2

I want to encrypt the URL parameter's value like

http://www.sitename.com/index.php?userid=12546

into

http://www.sitename.com/index.php?userid=SADFFHGFE

to prevent robots from hacking the user IDs, which are auto-incrementing in the database, and I am not sure about the security of base64_encode and base64_decode. Is there any way to do this??

jogesh_pi
  • Maybe this will help you: http://stackoverflow.com/questions/4940348/encrypt-encoding-an-id-in-url-string – Guganeshan.T Oct 13 '11 at 08:09
  • Sure you don't use the obfuscation of the userid as security, right? – PeeHaa Oct 13 '11 at 08:09
  • Is there a reason that you want to pass `userid` in the url? What are you trying to accomplish? – Tom Oct 13 '11 at 08:10
  • Take a look at this: http://stackoverflow.com/questions/959957/php-short-hash – Niko Oct 13 '11 at 08:11
  • There are different ways outlined online: [Create short IDs with PHP - Like Youtube or TinyURL](http://kevin.vanzonneveld.net/techblog/article/create_short_ids_with_php_like_youtube_or_tinyurl/) and [PHP Unique Hash](http://blog.kevburnsjr.com/php-unique-hash) - maybe that's helpful. – hakre Oct 13 '11 at 08:14

3 Answers

6

Is there any way to do this??

Hashing user IDs is useless as it's easily reverted. Encrypting them is neither practical nor necessary - just assign a random user ID when you create a record, and never expose the auto increment ID.

Pekka
  • This question is a duplicate of http://stackoverflow.com/questions/4940348/encrypt-encoding-an-id-in-url-string, but I believe this is a better answer than those at the alternative. Ah, to flag or not to flag... that is the question. :) – Herbert Oct 13 '11 at 08:19
  • @Herbert Flag, I'd say, but not as a duplicate but as a pointless question. – Your Common Sense Oct 13 '11 at 08:43
-1

You could store a randomly generated string in the same row as the user record. I use this to generate a random ID for quizzes on my site:

It generates a string using the character list, so they must be stored as case_sensitive.

$p_length is the number of characters to output, I use '6'

```php
function generate_id($p_length)
{
    // Alphabet is mixed-case, so the stored column must be case-sensitive.
    $char_list = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $char_list .= "abcdefghijklmnopqrstuvwxyz";
    $char_list .= "1234567890";
    $char_list_len = strlen($char_list);
    $random = "";

    for ($i = 0; $i < $p_length; $i++)
    {
        // random_int() (PHP 7+) is a CSPRNG and avoids the modulo bias of rand() % n.
        $char = random_int(0, $char_list_len - 1);
        $random .= $char_list[$char];
    }
    return $random;
}

$random_id = generate_id(6);
```
hakre
Luke
  • *Note:* As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically. – hakre Oct 13 '11 at 08:26
  • How do you prevent adding the same generated ID to multiple records? – hakre Oct 13 '11 at 08:28
  • @hakre That's a very good point, I have the field set in the database to UNIQUE and I loop through, checking that the generated ID is not already stored. – Luke Oct 13 '11 at 08:50
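Added example (not code from any of the answers): one way to implement the advice in the first two answers, a random public ID assigned when the record is created, stored in a UNIQUE column, with a retry on collision. The `users` table, the `public_id` column and the function names are assumptions; it uses PDO with an in-memory SQLite database and needs PHP 7.1 or later.

```php
<?php
// Assumed names for illustration: users table, public_id column, helper functions.
function new_public_id(): string
{
    // 16 bytes from the OS CSPRNG = 128 bits, encoded as 22 URL-safe base64 chars.
    return rtrim(strtr(base64_encode(random_bytes(16)), '+/', '-_'), '=');
}

function create_user(PDO $db, string $name, int $max_tries = 5): string
{
    $stmt = $db->prepare('INSERT INTO users (public_id, name) VALUES (?, ?)');
    for ($i = 0; $i < $max_tries; $i++) {
        $public_id = new_public_id();
        try {
            $stmt->execute([$public_id, $name]);
            return $public_id;
        } catch (PDOException $e) {
            // SQLSTATE class 23 = integrity constraint violation (UNIQUE hit): retry.
            if (substr((string) $e->getCode(), 0, 2) !== '23') {
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not allocate a unique public_id');
}

function find_user(PDO $db, string $public_id): ?array
{
    // Reject anything that is not the expected shape before touching the database.
    if (!preg_match('/\A[A-Za-z0-9_-]{22}\z/', $public_id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE public_id = ?');
    $stmt->execute([$public_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    public_id TEXT NOT NULL UNIQUE,
    name TEXT NOT NULL)');

$pid = create_user($db, 'alice');     // constructed sample user
echo "index.php?userid=$pid\n";       // the URL carries only the random public_id
var_dump(find_user($db, $pid));       // lookup by public_id
var_dump(find_user($db, '1'));        // sequential guess: fails the format check
```

The auto-increment `id` stays internal for joins and foreign keys. A random identifier only stops enumeration, so the page behind `index.php` still needs its own authorization check.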
-1

You can create a hash of the id so you get something like:

http://www.sitename.com/index.php?userid=81dc9bdb52d04dc20036dbd8313ed055

In your DB query you can do a select on the users table including a WHERE statement that also hashes the id column like:

WHERE MD5(id) = youridfromqueryparameters

A side note to this is that MD5 hashes do not necessarily have to be unique. So you cannot be sure that this select statement is always returning the row you wanted.

But of course it does not differ that much from just using the id. A better solution might be to generate a unique (not auto incremented) id for each user and use that in the url (encrypted or not).

Bas Slagter