coupe-r Posted January 27, 2011 Share Posted January 27, 2011 Hi All, Currently, in my application, my links use index.php?id=14 (or whatever ID it is). Should I somehow encrypt those so the exact ID is not known or is this OK? Quote Link to comment Share on other sites More sharing options...
Maq Posted January 27, 2011 Share Posted January 27, 2011 Depends what you're using it for. Quote Link to comment Share on other sites More sharing options...
coupe-r Posted January 27, 2011 Author Share Posted January 27, 2011 Well, through out the site, it is used to query the users record. edit.php?id=14 <--- This would grab from the users table WHERE user_id = $_GET['id']. I have it so if a user enters an erroneous number that isn't tied to their client_id, it drops them back a page. other.php?id=14&cid=34 <--- This would grab the users complaint record That is what I use it for, mainly. Quote Link to comment Share on other sites More sharing options...
Maq Posted January 27, 2011 Share Posted January 27, 2011 I have it so if a user enters an erroneous number that isn't tied to their client_id, it drops them back a page. If you're checking to ensure the id is tied with the current user's account then it should be fine. You may want to sanitize your variable with mysql_real_escape_string or use prepared statements to prevent SQL injections. That goes for any value that is used in a query that the user can manipulate. Quote Link to comment Share on other sites More sharing options...
coupe-r Posted January 27, 2011 Author Share Posted January 27, 2011 Which would be better to use? If I sanitize, just do: $urlVal = mysqli_real_escape_string($_GET['id']); Then query on $urlVal? Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted January 27, 2011 Share Posted January 27, 2011 if magic quotes is on, you'll get double-slashes without removing them. if magic quotes is on, i stripslashes() first. $urlVal = (isset($_GET['id']))?trim($_GET['id']):''; if (get_magic_quotes_gpc()) { $urlVal = stripslashes($urlVal); } $urlVal = mysql_real_escape_string($urlVal); Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted January 27, 2011 Share Posted January 27, 2011 If the ID should always be a number, you could check to make sure it's a number before querying the database. ... if(preg_match("/^\d+$/", $_GET['id'])) { ... This will stop queries for things like: index.php?id=a Quote Link to comment Share on other sites More sharing options...
coupe-r Posted February 2, 2011 Author Share Posted February 2, 2011 Last question. If I wanted the best way to "hide" the ID in the URL, would I encrypt it and then decrypt it on the new page or is there a better way? Basically, I want to have ID=Dj43k;asd890faaklsdf01934jfa in the URL, not ID=12. Suggestions? Quote Link to comment Share on other sites More sharing options...
ttocskcaj Posted February 2, 2011 Share Posted February 2, 2011 You could do encryption with mcrypt. Here's a tutorial http://www.phpro.org/classes/Two-Way-Encryption-With-PHP-Mcrypt.html And the php manual http://php.net/manual/en/book.mcrypt.php If you don't want to go that far, you could perhaps add a random lot of numbers to the end so it's like id=4842049262658265620528 That way it looks encrypted. But secretly you just use the 1st 2 numbers Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.