Accessing a record in MySQL and PHP

Hi!!!

I am accessing a record in a MySQL DB with a sentence embedded in
PHP code. The result accesses a page like:

http://www.mysite.com/page.php?id=16

where the id=16 indicates the id of the result. This works perfectly, but
I don't want the user to know that the number 16 corresponds to a
specified record. I'd like to change the 16 for an algorithm. The
algorithm result will be 16, but this will be only known by the database.

As an example, I'd like that

http://www.mysite.com/page.php?id=ewrefj34239dsa

equals

http://www.mysite.com/page.php?id=16

Sorry if this is not a PHP specific question, but I appreciate any
answer.

Best regards!

Zek

Dec 13 '05 #1
On 12 Dec 2005 16:02:23 -0800, "zek2005" <es*******@gmail.com> wrote:
> As an example, I'd like that
> http://www.mysite.com/page.php?id=ewrefj34239dsa
>
> equals
> http://www.mysite.com/page.php?id=16


Other than an MD5 hash, a simple solution - obfuscation really - would
be to:

Put the ID characters within a string made up of random characters:
get the length of the ID string and for each character, prepend it
with X random characters, then append the string with X random
characters, e.g. where X=4.

16 becomes: ghty1juh56i1k4
161 becomes: agdh1ag5h6ah4d1ah4f

To decode it, strip off the last X characters, divide the remaining
length by (X+1) to figure out how many characters are in the original
ID, then get each X+1th character to reconstruct the original ID.

It's not real security, but whether it's appropriate depends on why
you want to hide the ID and the value of the ID to someone who has
enough examples to decode it (or look for MD5 hash matches).

--
------------------------------------------------------------------
- Stuart Millington ALL HTML e-mail rejected -
- mailto:ph***@dsv1.co.uk http://w3.z-add.co.uk/ -
Dec 13 '05 #2
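
The padding scheme from the reply above, as an added example that is not part of the original post. The function names and the filler alphabet are assumptions; the decoder needs no key, only the value of X, and it rejects tokens whose length or extracted characters do not fit the scheme.

```php
<?php
// Added example (not from the thread): X filler characters before each digit
// of the ID, then X more at the end. Names and ALPHABET are assumptions.
const PAD = 4;                                   // "X" in the post
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

function filler(int $n): string {
    $out = '';
    for ($i = 0; $i < $n; $i++) {
        $out .= ALPHABET[random_int(0, strlen(ALPHABET) - 1)];
    }
    return $out;
}

function encodeId(int $id): string {
    $out = '';
    foreach (str_split((string) $id) as $digit) {
        $out .= filler(PAD) . $digit;            // X filler characters, then one real digit
    }
    return $out . filler(PAD);                   // X trailing filler characters
}

function decodeId(string $token): ?int {
    $body = strlen($token) - PAD;                // strip the last X characters
    // Structural check: the rest must be whole groups of X+1 characters.
    if ($body < PAD + 1 || $body % (PAD + 1) !== 0) {
        return null;
    }
    $digits = '';
    for ($pos = PAD; $pos < $body; $pos += PAD + 1) {
        $digits .= $token[$pos];                 // every (X+1)th character
    }
    // Content check: the recovered characters must all be decimal digits.
    return ctype_digit($digits) ? (int) $digits : null;
}

var_dump(decodeId('ghty1juh56i1k4'));            // first example from the post
var_dump(decodeId('agdh1ag5h6ah4d1ah4f'));       // second example from the post
var_dump(decodeId(encodeId(16)) === 16);         // round trip
var_dump(decodeId('ghty1juh56i1k'));             // wrong length
var_dump(decodeId('ghtyXjuh56i1k4'));            // non-digit in a digit position
```
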
Following on from zek2005's message. . .
> Hi!!!
>
> I am accessing a record in a MySQL DB with a sentence embedded in
> PHP code. The result accesses a page like:
>
> http://www.mysite.com/page.php?id=16
>
> where the id=16 indicates the id of the result. This works perfectly, but
> I don't want the user to know that the number 16 corresponds to a
> specified record. I'd like to change the 16 for an algorithm. The
> algorithm result will be 16, but this will be only known by the database.


(1) A simple way is to obfuscate. This has the advantage that the page
is fully bookmarkable. So you can embed a URL into a 'hello' email to
say "To look at your order go to ....User=1234567".

(2) You will find however that it is handy to obfuscate the same every
time sometimes and vary the algorithm with additional randomising at
others.

(3) If obfuscating then your decoder also needs to check that the input
was valid. To take a too-simple example if your routine multiplied by
12345 to obfuscate then anything not divisible by 12345 is a hack.

(4) Obfuscation has the convenience of being reversible, hashing has the
advantage of not being reversible. This means hashing should be secure
(while obfuscation is of course hackable) but you need to have some way
to store the real value on the server, e.g. in session or database.

(5) When hashing you can invalidate the stored hash if used as a key to
lookup a response. So for example you might offer the user three
/exclusive/ options in an email and delete all three hashes when one is
chosen. Or you can say "reply in the next 7 days ...".

(6) IMHO a good strategy is *not* to use auto incrementing user IDs
(etc) but to provide a large random number for the primary key. Then
you don't have to worry too much about user 16 trying out user 17,18 and
19 and you don't need to obfuscate/hash either.
--
PETER FOX Not the same since the pancake business flopped
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
Dec 13 '05 #3
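
Points (4) and (5) of the reply above, as an added example that is not part of the original post: the URL carries a random token, the server stores only its hash next to the real record ID, and using one link deletes every link in the same offer. SQLite in memory stands in for MySQL so the block runs offline; the table, column and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL; table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE link_tokens (
    token_hash  TEXT PRIMARY KEY,
    record_id   INTEGER NOT NULL,
    offer_group TEXT NOT NULL,
    expires_at  INTEGER NOT NULL)');

// The URL carries a random token; the server keeps only its hash and the real id.
function issueToken(PDO $db, int $recordId, string $group, int $ttl): string {
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $db->prepare('INSERT INTO link_tokens VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $token), $recordId, $group, time() + $ttl]);
    return $token;
}

// Returns the record id, or null for malformed, unknown, expired or used tokens.
function redeemToken(PDO $db, string $token): ?int {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;                      // wrong shape: reject before any query
    }
    $db->beginTransaction();
    $find = $db->prepare('SELECT record_id, offer_group FROM link_tokens
                          WHERE token_hash = ? AND expires_at > ?');
    $find->execute([hash('sha256', $token), time()]);
    $row = $find->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $db->rollBack();
        return null;
    }
    // Point (5): using one link invalidates every link in the same offer.
    $db->prepare('DELETE FROM link_tokens WHERE offer_group = ?')
       ->execute([$row['offer_group']]);
    $db->commit();
    return (int) $row['record_id'];
}

// Constructed sample data: two exclusive options, valid for 7 days.
$week   = 7 * 24 * 60 * 60;
$first  = issueToken($db, 16, 'offer-1', $week);
$second = issueToken($db, 17, 'offer-1', $week);
var_dump(redeemToken($db, '16'));      // guessed sequential id: rejected
var_dump(redeemToken($db, $first));    // valid link resolves to its record
var_dump(redeemToken($db, $second));   // sibling link was invalidated above
```

On MySQL with InnoDB, adding `FOR UPDATE` to the SELECT keeps two concurrent requests from redeeming the same token.
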
You can also use base64 encoding for this.
--
Geeks Home
www.fahimzahid.com


"zek2005" <es*******@gmail.com> wrote in message
news:11**********************@g49g2000cwa.googlegroups.com...
> Hi!!!
>
> I am accessing a record in a MySQL DB with a sentence embedded in
> PHP code. The result accesses a page like:
>
> http://www.mysite.com/page.php?id=16
>
> where the id=16 indicates the id of the result. This works perfectly, but
> I don't want the user to know that the number 16 corresponds to a
> specified record. I'd like to change the 16 for an algorithm. The
> algorithm result will be 16, but this will be only known by the database.
>
> As an example, I'd like that
>
> http://www.mysite.com/page.php?id=ewrefj34239dsa
>
> equals
>
> http://www.mysite.com/page.php?id=16
>
> Sorry if this is not a PHP specific question, but I appreciate any
> answer.
>
> Best regards!
>
> Zek
Dec 14 '05 #4