Generate a random string from a numeric ID


Merdok

Hi Guys,

 

I'm setting up a shortURL generator for my blog. At the moment it just uses the article's ID number, but obviously that is not secure, so before I put it out into the real world I want to convert it into a code (e.g. 3sF428EDD3 or something like that). The code needs to be unique for each article and preferably needs to be something that can be converted back into the ID. Although if that's too much of a pain then I don't mind it being one-way, as I can always just add a 'shortcode' field to the database.

 

Any ideas?

I have the same question. What makes you think that is not secure?

 

Edit:

Just assumed showing the world the ID from the database would be a bad idea

 

In programming, you cannot assume anything. You must have a state-able problem before you can solve it. What about showing the world the ID do you think makes it not secure?

To be honest I don't know. I learned PHP at university and my tutor always said not to show people the primary key, but now I think about it, he never really told us why. I guess that's my problem solved then :)

 

The reason your tutor told you that was most likely so if anybody found a vulnerability in your application, they at least may not know the PK of your articles, they may need to work a bit harder to find those out (if you used another mechanism).

 

IMO that is not a good enough reason to justify using a different mechanism for identifying records.

What he probably was trying to say is that database IDs should not be of interest to users. You shouldn't have your login form asking for 'User's ID' instead of 'Username' etc. As long as you take precautions against SQL injections, and have proper access control in place, there's no harm in showing these IDs to the world.

 

Look at the URL bar on this forum. It will show you a topic ID, and also possibly a message ID. Click on any user's nickname to see their ID. Is there anything you can do with these numbers? I doubt it.
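
For readers who still want the reversible short code asked for in the opening post, the following is an added example and not code from any participant in this thread. It assumes 64-bit PHP and article IDs that fit in 32 bits; the key and the names `SHORTCODE_KEY`, `roundFn`, `permute`, `encodeId` and `decodeId` are hypothetical. It only hides the ID sequence: the access control and SQL injection precautions mentioned above are still what protect the records.

```php
<?php
declare(strict_types=1);

// Constructed example key: replace with a secret kept outside the code base.
const SHORTCODE_KEY = 'constructed-example-key';
const ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Keyed 16-bit round function for the Feistel network below.
function roundFn(int $half, int $round): int {
    $mac = hash_hmac('sha256', pack('nC', $half, $round), SHORTCODE_KEY, true);
    return unpack('n', $mac)[1];
}

// 4-round Feistel network: a keyed one-to-one mapping on 32-bit integers,
// so every ID gets a unique code and the mapping can be undone.
function permute(int $n, bool $reverse = false): int {
    $l = ($n >> 16) & 0xFFFF;
    $r = $n & 0xFFFF;
    $order = $reverse ? [3, 2, 1, 0] : [0, 1, 2, 3];
    foreach ($order as $i) {
        if ($reverse) {
            [$l, $r] = [$r ^ roundFn($l, $i), $l];
        } else {
            [$l, $r] = [$r, $l ^ roundFn($r, $i)];
        }
    }
    return ($l << 16) | $r;
}

function encodeId(int $id): string {
    if ($id < 0 || $id > 0xFFFFFFFF) {
        throw new InvalidArgumentException('ID out of 32-bit range');
    }
    $n = permute($id);
    $out = '';
    do {                                   // base-62 encode the permuted value
        $out = ALPHABET[$n % 62] . $out;
        $n = intdiv($n, 62);
    } while ($n > 0);
    return str_pad($out, 6, '0', STR_PAD_LEFT);   // 62^6 > 2^32, so 6 chars suffice
}

// Returns null for anything that is not a well-formed code (treat as 404).
function decodeId(string $code): ?int {
    if (!preg_match('/^[0-9A-Za-z]{6}$/', $code)) return null;
    $n = 0;
    foreach (str_split($code) as $ch) $n = $n * 62 + strpos(ALPHABET, $ch);
    return $n > 0xFFFFFFFF ? null : permute($n, true);
}
```

The integer returned by `decodeId` should still go through the same parameterized query and permission check as a plain numeric ID would.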
