How can I hide user id in the url

Question

How can I hide the user id in the url using php?

I have a button with the user id:

<a href="edit.php?id<?php echo $row['user_id']; ?><button>Edit</button></a>

How can I hide or better encrypt it?

Any reason why you want to do this? Security through obscurity is not a great idea — DarkBee, Nov 05 '21 at 06:36
send the user ID by sending a post request to the endpoint if you want not to show the URL. — OMi Shah, Nov 05 '21 at 06:38
though it makes zero sense, to me, for hiding the user ID and making simpler stuffs complicated for yourself. — OMi Shah, Nov 05 '21 at 06:39
@OMiShah That would make it impossible to have a `GET` request to the page, which is how the web works. — Dai, Nov 05 '21 at 06:41
Your PHP code is vulnerable to XSS scripting. If someone does `edit.php?user_id=` then they can steal cookies and more. — Dai, Nov 05 '21 at 06:42
Did you try searching? I searched for your exact title, and found many, many answers here on SO, describing different approaches, and discussing the various pros/cons of each. If your goal is to prevent someone from enumerating IDs just to find users, you could try using hashes - here are a few examples: https://stackoverflow.com/q/39297754/6089612, https://stackoverflow.com/q/11788313/6089612, https://stackoverflow.com/q/19914249/6089612, https://stackoverflow.com/q/43746040/6089612. — Don't Panic, Nov 05 '21 at 07:00
If your goal is to remove any kind of ID from the URL completely, you can't do that with a normal `` link and `$_GET`, you'll need to instead POST, or use the session. Here are some examples: https://stackoverflow.com/q/25723183/6089612, https://stackoverflow.com/q/16476531/6089612, https://stackoverflow.com/q/63976555/6089612. — Don't Panic, Nov 05 '21 at 07:00
Also worth reading: https://stackoverflow.com/questions/396164/exposing-database-ids-security-risk — Don't Panic, Nov 05 '21 at 07:03
@Dai, that's why I asked the OP to send a post request to the endpoint with user ID and get user ID in the edit.php file. :) — OMi Shah, Nov 05 '21 at 07:04
I want to hide it because what if the user got curious change the id. — Edo Tensei, Nov 05 '21 at 07:09
That's not a good reason, you should add code to prevent people from accessing URL's they don't have access to anyway — DarkBee, Nov 05 '21 at 07:11
"*I want to hide it because what if the user got curious change the id*" - in that case any of the hash-related answers I posted should help. Here's a more comprehensive example: https://stackoverflow.com/questions/32795998/hiding-true-database-object-id-in-urls — Don't Panic, Nov 05 '21 at 07:20
Does this answer your question? [Hiding true database object ID in url's](https://stackoverflow.com/questions/32795998/hiding-true-database-object-id-in-urls) — Don't Panic, Nov 05 '21 at 07:20
If the user changes the ID then your code should prevent them from viewing the data for that ID, if they don't have permission to it. Instead of trying to hide things, implement proper security. — ADyson, Nov 05 '21 at 08:50

score -3 · Answer 1 · answered Nov 05 '21 at 06:41

-3

use flash session instead of $_GET parameters flash session is once set and when reading session destroy ownself

for example in laravel

return  redirect()->route('ffaa')->with('id',12);

here with method sends data to another page using flash session

answered Nov 05 '21 at 06:41

dılo sürücü

3,821
1
26
28

What is "flash session", exactly? – Dai Nov 05 '21 at 06:42
Flashmessages are a system of setting a (session) variable on page X and instantly removing it on a new a request – DarkBee Nov 05 '21 at 06:43
1

This solution won't suffice for OP, as the shown url is `edit.php` I'd imagine there are more than just one user record – DarkBee Nov 05 '21 at 06:45
You set flash session, you read it once and they disappear, that's it, next time you want to access it, it is no longer there, so sending data between pages is just like sending data with inter-activity intent on android. You can get information about flash session with a little google search. – dılo sürücü Nov 05 '21 at 06:45
The answer is related to laravel Framework. But the user has asked the question using core php – ManojKiran A Nov 05 '21 at 06:51
i just gave an example from laravel, i know you are not using laravel – dılo sürücü Nov 05 '21 at 06:53
Please add some explanation to your answer such that others can learn from it. If there were multiple links with different IDs, how should your approach work? Which kind of link would you put in the markup? – Nico Haase Nov 05 '21 at 07:59

score -3 · Answer 2 · answered Nov 05 '21 at 07:54

-3

You can encrypt User ID in href

<?php $user_id = md5($row['user_id']); ?>
<a href="edit.php?id=<?php echo $user_id; ?>"><button>Edit</button></a>

and on edit.php page you can validate it using same encryption method, like:

<?php 
   $user_id = $_GET['id'];
   if($user_id === md5($row['user_id'])){
       // Code user id matches.
   }
?>

answered Nov 05 '21 at 07:54

Sourav Dutt

70
1
8

1

md5 is not an encryption algorithm. Also, as this is not reversible, you would need to fetch **all** rows from the database to find the proper one – Nico Haase Nov 05 '21 at 07:59
@NicoHaase you're right, I was just giving him a hint. He can use anything else, like **openssl_encrypt()** to encrypt it in **href** and on edit.php he can decrypt it using **openssl_decrypt()** – Sourav Dutt Nov 05 '21 at 08:16
Then why not mention such an approach in your answer? – Nico Haase Nov 05 '21 at 08:18

How can I hide user id in the url

2 Answers2