2

Good day ,

So i have a link in the form of this /insert_video.php?video_tut_id=15

The 15 is a dynamic number generated from a mysql query

Is there a way to hide this number with php in the url bar, meaning instead of the above something in the form of /insert_video.php?video_tut_id=adjkh13123 but that the process is reversible , so not like a md5 which is only one way

Gunnit
  • 1,064
  • 5
  • 22
  • 45

5 Answers5

4

There are a number of ways to approach this. Some sites use the idea of a "slug", which usually involves making the title of the video valid for a URL. Instead of a url like this:

insert_video.php?video_tut_id=15

... you end up with a url like this:

insert_video.php?video_tut=how-to-make-cookies

Something like this:

function slug($str) {
    $str = strtolower(trim($str));
    $str = preg_replace('/[^a-z0-9-]/', '-', $str);
    $str = preg_replace('/-+/', "-", $str);
    return $str;
}

Another method is to give each video a non-numeric "alias". This is pretty similar to the slug method, but instead of using the title, you can use a keyword or random letters and numbers.

The approach that you mention, which is making some reversible hash out of the id, is easily accomplished in a variety of ways, depending on how hard you want it to be to decrypt. If you need high security, there are options like using the mCrypt library (docs). If security isn't a high concern, you can use any obscure method - a user might figure it out if they tried, but if they aren't going to get anything out of the work more exciting than the id you used in your database table, it isn't likely many who are capable would bother.

Simple methods like the latter could be as easy as converting the numbers to letters with chr (docs). You could use a "Caesar cipher" and shift all the numbers and pass the key right in the url (again, this is a low-security approach). Google around and choose one of the numerous home-baked encryption methods - all of these are non-secure but good enough for some simple obfuscation.

With all that said, and not knowing your use case, it is often not very important to go though such pains to hide the id from your user. You'll want your various scripts to implement security whether you hide these id numbers from your users or not - getting the id number should not give a would-be attacker anything important. If it is dangerous for users to get these ids, I suggest that you reconsider your security model and identify why having an id number gives someone the "keys to the kingdom" - it shouldn't, not at all, *especially if the ID numbers comprise a portion of the URLs you will be exposing to the public. If the id field is important enough to go through such pains to hide, you'd be better served by never exposing it, encrypted or not.

Chris Baker
  • 49,926
  • 12
  • 96
  • 115
2

If you want to obsfusicate your ids, which is what I guess you want to achieve, you got two ways:

Either use some algorithm which is reversable or generate random id and use this. For the first idea you can use base64 or some other reversable built_in algorithm or build your own by replacing stuff, calculating with the id (like multiply with 15, minus 2) and other fun. Problem: If someone knows what you're doing (base64 e.g. is recognized easily and decoded in seconds), he can reverse engineer every id.

The second idea is to generate another unique id beside your auto_increment id and use this one in urls. You could for example hash the id + timestamp, store it in the database, add it to the url and then query for it. As your string is really random, nobody can guess it. He can just try every string (which will take some time) or hack your database.

Depending on what security you need, choose the first one for easy implementation and speed and the second one for security.

Sgoettschkes
  • 13,141
  • 5
  • 60
  • 78
1

Actually, why don't you store the video key in the database? It can be a hash of the name or anything else. You could then look up for the content using the key, just like YouTube does, for example.

But answering your question, have a look at that answer here: https://stackoverflow.com/a/1289114/759049 to get some encrypt\decrypt functions for PHP.

Community
  • 1
  • 1
Pateman
  • 2,727
  • 3
  • 28
  • 43
1

It also depends what your reasoning is for not wanting to disclose the video id. The most common reason is that you don't want people to be able to enumerate your server and guess at vid's to discover new content.

In this case you can create a new field in your database that represents a unique id for each video that isn't incremental such as php's uniqid();

Now instead of /insert_video.php?video_tut_id=3 you can do something like /insert_video.php?vuid=4b340550242239. And in your query to the database you reference this field instead of your primary key (video_tut_id).

dchrastil
  • 582
  • 3
  • 5
0

Even though you've accepted an answer already, I'm going to share my code that's in production use for something similar. I use this to create a url that's encoded with all the parameters from the original $_GET array.

save to a test script and load it in a browser. then try putting misc variables onto the url.

<?

header( 'content-type: text/plain' );
$h = '';
if ( array_key_exists( 'h', $_GET ) && ! empty( $_GET['h'] ) )
{
    $test = unserialize( gzuncompress( base64_decode( urldecode( urldecode( $_GET['h'] ) ) ) ) );
    if ( is_array( $test ) )
    {
        $h = $_GET['h'];
        $_GET = $test;
    }
}
elseif( count( $_GET) )
{
    $h = urlencode( urlencode( base64_encode( gzcompress( serialize( $_GET ), 9 ) ) ) );
}

list( $url ) = explode( '?', $_SERVER['REQUEST_URI'] );

if ( ! empty( $h ) )
{
    $url .= '?h=' . $h;
}

echo $url . "\n\n";

var_dump( $_GET );
Tim G
  • 1,812
  • 12
  • 25