Hiding true database object ID in url’s

by

This question has been asked a lot, with different word choice (which makes it difficult to say, “Just search for it!”). This fact prompted a blog post titled, The Comprehensive Guide to URL Parameter Encryption in PHP .

What People Want To Do Here

Some encryption function is used to deterministically retrieve the ID

What People Should Do Instead

Use a separate column

Explanation

Typically, people want short random-looking URLs. This doesn’t allow you much room to encrypt then authenticate the database record ID you wish to obfuscate. Doing so would require a minimum URL length of 32 bytes (for HMAC-SHA256), which is 44 characters when encoded in base64.

A simpler strategy is to generate a random string (see random_compat for a PHP5 implementation of random_bytes() and random_int() for generating these strings) and reference that column instead.

Also, hashids are broken by simple cryptanalysis. Their conclusion states:

The attack I have described is significantly better than a brute force attack, so from a cryptographic stand point the algorithm is considered to be broken, it is quite easy to recover the salt; making it possible for an attacker to run the encoding in either direction and invalidates property 2 for an ideal hash function.

Don’t rely on it.

More Related Contents:

  1. Improve password hashing with a random salt
  2. How Secure Is This Login System? (Using Cookies In PHP)
  3. How can I prevent SQL injection in PHP?
  4. SQL injection that gets around mysql_real_escape_string()
  5. Secure hash and salt for PHP passwords
  6. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  7. Reference: What is a perfect code sample using the MySQL extension? [closed]
  8. php mysqli_connect: authentication method unknown to the client [caching_sha2_password]
  9. How to create a secure mysql prepared statement in php?
  10. How do I use password hashing with PDO to make my code more secure? [closed]
  11. Using PHP 5.5’s password_hash and password_verify function
  12. Secure random number generation in PHP
  13. What does it mean to escape a string?
  14. SQL injections in ADOdb and general website security
  15. PHP MySQLI Prevent SQL Injection [duplicate]
  16. Why is using a mysql prepared statement more secure than using the common escape functions?
  17. Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?
  18. How to best store user information and user login and password
  19. how safe are PDO prepared statements
  20. encrypt and decrypt md5
  21. “slash before every quote” problem [duplicate]
  22. How to create a laravel hashed password
  23. a better approach than storing mysql password in plain text in config file?
  24. Fastest hash for non-cryptographic uses?
  25. Best way to connect to MySQL with PHP securely [duplicate]
  26. Im trying to create some temporary tables in mysql using php
  27. Convert latin1 characters on a UTF8 table into UTF8
  28. Php – Your PHP installation appears to be missing the MySQL extension which is required by WordPress
  29. MySQL GROUP BY and Fill Empty Rows
  30. mysql injection damages?

Leave a Comment