
I'm trying to come up with a good way to avoid directly using ID's in URL's to look up table entries. The main reason is that for privacy reasons, I don't want my users to be able to simply change, say, /?unique_id=10 to /?unique_id=11 and see someone else's information.

I've noticed many sites use randomly generated strings, but what's the best structural implementation of something like this?

Thanks!

Oh, and I doubt it matters, but I'm using PHP.

EDIT: The information contained on the pages is public information. That is, anyone with the link should be able to access the page without trouble. What I want to prevent is people simply iterating through IDs and seeing everything in the database. I prefer that only people that have been given a link access the page. That said, it's not a huge problem if a random person stumbles across it.

Also, I don't want people looking at the ID to figure out how many total entries there are.

Stephen Corwin
    How sensitive is the information you're displaying? – Pekka Feb 22 '12 at 22:30
  • Any `guid` / `uuid` method would work, but you shouldn't rely on obscurity of ID for security... – Wrikken Feb 22 '12 at 22:33
  • Are you trying to limit access to a user's own information? If so, might I suggest you use session variables based on the user's login info? – SenorAmor Feb 22 '12 at 22:33
  • I should have been more clear: The information contained on the pages is public information. That is, anyone with the link should be able to access the page without trouble. What I want to prevent is people simply iterating through IDs and seeing everything in the database. I prefer that only people that have been given a link access the page. That said, it's not a huge problem if a random person stumbles across it. – Stephen Corwin Feb 23 '12 at 04:42
  • Oh, and another thing I don't want is for people to know how many entries are in the database. Using IDs, all they have to do is find the point at which the ID leads to a "Not valid" page, and they know exactly how many entries there are. – Stephen Corwin Feb 23 '12 at 04:46

5 Answers

3

You probably need some kind of user check to make sure people aren't seeing other people's records anyway, but using a GUID for this is a good start.

You could use a hash of something like record1, record2 etc., but a determined hacker could easily do this.

Another option is to use record aliases so each record has a string that represents it, which you then use as the key. You often see this in WordPress or other CMS systems.

So if your id refers to a post maybe take the title and replace spaces with -

eg. www.example.com/article.php?id=Summer-is-the-best-time-of-year

Toby Allen
  • I think the string solution is the best. Say I just wanted to use a random string of characters though, instead of an actual title. What's the best way to make that string unique in order to avoid collisions? – Stephen Corwin Feb 23 '12 at 04:51
  • A GUID! Otherwise you need to use an autoincrement field combined with something else and turned into letters, like say 123-GHF; the person can guess the 123 bit but not the letters. – Toby Allen Feb 23 '12 at 10:27
2

You shouldn't have to deal with that at the URL level. You just take care of that at the session, so if user 123 tries to access yoursite.com/unique_id=456 the session check will prevent him from doing it. I mean you're talking about private pages, isn't it?

Even if you encode it (the user id) it will be accessible as a hash or something, which would be nothing more than obfuscation, which is not as good as preventing access on your own (with a session).

Julian
1

I have used MySQL's UUID() function for this, but you should definitely use permission checking to ensure that users aren't able to view data for other users.

This answer shows simply how to create a unique identifier.

Kalessin
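As an added example (not code from the question or from any of the answers above), here is one way to put Toby Allen's GUID suggestion, Kalessin's UUID approach and the session check Julian calls for together in PHP. It uses PDO with an in-memory SQLite database so it runs on its own under the php CLI; the table name and columns (records, public_id, owner_id, is_public, title) and the 22-character base64url token format are assumptions, not anything from the thread.

```php
<?php
// Added example (not from the original post or any answer): store a random,
// unguessable "public id" next to the autoincrement primary key and look
// records up by that instead of by the sequential id. Uses PDO with an
// in-memory SQLite database so it runs stand-alone; the table and column
// names (records, public_id, owner_id, is_public, title) are assumptions.
declare(strict_types=1);

// 16 bytes from the CSPRNG give 128 bits of entropy; base64url-encoding them
// yields a 22-character token that can go into a URL without escaping.
function generatePublicId(int $bytes = 16): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Shape check done before touching the database: anything that is not a
// 22-character base64url string (a bare "10", for instance) is rejected.
function isWellFormedPublicId(string $id): bool
{
    return preg_match('/^[A-Za-z0-9_-]{22}$/', $id) === 1;
}

function openDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE records (
        id        INTEGER PRIMARY KEY AUTOINCREMENT,
        public_id TEXT    NOT NULL UNIQUE,
        owner_id  INTEGER NOT NULL,
        is_public INTEGER NOT NULL DEFAULT 1,
        title     TEXT    NOT NULL)');
    return $db;
}

// Insert a record and return its public id. The UNIQUE index is the
// collision guard: a duplicate token (astronomically unlikely at 128 bits)
// raises SQLSTATE 23000, in which case a fresh token is drawn and retried.
function createRecord(PDO $db, int $ownerId, string $title, bool $isPublic = true): string
{
    $stmt = $db->prepare(
        'INSERT INTO records (public_id, owner_id, is_public, title) VALUES (?, ?, ?, ?)');
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $publicId = generatePublicId();
        try {
            $stmt->execute([$publicId, $ownerId, $isPublic ? 1 : 0, $title]);
            return $publicId;
        } catch (PDOException $e) {
            if ((string) $e->getCode() !== '23000') {
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not allocate a unique public id');
}

// Look up by public id with a bound parameter (never interpolate $_GET into
// SQL). Malformed and unknown ids both return null, so a probe cannot tell
// "never existed" from "not yet allocated" and learns nothing about row count.
function findByPublicId(PDO $db, string $publicId): ?array
{
    if (!isWellFormedPublicId($publicId)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, public_id, owner_id, is_public, title FROM records WHERE public_id = ?');
    $stmt->execute([$publicId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The unguessable id is only a sharing mechanism. For records that are not
// public, the owner is still compared against the logged-in session user
// (pass $_SESSION['user_id'] ?? null from a real request handler).
function canView(?array $record, ?int $sessionUserId): bool
{
    if ($record === null) {
        return false;
    }
    return (int) $record['is_public'] === 1 || (int) $record['owner_id'] === $sessionUserId;
}

// Stand-alone demonstration with two constructed records.
$db      = openDatabase();
$shared  = createRecord($db, 1, 'Summer is the best time of year');
$private = createRecord($db, 2, 'Draft notes', false);

var_dump(findByPublicId($db, $shared)['title']);
var_dump(canView(findByPublicId($db, $private), 1));   // user 1 is not the owner
var_dump(canView(findByPublicId($db, $private), 2));   // user 2 owns the record
var_dump(findByPublicId($db, '10'));                   // a sequential id no longer resolves
```

The random public_id only stops links from being enumerated, which is what the question asks for; the owner comparison in canView is what actually protects a private record, which is the point Julian and Kalessin make. MySQL's UUID() or a UUID v4 library can stand in for generatePublicId as long as the value is random (a v1 UUID embeds a timestamp and MAC address and is partly predictable).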
0

You can encrypt them using md5(id) and search for the record that has the same md5(id), i.e.

select * from table where md5(id) = '$encrypted'
abugnais
    That has to do a full table scan and calculate an md5 for every row in your table. If you have more than a few rows, performance will compare pretty poorly. – recursive Feb 22 '12 at 22:46
0

Why not use AJAX calls for any queries to the DB rather than including them in the URL via $_GET?

xXPhenom22Xx
  • How would this improve security? The ID is still visible to the client, no matter whether Ajax is used for the request or not. – Pekka Feb 22 '12 at 23:12
  • AJAX requests are not visible to the client and are not encoded in the URL like variables being passed via $_GET – xXPhenom22Xx Feb 23 '12 at 19:11