Encode part of a URL. Is there a better way than this? 

This is a common thing. I put a customer ID in a link. But I want to encrypt
it:

Below whatever I get from the database goes in
echo  '<a href="cust1.php?xid=' . $result->fields['CustNum'] .'">Edit </a>';
will become '....../cust1.php?xid=72 (or whatever)

I want to hide the number. This will work
echo '<a href="cust1.php?xid=' . base64_encode($result->fields['CustNum']) . '">Edit </a>';

and gives something like .../cust1.php/?xid=MWYca

Short of writing my own routine, is there a better way of doing this
encryption? (Obviously I have to do decryption when it is read in, but that
is not a problem.)

Thanks,
Al



Sun, 31 Jul 2005 12:28:22 GMT  


Quote:
> and gives something like .../cust1.php/?xid=MWYca

> Short of writing my own routine, is there a better way of doing this
> encryption. (Obviously I have to do decryption when it is read in, but that
> is not a problem.

Your subject says encode but your message says encrypt; it really
depends on which you need.

If all you need is to obscure the ID enough that it's not the original
number, I would suggest using base64_encode() and base64_decode(). Note
that this is not encryption at all, and is obviously trivial to decode,
but if all you're trying to do is prevent the raw user ID from appearing
in the URL, this will work.
--

--------------------------|--------------------------------------------------
<http://www.phplabs.com/> | PHP scripts and thousands of webmaster resources!



Sun, 31 Jul 2005 14:50:11 GMT  

Quote:

> will become '....../cust1.php?xid=72 (or whatever)

> I want to hide the number.
..
> something like .../cust1.php/?xid=MWYca

Do you realize that this would always yield the same encoded number? So a
visitor would still know that the id is the same as yesterday's id, if both
link to the very same customer. Obviously, your encoded ID will be harder
to adjust to get a different number (when seeing 72 one might change it to
73), I know. Just to make sure you understand that this way of encoding
always gives you the same output for the same input.

When it is really important to really hide such things, you could also think
about not putting them in the HTML at all, but keep the IDs at the server
side using PHP's sessions. Session support in PHP works fine, although it
might be overdone for your situation.

Palahala



Sun, 31 Jul 2005 17:42:08 GMT  
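
The server-side session approach suggested in the post above, as an added example that is not part of the original thread: the link carries a random per-session token and the customer number never leaves the server. The helper names xid_for() and cust_num_from_xid() are hypothetical, PHP 7.1 or later is assumed, and a plain array stands in for $_SESSION so the block runs from the command line.

```php
<?php
// Added example: hypothetical helpers, not code from the thread.

/** Return an unguessable token for $custNum, valid only inside this session. */
function xid_for(array &$session, int $custNum): string
{
    // Reuse the token if this customer was already linked in this session.
    $existing = array_search($custNum, $session['xid_map'] ?? [], true);
    if ($existing !== false) {
        return (string) $existing;
    }
    $token = bin2hex(random_bytes(16));      // 128 bits from the system CSPRNG
    $session['xid_map'][$token] = $custNum;  // the mapping stays on the server
    return $token;
}

/** Resolve the xid query parameter; null when this session never issued it. */
function cust_num_from_xid(array $session, $xid): ?int
{
    if (!is_string($xid) || !isset($session['xid_map'][$xid])) {
        return null;
    }
    return $session['xid_map'][$xid];
}

// Constructed demo: $session stands in for $_SESSION after session_start().
$session = [];
$xid = xid_for($session, 72);
echo '<a href="cust1.php?xid=' . $xid . '">Edit </a>', "\n";

var_dump(cust_num_from_xid($session, $xid));   // token issued above
var_dump(cust_num_from_xid($session, 'NzI=')); // base64 of "72", never issued
var_dump(cust_num_from_xid([], $xid));         // same token, a different session
```

In cust1.php, pass $_SESSION and $_GET['xid'] ?? null and treat a null result as "not found". Unlike base64 or a reversible cipher, a token for a customer the page never linked to cannot be produced by editing the URL.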


Quote:
> This is a common thing. I put a customer ID in link. But I want to encrypt
> it:

There are mcrypt functions which implement various standard algorithms, but I
am not sure if they are included in the standard distribution by default.

Aside from that, it is quite common to just assign non-continuous IDs to
important entities, which are hard to guess (they appear random). For
instance:


Unless you already have existing IDs in the database, the method above is
often easier, with a usually equivalent level of (un)security.

rush
--
http://www.templatetamer.com/



Sun, 31 Jul 2005 21:12:44 GMT  
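
One way to assign hard-to-guess IDs as the post above describes, as an added example that is not part of the original thread: each customer row gets a random public ID for use in links, while the sequential CustNum stays internal. The table layout, the public_id column and the function names are hypothetical; PHP 7.1 or later with the pdo_sqlite extension is assumed, and the in-memory database and customer names are constructed so the block runs offline.

```php
<?php
// Added example: hypothetical schema and helpers, not code from the thread.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (
    CustNum   INTEGER PRIMARY KEY,   -- sequential, never shown in a URL
    public_id TEXT NOT NULL UNIQUE,  -- random, the only ID placed in links
    name      TEXT NOT NULL
)');

/** Insert a customer and return the random public ID assigned to it. */
function add_customer(PDO $db, string $name): string
{
    $publicId = bin2hex(random_bytes(16));   // 128 bits from the system CSPRNG
    // The UNIQUE constraint makes a duplicate ID fail loudly instead of
    // silently pointing two links at the wrong record.
    $stmt = $db->prepare('INSERT INTO customers (public_id, name) VALUES (?, ?)');
    $stmt->execute([$publicId, $name]);
    return $publicId;
}

/** Look a customer up by the ID taken from the URL; null when nothing matches. */
function find_customer(PDO $db, string $publicId): ?array
{
    // Only the exact shape add_customer() produces is ever sent to the database.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $publicId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT CustNum, name FROM customers WHERE public_id = ?');
    $stmt->execute([$publicId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data.
$first  = add_customer($db, 'Example Customer A');
$second = add_customer($db, 'Example Customer B');
echo '<a href="cust1.php?xid=' . $second . '">Edit </a>', "\n";

var_dump(find_customer($db, $second));   // ID taken from the link above
var_dump(find_customer($db, '2'));       // sequential guess, wrong shape
var_dump(find_customer($db, str_repeat('0', 32)));  // right shape, not assigned
```

A random ID only removes the "change 72 to 73" step; cust1.php still has to check that the logged-in user is allowed to edit the customer it resolves to.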

Quote:


>> will become '....../cust1.php?xid=72 (or whatever)

>> I want to hide the number.
> ..
>> something like .../cust1.php/?xid=MWYca

> Do you realize that this would always yield the same encoded number? So a
> visitor would still know that the id is the same as yesterday's id, if both
> link to the very same customer. Obviously, your encoded ID will be harder
> to adjust to get a different number (when seeing 72 one might change it to
> 73), I know. Just to make sure you understand that this way of encoding
> always gives you the same output for the same input.

> When it is really important to really hide such things, you could also think
> about not putting them in the HTML at all, but keep the IDs at the server
> side using PHP's sessions. Session support in PHP works fine, although it
> might be overdone for your situation.

> Palahala

Your point is well taken and I've decided not to use base64. Instead, I found
a simple encryption class called AzDGCrypt (from phpclasses.org) and I use
this. I create random keys (seeds) and keep those as session vars (so I can
decrypt!)

Thus, in one instance xid=72 would look like

/cust1.php/?xid=sljs07s;ls070s7s

and on another

/cust1.php/?xid=mvjsw8762  

etc.

What I'd REALLY like to do is find a way to CHANGE the URL (see other
posting.)

Al



Mon, 01 Aug 2005 01:32:25 GMT  
 