code decrypt the query string

parse_str($queryString);   //parse query string

if(!empty($name1) && !empty($name2)){

       echo $name1;  //  will print "foo"

      echo $name2;  // will print "bar"


	exit("Invalid parameters passed");



That’s all you need to mask you link so the user cannot temper with your url query string. Hope this small tutorial helps you. Feel free to comment or leave a suggestion.


  1. Hi there Sanjay,
    Many thanks for your posting. I am an amateur. I added your code to my php pages but I have a problem with a “repeat region”. The code appears to work fine however all the “repeated” links show the same result.
    Any suggestions? Any help would be appreciated.

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.