-2

I have a video website and I worry that somebody could write a script that fetches all my database and uses it, because I use the video id in the address as a query string to tell every page which video has to be shown.

Example:

http://example.com/video/215/videotitle

215 is my video id and videotitle is the title of my video. I want to have something like YouTube:

www.youtube.com/watch?v=__zj6ibrq04

How can I do this? I should mention that I used mod_rewrite to get an address like this, so I absolutely worry about somebody fetching my database because they can know the video id.

That's awful because id is an auto increment primary key in my database!!! Is there any suggestion?

Amir H
  • I think you can get a solution for your question from this link: http://stackoverflow.com/questions/7356555/better-way-to-replace-query-string-value-in-a-given-url – annam priyatam Dec 25 '14 at 07:38
  • I had a look at your link and I don't like it! I need sth really special! – Amir H Dec 25 '14 at 11:30
  • What's wrong with a unique char column that uses random letters? You'll have to figure out how to handle conflicts yourself, but any string with 11+ characters will have a pretty low likelihood of ever hitting a conflict. – Lucas Dec 25 '14 at 13:19
  • This has been asked and answered before. Also, like for any common problem, solutions normally exist. For example, why isn't [hashids](http://hashids.org/php/) working for you? If you could explain what makes your question so special, one could actually answer it. – hakre Dec 25 '14 at 16:54

1 Answer

2

If all your pages are public, i.e. anyone can go to any site at any time, there's only one thing you can do against a bot automatically scraping your site: detect scraping behaviour and throttle it. That means you need to track every visitor by IP address and/or other characteristics and start denying them access once they start requesting too many pages within a certain time window. No, this is not trivial to get right.

In this case it doesn't really matter what your URLs look like; you may think that YouTube's URLs are "unguessable", but (most of) YouTube's videos are entirely public and can be discovered by browsing through YouTube's front page. There's no need to guess the URL, that's an irrelevant detail. And even if they were not, you could simply start trying every single URL from __aaaaaaaa through __9999999. It'll take a while, but it's possible.

deceze
  • You are right, but closing the door without a lock is better than opening it for any stranger!!! – Amir H Dec 25 '14 at 11:24
  • @AmirH, both schemes are equally guessable, and trivial to scan. What are you trying to achieve here... what is the value of your "database"? – Offbeatmammal Dec 27 '14 at 04:20
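
The throttling approach described in the answer (track each visitor and deny access once they request too many pages within a time window), sketched as an added example that is not code from any poster in this thread. The class name, the limits and the sample addresses are assumptions, state is kept in memory for a single process, and an IP address alone is an imperfect client key.

```python
import time
from collections import defaultdict, deque


class ScrapeThrottle:
    """Sliding-window limiter keyed by client (e.g. IP address)."""

    def __init__(self, max_pages=30, window=60.0, block_for=300.0):
        self.max_pages = max_pages    # distinct video pages allowed per window (assumed value)
        self.window = window          # window length in seconds
        self.block_for = block_for    # cool-down once the limit is exceeded
        self._hits = defaultdict(deque)   # client -> deque of (timestamp, video_id)
        self._blocked_until = {}          # client -> time the block expires

    def allow(self, client, video_id, now=None):
        """Return True if the request may be served, False if throttled."""
        now = time.monotonic() if now is None else now
        if self._blocked_until.get(client, 0.0) > now:
            return False
        self._blocked_until.pop(client, None)
        hits = self._hits[client]
        # Drop requests that have fallen out of the window.
        while hits and hits[0][0] <= now - self.window:
            hits.popleft()
        hits.append((now, video_id))
        # Count distinct pages so that reloading one video is not penalised,
        # while walking through many ids is.
        if len({vid for _, vid in hits}) > self.max_pages:
            self._blocked_until[client] = now + self.block_for
            hits.clear()
            return False
        return True


def simulate():
    """Constructed traffic: one viewer and one client walking sequential ids."""
    t = ScrapeThrottle(max_pages=30, window=60.0, block_for=300.0)
    viewer = [t.allow("198.51.100.7", 215, now=i * 2.0) for i in range(40)]
    crawler = [t.allow("203.0.113.9", vid, now=vid * 0.5) for vid in range(1, 41)]
    after_block = t.allow("203.0.113.9", 41, now=20.0 + 301.0)
    return viewer, crawler, after_block
```

The same counting works whether the ids in the URL are sequential integers or random strings, since it keys on how many different pages a client pulls, not on what the identifiers look like.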