How to hide MySQL generated ID in URL

Question

Right now I can get the information for a product in my database by simply using its ID in the URL lik so: http://www.example.com/?productID=5
Now I can guess the next one since these IDs are all auto incremented.
How would you hide this ID and replace it with something better? I mean it still has to be a unique identifier.
To complicate it a little I was thinking I could use a global unique identifier and add this in the database in another column. But I have the feeling that this is not the best way to do this :)
Please let me know your thoughts and tell me how you solved/would solve this in your project.

What I basically want is to get rid of knowing the next/previous ID.

There are no security limitations on the products themselves. Users are most likely allowed to see them. I was thinking that this technique could prevent crawling all products?!?

Like what amazon.com does: It looks like they hide the item's ID in some way, right?

Answer 1

A solution to this is to use post instead, this is just a quick mashup i did.

<?php

//how to handle the request
if(isset($_POST['transfer']) && !empty($_POST['transfer']))
{
    $transfer = $_POST['transfer'];

    //what to do?
}

?>

//how to make a link with id 5
<a href="javascript:transfer('5');">link</a>

//this is for the functionality
<form id="transfer_form" action="http://www.example.com/" method="POST">
    <input type="hidden" id="transfer" name="productID" value="" />
</form>

//this should be placed within the <head>
<script>
function tranfer(link)
{
    document.getElementById('transfer').value = link;
    document.getElementById('transfer_form').submit();
}
</script>

Answer 2

you can use some kind of hashing algorithm like md5(), sha1() etc... and yes, it is better to store that hash in another column in your table for faster lookup.

If you use md5() it is a good practice to seed it with fixed or random salt string. My favorite is to do it with microtime().

Generate hash before db insert:

$salt = "my_secret_salt_string";
$entry['hash_code'] = md5($salt . microtime()); // every time a different result is generated which will ensure uniqueness
// insert into ...

Or if you prefer using generated id as a salt, then update entry:

// insert into ...
// get id
$entry['hash_code'] = md5($id . microtime());
// update ...

Answer 3

First of all, have a look at mod_rewrite.

I am making use of CakePhp, this allows me to have easy access to urls created by the .htaccess rules. In my case, my titles are 100% unique, which allows me to have a slug version of the title.

For example my title is SZD-51 Junior, this will become SZD-51_Junior. I just add this slug to my database and use this as a secondary unique identifier. When a user visits www.example.com/planes/SZD-51_Junior I can do something like:

// pseudo mysql
SELECT *
FROM table
WHERE slug = url_param

//in cakephp
$this->Plane->findBySlug($this->params['slug']);

There are a lot of approaches, what would you like the url to become? Which format?

Answer 4

You could also use a slug which works great for SEO. so Product 1 slug could be http://www.example.com/?productSlug=exampleitemnameasoneword You just have to make sure slugs are unique. You would of course need a slug field in your database entry and be able to enter/edit it.