coupe-r Posted January 27, 2011
Hi All, Currently, in my application, my links use index.php?id=14 (or whatever ID it is). Should I somehow encrypt those so the exact ID is not known or is this OK?
https://forums.phpfreaks.com/topic/225877-urls-and-_get/
Maq Posted January 27, 2011
Depends what you're using it for.
coupe-r (Author) Posted January 27, 2011
Well, throughout the site, it is used to query the user's record.

    edit.php?id=14 <--- This would grab from the users table WHERE user_id = $_GET['id'].

I have it so if a user enters an erroneous number that isn't tied to their client_id, it drops them back a page.

    other.php?id=14&cid=34 <--- This would grab the user's complaint record.

That is what I use it for, mainly.
Maq Posted January 27, 2011
> I have it so if a user enters an erroneous number that isn't tied to their client_id, it drops them back a page.

If you're checking to ensure the id is tied with the current user's account then it should be fine. You may want to sanitize your variable with mysql_real_escape_string or use prepared statements to prevent SQL injections. That goes for any value that is used in a query that the user can manipulate.
coupe-r (Author) Posted January 27, 2011
Which would be better to use? If I sanitize, just do:

    // mysqli_real_escape_string() needs the open connection as its first argument
    $urlVal = mysqli_real_escape_string($link, $_GET['id']);

Then query on $urlVal?
BlueSkyIS Posted January 27, 2011
If magic quotes is on, you'll get double-slashes without removing them. If magic quotes is on, I stripslashes() first.

    // take the raw id, trimmed, or an empty string if it is absent
    $urlVal = (isset($_GET['id'])) ? trim($_GET['id']) : '';
    // undo the slashes magic quotes added so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $urlVal = stripslashes($urlVal);
    }
    $urlVal = mysql_real_escape_string($urlVal);
cyberRobot Posted January 27, 2011
If the ID should always be a number, you could check to make sure it's a number before querying the database.

    ...
    if (preg_match("/^\d+$/", $_GET['id'])) {
    ...

This will stop queries for things like: index.php?id=a
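Putting Maq's ownership check, his prepared-statement advice and cyberRobot's numeric check together in one handler, as an added example that is not code from anyone in this thread. It assumes session_start() has already run and that login stored the caller's client id in $_SESSION['client_id']; the connection details and the users table columns are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). The id in the URL stays visible; what
// protects the record is that the query is bound to the logged-in client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function fetchOwnedUser(mysqli $db, int $clientId, string $rawId): ?array
{
    // Accept only a plain positive integer of sane length before it goes
    // anywhere near SQL (same intent as the preg_match("/^\d+$/") check).
    if (!ctype_digit($rawId) || strlen($rawId) > 10) {
        return null;
    }
    $id = (int) $rawId;

    // Both the id and the caller's client_id are bound parameters, so a
    // guessed id that belongs to another client simply returns no row, and
    // no string from the request is ever concatenated into the query.
    $stmt = $db->prepare(
        'SELECT user_id, name, email FROM users WHERE user_id = ? AND client_id = ?'
    );
    $stmt->bind_param('ii', $id, $clientId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Hypothetical connection values; replace with the application's own.
$db = new mysqli('localhost', 'app_user', 'app_password', 'appdb');
$row = fetchOwnedUser($db, (int) ($_SESSION['client_id'] ?? 0), $_GET['id'] ?? '');

if ($row === null) {
    // "Not a number", "no such row" and "not yours" all end here with the same
    // response, so the page does not reveal which ids exist for other clients.
    http_response_code(404);
    exit('Record not found');
}
// ... render $row ...
```

Logging the rejected requests server-side (client id plus the offending value) gives a simple signal for someone walking through ids.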
coupe-r (Author) Posted February 2, 2011
Last question. If I wanted the best way to "hide" the ID in the URL, would I encrypt it and then decrypt it on the new page or is there a better way? Basically, I want to have ID=Dj43k;asd890faaklsdf01934jfa in the URL, not ID=12. Suggestions?
ttocskcaj Posted February 2, 2011
You could do encryption with mcrypt. Here's a tutorial: http://www.phpro.org/classes/Two-Way-Encryption-With-PHP-Mcrypt.html and the PHP manual: http://php.net/manual/en/book.mcrypt.php

If you don't want to go that far, you could perhaps add a random lot of numbers to the end so it's like id=4842049262658265620528. That way it looks encrypted, but secretly you just use the 1st 2 numbers.