PHP Hide id from being shown in a href url

Question

I have two MySQL tables. The first one is for the user's credentials i.e. username, password, business_id (system generated). The second one has the user's profile for multiple entities e.g. business name, location, profile_id and business id (system genrated - the same number for the business_id).

The user can edit the details of their business details i.e. their details in the second table. The business id would be say 'abcdef' and profile id would be say 1234567, if they have a second business profile it would be say 1235879.

In order to edit each profile I would have to have the following URL

<a href="edit_profile.php?id=1234567">Edit Business Profile</a>

For the second one it would be

<a href="edit_profile.php?id=1235879">Edit Business Profile</a>

In turn when the a href is clicked the url in the browser would be edit_profile.php?id=1234567 and for the second one would be edit_profile.php?id=1235879

Would it be possible that instead of having edit_profile.php?id=1234567 and edit_profile.php?id=1235879 in the URL I would have edit_profile.php?id=1234567 and for the second one would be edit_profile.php

I don't want the User to see the id i.e. have only edit_profile.php

Ideally, I would like to use a PHP solution, please.

Answer 1

Easiest and simplest way to handle your situation if you want to use Id or any information in URL and pass it through URL then you can have a scret combination with your values like below Firt you have to encode the value with your secret stuff for example

$sshhh="ITSMY_SECRET_VALUECODE";
$encrypted_id = base64_encode($your_value . $sshhh);

Then pass it (encrpyted_id) in URL for example href="all-jvouchers.php?id=<?= $encrypted_id; ?>

and while getting value use below code to get back your value

$sshhh="ITSMY_SECRET_VALUECODE";    
$decrypted_id_raw = base64_decode($_GET['id']);
$decrypted_id = preg_replace(sprintf('/%s/', $sshhh), '', $decrypted_id_raw);

Use $decrypted_id wherever and however you want to securely

Answer 2

Store the id in session on the first page:

$_SESSION['id'] = 12345;

And on edit_profile.php you can get the value by:

$id = $_SESSION['id'];

And start the session on every page by session_start();

Answer 3

Start your PHP with session_start(); then when the user logs in make a session value for the ID:

$_SESSION['profile-id'] = 1235879; //Select it from database

after in your edit_profile.php do that:

if (!isset($id)) { 
    $id = $_SESSION['profile-id'];
}

And then edit the $id.

Answer 4

Yes, it is possible, but not exactly what are you trying to do

---

Solution #1

Intoduction

First of all, it should work only on users who are currently logged in and are trying to see their profile. The final results to reach is to not display ID in URL if ID is equal to current logged user's ID. It is more common than Solution #2 but if you want to hide all IDs, skip this solution.

Pluses:

• There is not too much to change, just add a few more lines for checking current user ID
• You can still use <a></a> tags for Edit Business Profile links.

Minuses:

• Only current logged user's ID will be hidden in the URL

So what to do...

You probably use sessions to let users remain logged in even if they refreshed the page. You are on the right path, but you should add at least one more element to $_SESSION (Profile identification, so we can call it as profile_id for example).

Assume you are using this login formula:

function check_login($username, $password)
{
    // query to find user with these inputs (encrypted password, prepared statements, etc)

    if($query->num_rows > 0) // user exists
    {
        // fetch your query
        // ...
        session_start();
        // set the session probably user is logged
        // some return on success (probably redirect)
    }
    else
    {
        // some return on false
    }
}

Now you should add one more $_SESSION element to save your current profile_id value:

session_start();
// ...
$_SESSION['profile_id'] = $result->profile_id; // <--- THIS IMPLEMENT
// some return on success (probably redirect)

1/2 is done!

Half of the problem is already finished, now all you need to do is compare $_GET input with $_SESSION.

Again, assuming your edit_profile.php file looks like this:

if(isset($_GET['id']) && !empty(trim($_GET['id'])))
{
    $profile_id = intval($_GET['id']);
    // ...
}
else
{
    // probably an error profile id is not defined
}

// rest of the code ...

So now instead of error profile id is not defined we can assign to $profile_id variable index profile_id of superglobal $_SESSION:

else
{
    $profile_id = intval($_SESSION['profile_id']);
}

Notice that I am assuming you have condition to reject access to this script, if user is not logged (some condition at the start).

Now your code should work but maybe you are asking the question what if user knows his ID and types it into URL?

So you have two choices:

• Let it be as it is
• Add condition to check if $_GET['id'] equals to $_SESSION['profile_id'] then redirect to edit_profile.php

Final thoughts...

Maybe if you are generating the list of the users, where the user can edit the others' users profiles including himself's, you want to remove id parameter of the edit_profile.php URL if the user's ID is equal to current ID in fetch loop. You can inspire by this simple function:

function generate_profile_edit_url($id)
{
    session_start(); // for the case, you don't have started session yet

    return '<a href="edit_profile.php' . ($_SESSION['profile_id'] == $id ? '' : '?id=' . $id) . '">Edit Business Profile</a>';
}

Just in every fetch iteration you will use this function, like in the example below:

// ...
echo generate_profile_edit_url($result->profile_id);
// ...

