Hash and recover a string

[yonta]

Hi

I'm building a gallery where users can send postcards.

When the postcard is saved into the database i get the last_insert_id and send a mail with a link that people should click on to see the postcard. The link is something like this: seepostcard.php?id=43 . 43 is in this example the last_insert_id.

Of course doing it this way if people wanna see postcards that weren't sent to them all they have to is change the number in the url. I wanna prevent this.

So i would like to disguise the number. I tried using md5 but then it seems i can't recover the original number in the seepostcard.php file.

I need to disguise the number in the url but still recover the original number to show the postcard.

I know this must be simple but i can't find the solution.

Can anyone point me to the right direction?


Thanks

Sofia

[kenrbnsn]

Instead of trying to encrypt the id, send some other identifier that is tied to that particular card to the recipient. They would have to enter this string to see the card. This could be a random string. Use it as a password. Store it encrypted in your DB, but you can send it plain text to the user. Just make sure you don't generate the same string more than once.

Ken

[Fyorl]

You could use my two-way encryption/decryption class but 256-bit encryption would probably be over the top for what you want. I would agree with kenrbnsn, add a column into your table say `key` (varchar 255) and then in your code, generate a random string (there's a function on this site for that). md5 hash that string and insert it into your table along with the rest of the data. Send either that string or the md5 hashed version in the email instead of the id. Then, when the user follows the link, you just use the key as your id instead.

[yonta]

Thank you both [img src=\"style_emoticons/[#EMO_DIR#]/laugh.gif\" style=\"vertical-align:middle\" emoid=\":laugh:\" border=\"0\" alt=\"laugh.gif\" /]

Best,

Sofia

[anatak]

[!--quoteo(post=381632:date=Jun 9 2006, 08:04 AM:name=Fyorl)--][div class=\'quotetop\']QUOTE(Fyorl @ Jun 9 2006, 08:04 AM) [snapback]381632[/snapback][/div][div class=\'quotemain\'][!--quotec--]
I would agree with kenrbnsn, add a column into your table say `key` (varchar 255) and then in your code, generate a random string (there's a function on this site for that). md5 hash that string and insert it into your table along with the rest of the data.
[/quote]

I have a stupid question about this.
If you generate a random string are you always sure that it will be unique ?

can you also tell me where the function to create the random string is ?

thanks
anatak

[Fyorl]

heh, I thought someone might mention that. The answer is no, you can't always be sure it will be unique. There are ways of ensuring it will be unique however, such as getting all the current key values from the database in an array and then generating the random string. Check the string exists in the array, if it does, regenerate the string until you get a unique one.

As for the function. There are a few but [a href=\"http://www.phpfreaks.com/quickcode/Megapunk---Random-Password-Generator/71.php?higlight=random+string\" target=\"_blank\"]this[/a] one looks good

[akitchin]

well, to be technical, you'd have to hash the string BEFORE checking it against the database for uniqueness. if we stored the strings as plaintext, it somewhat defeats the purpose of hashing it in the first place.

it might also be easier on the whole system if you simply run a call counting the rows that match the hashed string, rather than loading all strings into an array (if you've got a lot of strings, seems like it'd be a waste of resources).

ie. [!--sql--][div class=\'sqltop\']SQL[/div][div class=\'sqlmain\'][!--sql1--][span style=\'color:blue;font-weight:bold\']SELECT[/span] [color=blue]COUNT[/color](some_field) [color=green]FROM[/color] [color=orange]table[/color] [color=green]WHERE[/color] key[color=orange]=[/color][color=red]'your_MD5'[/color]d_random_string' [!--sql2--][/div][!--sql3--]

[Fyorl]

[!--quoteo(post=381681:date=Jun 8 2006, 08:42 PM:name=akitchin)--][div class=\'quotetop\']QUOTE(akitchin @ Jun 8 2006, 08:42 PM) [snapback]381681[/snapback][/div][div class=\'quotemain\'][!--quotec--]
well, to be a technical butt, you'd have to hash the string BEFORE checking it against the database for uniqueness. if we stored the strings as plaintext, it somewhat defeats the purpose of hashing it in the first place.

it might also be easier on the whole system if you simply run a call counting the rows that match the hashed string, rather than loading all strings into an array (if you've got a lot of strings, seems like it'd be a waste of resources).

ie. [!--sql--][div class=\'sqltop\']SQL[/div][div class=\'sqlmain\'][!--sql1--][span style=\'color:blue;font-weight:bold\']SELECT[/span] [color=blue]COUNT[/color](some_field) [color=green]FROM[/color] [color=orange]table[/color] [color=green]WHERE[/color] key[color=orange]=[/color][color=red]'your_MD5'[/color]d_random_string' [!--sql2--][/div][!--sql3--]
[/quote]

Well I thought the hash thing went without saying. But good point with counting the values rather than actually pulling them all out. And how come it highlights SQL syntax but not PHP?

[akitchin]

well i use an actual sql /sql tag set. i don't think they were smart enough to implement PHP highlighting for some reason, which strikes me as being more prominent than SQL. IPB, that is, not eric.

[Fyorl]

That's rather silly, considering they have the PHP tag image and everything. Can't be that hard to write a PHP syntax highlighter. A few complicated regexs'd do the trick

[kenrbnsn]

There used to be PHP highlighting until an upgrade blew away the special code last year. There is talk of bringing it back. There has been some discussion about this on the [a href=\"http://www.phpfreaks.com/forums/index.php?showforum=11\" target=\"_blank\"]PHPFreaks.com Questions, Comments & Suggestions[/a] forum.

Ken

[yonta]

I was wondering which option would be more efficient:

insert the postcard record (without the hashed key), recover the last_insert_id, use a random password script (like the one posted here) on the time and last_insert_id - this should make sure the key is always unique since the id will always be so, right (if not please say so)? And last update the postcard record with the generated key.

or do a count like described before, and if that key exists generate a new one. And then insert the whole postcard row.

Both options require two connections to the database. But if the database will tend to get big over time isn't a count query more resource intensive than a regular update query?

Thanks

[Fyorl]

The best way would be to not insert the post card record at first and then generate a random string, checking whether it was unique using COUNT(*) (this is still faster than retrieving all the rows from the database). Another idea occured to me though which may be faster than count on large databases, after generating a key, run an sql query:[!--sql--][div class=\'sqltop\']SQL[/div][div class=\'sqlmain\'][!--sql1--][span style=\'color:blue;font-weight:bold\']SELECT[/span] `key`
[color=green]FROM[/color] [color=orange]`table`[/color] [color=green]WHERE[/color] `key`[color=orange]=[/color][color=red]'$key'[/color]
LIMIT 1 [!--sql2--][/div][!--sql3--] The LIMIT 1 being crucial here as the database engine will stop after it finds one match instead of searching through the whole table. Then you could get if the query returned a result and if so, regerate the key.

Then md5 hash the key and insert it with the rest of the post code. That method requires a number of queries dependant on how many retries it takes for a unique key to be found. But appending the id onto time() [i]should[/i] generate a unique key each time (I can see no reason why it wouldn't). And it only ever requires 2 queries.

Therefore, your method's better heh