Reputation: 1266
I am currently using a program to send newsletters, in every newsletter I am sending a link so the customer can look at his own data and sub/unsub from newsletters. The link I am using now is this: http://localhost/Mail/subscriptionseditklant.php?ID=77
and is made with this code:
<a href="subscriptionsedit.php?page=1&ID=<?=$objResult["ID"];?>">subscriptions</a>
For security reasons I don't want to show the customer the ID=77 part so he can't modify it to look at other customers' info. My idea was to hide the ID inside random numbers (4 in front and 4 behind the ID) which I have done using this:
<a href="subscriptionsedit.php?page=1&ID=<? echo rand(1000,9999); ?><?=$objResult["ID"];?><? echo rand(1000,9999); ?>">subscriptions</a>
This will display a link like this one: http://localhost/Mail/subscriptionsedit.php?page=1&ID=9755774430
On the subscriptionsedit.php I am using $_GET to get the ID from the url.
My question:
Is there any way I can get $_GET to ignore the first 4 and last 4 numbers from the ID so it will capture the right ID?
I have tried to google for something like this but since I don't know what it is called (if it even exists) I was not able to find anything. I hope my question is clear but if you have any question just ask them! (Also if anyone knows a better title for this question feel free to edit it because I have no idea how to name this question)
Upvotes: 3
Views: 1308
Reputation: 173562
Instead of trying to hide the id, you could use a mapping table on the server with two columns: primary(hash), id
The hash can be a random blob, but for readability you could use a uuid as well, e.g.
hash | id
-------------------------------------+----
9d76d130-0119-4d7a-9eed-95ad3617e512 | 123
Then, use the hash inside the url. The advantage of a random hash is that there's no correlation between the hash and the id, other than the server-side table.
A smaller hash could be obtained by using uniqid() and md5() or sha1():
sha1(uniqid('', true));
Alternative
If the ID itself is public but you just want to avoid tampering, look into hash_hmac():
$salt = md5(uniqid('', true));
$signature = hash_hmac('sha1', $id . $salt, 'some super secret key');
Generate the key using something like base64_encode(openssl_random_pseudo_bytes(8))
You can add this $signature and $salt to the URL as well and then verify it when you receive it.
$id = $_GET['id'];
$salt = $_GET['salt'];
if (hash_hmac('sha1', $id . $salt, 'some super secret key') === $_GET['signature']) {
// valid
}
Upvotes: 2
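A complete version of the signed-link approach from the answer above, added here as an example and not part of that answer. It puts a '|' separator between the id and the salt so that different (id, salt) pairs cannot concatenate to the same string, and compares with hash_equals() instead of ===. SIGNING_KEY is a placeholder; in practice the key is loaded from a config file outside the web root.

```php
<?php
// Added example: build an HMAC-signed subscription link and verify it
// on the receiving page. SIGNING_KEY is a constructed placeholder.
const SIGNING_KEY = 'replace-with-a-long-random-secret';

function build_subscription_url(int $id): string {
    // Per-link random salt, so two links for the same id differ.
    $salt = bin2hex(random_bytes(8));
    // '|' keeps id=1,salt="23.." distinct from id=12,salt="3..".
    $signature = hash_hmac('sha256', $id . '|' . $salt, SIGNING_KEY);
    return 'subscriptionsedit.php?' . http_build_query([
        'page'      => 1,
        'ID'        => $id,
        'salt'      => $salt,
        'signature' => $signature,
    ]);
}

// Returns the verified customer id, or null if the request was
// incomplete, malformed or tampered with.
function verify_subscription_request(array $params): ?int {
    if (!isset($params['ID'], $params['salt'], $params['signature'])) {
        return null;
    }
    if (!ctype_digit($params['ID']) || !ctype_xdigit($params['salt'])) {
        return null;
    }
    $expected = hash_hmac('sha256',
        $params['ID'] . '|' . $params['salt'], SIGNING_KEY);
    // hash_equals() runs in constant time; === leaks timing on mismatch.
    if (!hash_equals($expected, $params['signature'])) {
        return null;
    }
    return (int) $params['ID'];
}

// Demo: a genuine link verifies, a link with a changed ID does not.
$url = build_subscription_url(77);
parse_str(parse_url($url, PHP_URL_QUERY), $params);
var_dump(verify_subscription_request($params));   // int(77)
$params['ID'] = '78';                              // tampered by the client
var_dump(verify_subscription_request($params));   // NULL
```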
Reputation: 11628
Your subscriptionsedit.php script should accept the customer ID and look for $_SESSION["PASSWORD"], previously set by the user as a result of the login process, something like:
subscriptionsedit.php?page=1&ID=77
look at password stored in the $_SESSION["PASSWORD"] field
Doing it that way it will not be possible to sneak inside the data of other customers, because $_SESSION[] is private information held by the server for every user.
Upvotes: 0
Reputation: 4461
This will work:
$id='1234554321';
preg_match('/\d{4}(\d+)\d{4}/', $id, $matches);
var_dump($matches[1]);
But..
I wouldn't do that.
I would generate some unique string, store it in the database and provide it to the end user. So that the url would be like this:
example.com/view.php?token=<unique-string>
See http://php.net/manual/en/function.uniqid.php to get a unique string.
Upvotes: 0
Reputation: 14774
You could use substr() in PHP to extract the ID you need.
Something like this?
<?php echo substr($_GET['ID'], 4, -4); ?>
BUT, this is a horrible horrible idea for 'security' reasons.
You would be better off using an ID that isn't incremental and therefore 'guessable'. Try using an md5() function or something to generate an additional ID, as well as your primary key, to store in the database.
http://php.net/manual/en/function.md5.php
Upvotes: 0
Reputation: 20286
Hiding the number is a poor solution, the better one is to encrypt this number via http://php.net/manual/en/function.mcrypt-encrypt.php
Of course you can ignore letters, cast this $_GET['var'] to a char array and then use a range, for example
$_GET['var'] = 123543123;
to get 543 you need to use the function substr():
$hidden_number = substr($_GET['var'],3,3);
Upvotes: 2
Reputation: 2051
Use encrypt and decrypt functions in PHP. Do not believe in your own algorithms. Otherwise you can use substr() in PHP.
Upvotes: 0
Reputation: 1106
$ID = substr($_GET['ID'], 4, -4); // drop the 4 random digits added on each side
http://www.php.net/manual/en/function.substr.php
Upvotes: -1
Reputation: 2098
You can use the substr() function to remove the first 4 and last 4 characters from your string. But better yet, just encode your id using a built-in PHP encryption function.
Upvotes: 0
Reputation: 1553
Check the manual for the substr method: http://php.net/substr
Something like
$id = substr($_GET['ID'],4,-4);
should do the trick you want.
Upvotes: 1