---

Solution #2

Introduction

This solution will reach to the editing user's profile without any ID parameter in URL. It is designed for situation where user has rights to edit someone else's profile (for example, a moderator or an admin) and you still don't want to have the users' ID in the URL.

Pluses:

• No ID parameter in URL needed for all users

Minuses:

• you have to change every profile link to little form using POST action without JavaScript knowledge
• no more <a></a> links for profile edit, again without JavaScript knowledge
• users are still able to get their id if they want to

So what to do...

Firstly, we need to change edit_profile.php file. We have to recieve $_POST data containing target's profile_id.

Like in Solution #1, assume your edit_profile.php looks like:

if(isSet($_GET['id']) && !empty(trim($_GET['id'])))
{
    $profile_id = intval($_GET['id']);
    // ...
}
else
{
    // probably an error profile id is not defined
}

// rest of the code ...

Most of the changes will be just replacing $_GET with $_POST:

if(isSet($_POST['profile_id']) && !empty(trim($_POST['profile_id'])))
{
    $profile_id = intval($_POST['profile_id']);
    // ...
}
else
{
    // probably an error profile id is not defined
}

// rest of the code ...

For this file, it is enough.

Now there is some more work to do if you have a placed profile links in different files. But we can make it easier using one simple function like this:

function get_profile_edit_button($profile_id)
{
    $html = '<form action="edit_profile" method="POST">';
    $html .= '<input type="hidden" name="profile_id" value="' . intval($profile_id) . '">';
    $html .= '<input type="submit" value="Edit Business profile">';
    $html .= '</form>';

    return $html;
}

The last thing is replace current edit profile links with this function. For example you have fetch loop of users:

// ...
echo '<a href="edit_profile.php?id='" . $result->profile_id . '">Edit Business Profile</a>';
// ...

So you will replace this string with your function get_profile_edit_button():

// ...
echo get_profile_edit_button($result->profile_id);
// ...

Final thoughts...

As I mentioned in minuses, profiles' ids cannot be totally hidden. If someone opened Source code of your page, he can see profile_id in hidden form type:

<input type="hidden" name="profile_id" value="1234567">

It is only on you what solution you prefer, but I can recommend you Solution #1. There is nothing bad about having IDs in URL. Stack Overflow has it too as you can see it on questions, answers, comments and users.

---

Useful resources:

• PHP Session Security
• PHP form token usage and handling

Answer 5

Try this

<?php
    session_start();
    include('dbconnect.php');
    if(isset($_SESSION['username']))
    {
        $username = $_SESSION['username'];
        $userid = $_SESSION['id'];
    }

    else
    {
        $_SESSION['id'] = "";
        $_SESSION['username'] = "";
    }

    if($username <> "")
    {
        $username = 'username';
        $userid = 'id';
    }

    if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 900))
    {
        // last request was more than 30 minutes ago
        session_unset();    // unset $_SESSION variable for the run-time 
        session_destroy(); // destroy session data in storage
    }

    $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
?>

then

<?php
#if the form is set (meaning that the information was submitted then define what the parameters are for each
if(isset($_REQUEST['username']) == TRUE)
{   
        $username = $_REQUEST['username'];
        $password = $_REQUEST['password'];  

        #make sure there are no blank fields
        if($username == "" OR $password == "")
        {
                echo '<p class="text-danger">Please enter a Username and Password</p>';
        }
        else
        {
            $userid = finduser($username, $password);
            if($userid > 0)
            {
                loginuser($userid);
            }

            else
            {
                echo '<p class="lead text-danger">The Username and/or Password enter is incorrect</p><br />';
            }
        }
    }
?>

after that then this

<?php
    if(isset($_SESSION['username']))
    {
        if($_SESSION['username'] <> "")
        {
            //do something
        }

        else{
                //form or something else
?>

<form>form goes here</form>
<p> or something else you want</p>

<?php
    }
}
?>

Answer 6

If the user can edit multiple business profiles, the $_SESSION solutions would not work. You would need to disguise what gets sent to the address bar:

You would need to change your code to POST the data rather than sending it as a GET request.

To do this you could either use JavaScript to fake a form post on the link click, or wrap your link in a form tag and set method="POST".

POST sends the data "behind the scenes" rather than exposing it in the browser. I should add that this would still be visible to anyone wanting to discover your IDs, but it would hide it from the casual user at least.

If you really wanted security, @BobBrown's suggestion to tokenise would be a great way forward. You may find, however, that just hiding the ID from display on-screen is enough. Just make sure your user management system will restrict who can edit a particular business.

Answer 7

When logging in, try saving the user ID and business ID inside session.

As for example..

$logged_in = some_logic_stuffs();

if($logged_in){
  session_start();
  $_SESSION['user_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
   $_SESSION['business_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
}

Now, when user goes to edit_profile.php, do

session_start();

$business_id =  $_SESSION['business_id'];
$user_id =  $_SESSION['business_id'];

For the login logic, try reading this tutorial:

http://www.formget.com/login-form-in-php/