0

I realize this may be a reproduce of a question from '09 OLD LINK but wanted to see if there was a better way to do now:

ultimately I have the following URL:

www.site.com?ID=12345 (my id's are much more complicated than this).

That being said, it is theoretically possible for somebody to simply change the URl and access other person's data (yes I can also run authentication of ownership on the other side as well).

Ultimately, I want to hash the initial data, put it as the ID value - then on the server processing script (page that is linked to), reverse the hash and use the UID from that member.

Community
  • 1
  • 1
JM4
  • 6,740
  • 18
  • 77
  • 125
  • What you're talking about isn't hashing - it's encrpytion/decryption. – John Parker Mar 07 '11 at 21:33
  • @middaparka - right - i just didnt want anybody to think i cared enough to go nuts here with like AES or anything. Just want something basic that can't be easily discovered. – JM4 Mar 07 '11 at 21:35

2 Answers2

1

Two choices - use PHP's encryption/decrypt facilities to hide the actual UID. Or store a hashed version of the UID in the database alongside the normal UID.

You could run a query like

SELECT blah,blah
FROM table
WHERE MD5(id) = 'the query string value'

but that wouldn't allow for indexes to be used, so it'd be better to do

...
WHERE hashed_id = 'the query string value'

instead.

Marc B
  • 356,200
  • 43
  • 426
  • 500
1

What you're attempting to do sounds like the wrong approach, unless you're just attempting to obfuscate things slightly (which seems somewhat pointless, if I'm being honest).

I'd be tempted to add an additional element to the URL - an authorisation key which would be randomly generated at the time the ID is generated and stored alongside the ID (presumably in a database), but wouldn't be generated based on the ID. (Something like md5(uniqid) would probably do the trick.)

As such, it simply wouldn't be possible for someone to guess the ID and the key.

John Parker
  • 54,048
  • 11
  • 129
  • 129
  • the primary issue is that in the data authentication (ensuring a user is able to access certain information) it would require a call into a stored procedure which uses A LOT of system resources (as it transcends hierarchial tree structures to have to ensure things are 'ok'). This call would be made 10-15 times each time a call to the page is made. – JM4 Mar 07 '11 at 21:46