0

Currently I have a mysql table that displays information about job opportunities. I have an auto incrementing primary key and I want to encode so it isn't easily recognizable.

So the key "1" would be converted into something short like "AE93DZ". So for URL purposes it isn't something like somesite.com/view/1

Primary Key Unique Id   |   Job Name
1                       | Gardening at X
2                       | Dishwasher at Y
3                       | Etc
4                       | Etc

The primary key needs to be able to be decoded back into it's original key so I can search the database, eg if the user were to click the post then it needs to pull up that job post.

I have tried using Base64 encoding the key.

public static function encode( $input )
{
    $salt= "example_salt";
    $encrypted_id = base64_encode($input . $salt);;
    return $encrypted_id;
}

public static function decode( $raw )
{
    $salt = "example_salt";
    $decrypted_id_raw = base64_decode($raw);
    $decrypted_id = preg_replace(sprintf('/%s/', $salt), '', $decrypted_id_raw);
    return $decrypted_id;
}

The encryption returns something like

OE1ZX1SKJS3KSJNMg==

which is too long and contains "=" signs.

user2515606
  • 182
  • 4
  • 13

2 Answers2

4

I though that changing the base of the ID and add a offset could give you a nice short way to obfuscate the id. Something like this:

function obfuscate($number)
{
    $offset = 12345678;
    return strtoupper(base_convert($number + $offset, 10, 36));
}

function deobfuscate($code)
{
    $offset = 12345678;
    return base_convert($code, 36, 10) - $offset;
}

Here 1 would become 7CLZJ and 9999 would become 7CTP9. The codes are guaranteed to be unique. By converting to base 36 the code would only contain the number 0...9 and the letters A....Z.

Simple but effective. Please make the $offset a field in your class.

This only moves you away from the simple numbers of the id, it does in no way help to secure the id.

If you think that the sequential numbers in base 36 are a problem you can add a factor. For instance the prime number 5197. Like this:

function obfuscate($number)
{
    $offset = 73074643;
    $factor = 5197;
    return strtoupper(base_convert($factor * $number + $offset, 10, 36));
}

function deobfuscate($code)
{
    $offset = 73074643;
    $factor = 5197;
    return intdiv(base_convert($code, 36, 10) - $offset, $factor);
}

Which will make it a lot harder to see any logic in the numbering:

1 = 17ICRK 
2 = 17IGRX 
3 = 17IKSA 
4 = 17IOSN 
5 = 17IST0
KIKO Software
  • 15,283
  • 3
  • 18
  • 33
1

Base64 encoded values are still easily recongnizable.
You could create a hash of the ID e.g. $hash = hash('crc32', $input);, but a better idea would be to generate UUIDs e.g. $uuid = uniqid(); and use that instead of ID

Dharman
  • 30,962
  • 25
  • 85
  • 135
  • crc32 duplicates very easy it is indeed better to generate UUID.. But in general you should not be using UUID as primary keys it's statters btree performance effectively as UUID are more random.. – Raymond Nijland Aug 16 '19 at 18:14
  • 1
    A good read about URL shortening by [Jeff Atwood](https://blog.codinghorror.com/url-shortening-hashes-in-practice/) – Dharman Aug 16 '19 at 18:37