How to encrypt id in url php
I've been looking at articles online about solutions to encrypting id's in a url. I've tried the basic encode decode but the problem i'm having when decoding it on the next page where I do a select where id = decoded id. It won't grab the proper user still from the table. Show My link:
sendContract.inc.php page:
UPDATE: Now that I understand to that urlencode needed to be used, it works in the URL properly. The page is displaying a customers contract. And it's only unique to them. The contract link gets sent by email which is just a link with their customer_id (which is now encoded, decoded). I'm wondering what else can I do to secure their link and info? The contract is displayed as a PDF in the link (using tcpdf).
halfer 19.6k17 gold badges92 silver badges175 bronze badges asked Sep 2, 2016 at 17:20
7 I like to use Hashids for this:
Hashids has been ported to many languages, including PHP. Here is an example from their website:
answered Sep 2, 2016 at 17:27
ChrisChris 117k88 gold badges259 silver badges239 bronze badges 3 It appears that you're not encrypting the ID, you're only encoding it in base64 which means that anyone can decode it. Here's an example showing a simple encoded string.
This will output
will output
BUT REMEMBER, this implementation DOES NOT encrypt the ID, it is only encoded which means ANYONE can decode it. answered Sep 2, 2016 at 17:37
AnthonyAnthony 2212 silver badges10 bronze badges 4 I would create a table specifically for this email operation. In said table I would have the For the hash it could be as simple as
This would work just fine and serves only to make the url "pretty". Because you are saving the hash in the table as part of the row data, it dosn't need to be related to the data in that row at all. Basically it takes all the guess work out of it. I would also look into not exposing the '.php' extension. Most MVC frameworks can do this and it just make the url a bit cleaner like this
In my opinion the only way to really secure this is to limit how often and how long the url in the email could be used. You could also force them to login at the url, then you can be sure it is the account holder. answered Sep 2, 2016 at 18:11
ArtisticPhoenixArtisticPhoenix 21k2 gold badges21 silver badges35 bronze badges 3 In order to avoid guessing Id by end user, I could suggest a way that takes use of hashed id. For example, you use MD5 as hash algorithm and database MySQL Your url would be .../path?id={hashed_id} When looking up at database your query will be
By this way, you only expose hashed value of id to customer, not the id itself. Moreover, you dont need to maintain a secret key which could be potentially leaked out. answered Sep 2, 2016 at 17:38
Chiến NghêChiến Nghê 7282 gold badges9 silver badges24 bronze badges 4 How do you secure a passing ID in a URL?On the most simple level you can perhaps base64_encode the id and then decode it with base64_decode . The examples below are just illustrative. Please clean and adjust for your needs.
How do I encrypt a URL?Traffic encryption options. Within the Website module, click Settings.. Under Website security, click Traffic encryption (HTTPS/SSL).. Choose when you want to redirect visitors to the secure URL. Always. All http page requests will be redirected to the encrypted https page. ... . Click Save.. What is URL encryption in PHP?The urlencode() function is an inbuilt function in PHP which is used to encode the url. This function returns a string which consist all non-alphanumeric characters except -_. and replace by the percent (%) sign followed by two hex digits and spaces encoded as plus (+) signs. Syntax: string urlencode( $input )
How do I encrypt ID in blade laravel?Encryption of a value can be done by using the encrypt helper in the controllers of Laravel class. These values are encrypted using OpenSSL and AES-256 cipher. All the encrypted values are signed with Message Authentication code (MAC) to check for any modifications of the encrypted string.
|