Reputation: 2722
I want to be able to email my clients a link to their profile. The link looks something like this:
https://www.example.com/admin-area/files/edit_tenant.php?tenant_id=37
I don't want the user to be able to change the '37' to '38' and edit another person's profile.
I'm thinking I need to encrypt the '37' in some way. I've done my research online but think I might be overthinking it, as I've started coming across 'salts', etc.
I'm after a simple but secure solution using PHP.
Thanks in advance.
Upvotes: 1
Views: 283
Reputation: 1952
Define a "token" field in your users table. When a user signs up in your system, produce a random string (let's say 40 characters) and insert this token along with the other information. So when you want to look up a user, look them up by their token instead of their id. This way no one can guess other users' tokens!
In order to generate random string you can use the function below:
function generateRandomString($length = 40) {
    // Alphabet of 62 characters; each position is chosen independently.
    $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $charactersLength = strlen($characters);
    $randomString = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is a CSPRNG; do not substitute rand() or mt_rand() here.
        $randomString .= $characters[random_int(0, $charactersLength - 1)];
    }
    return $randomString;
}
Note: random_int() is a PHP 7 function, but there is a polyfill available for PHP 5.
Upvotes: 4
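The token-per-user scheme from the answer above, carried through end to end as an added example (not code from the answer): an in-memory SQLite database via PDO so it runs from the command line without a server, a token produced by random_bytes() rather than the character loop, a UNIQUE column so two tenants can never share a token, and a lookup that only ever sees the token. The table name tenants, the columns tenant_id/name/token, the query parameter t and the edit_tenant.php flow are assumptions for the example.

```php
<?php
// Added example, not from the original answer: tenants are reached through a
// random, stored token instead of their sequential id. Uses an in-memory
// SQLite database through PDO (pdo_sqlite extension) so it runs offline.
// Table and column names (tenants, tenant_id, name, token) are assumptions.
declare(strict_types=1);

// 20 random bytes = 160 bits of entropy, rendered as 40 hex characters.
// random_bytes() is a CSPRNG (PHP 7+; paragonie/random_compat polyfills PHP 5),
// which is what makes the token unguessable.
function generateToken(): string
{
    return bin2hex(random_bytes(20));
}

function createTenant(PDO $db, string $name): string
{
    $token = generateToken();
    $stmt = $db->prepare('INSERT INTO tenants (name, token) VALUES (:name, :token)');
    $stmt->execute([':name' => $name, ':token' => $token]);
    return $token;
}

// Look the tenant up by token only. The sequential tenant_id never appears
// in the URL, so there is nothing for the recipient to increment.
function findTenantByToken(PDO $db, string $token): ?array
{
    // Reject anything that is not exactly 40 hex characters before querying.
    if (!preg_match('/\A[0-9a-f]{40}\z/', $token)) {
        return null;
    }
    $stmt = $db->prepare('SELECT tenant_id, name FROM tenants WHERE token = :token');
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function profileLink(string $token): string
{
    return 'https://www.example.com/admin-area/files/edit_tenant.php?t=' . $token;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tenants (
    tenant_id INTEGER PRIMARY KEY AUTOINCREMENT,
    name      TEXT NOT NULL,
    token     TEXT NOT NULL UNIQUE
)');

// Constructed sample data for the example.
$aliceToken = createTenant($db, 'Alice');
$bobToken   = createTenant($db, 'Bob');

echo 'Email to Alice: ' . profileLink($aliceToken) . PHP_EOL;

// What edit_tenant.php does with the incoming request. When run from the CLI
// there is no query string, so fall back to Alice's token for the demo.
$t = $_GET['t'] ?? $aliceToken;
$tenant = findTenantByToken($db, $t);
if ($tenant === null) {
    http_response_code(404);
    echo 'No such tenant' . PHP_EOL;
} else {
    echo "Editing tenant #{$tenant['tenant_id']} ({$tenant['name']})" . PHP_EOL;
}
```

Both bin2hex(random_bytes(20)) and the answer's random_int() loop are fine; what matters is that the token comes from a CSPRNG, is long enough that enumeration is hopeless (160 bits here), is stored with a UNIQUE index, and is the only thing the page uses to pick the row. The prepared statement keeps the token out of the SQL text, and the format check turns anything that is not a token into a plain 404 before the database is touched.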
Reputation: 617
Not allowing the id to be in(de)cremented is the right way! You should look at this page. In short: you don't have to use hashing/obfuscation functions. Instead you should generate unique random ids (for example UUIDs).
Upvotes: 0
Reputation: 77
something you can do is:
$token = md5($tenant_id); // e.g. output: a5bfc9e07964f8dddeb95fc584cd965d
Save the "token" into the db for that user (you can add a column named token or something like that).
When the user goes to the profile with the tenant_id param (I'd use "token" or just "t" to give less info to possible attackers), look for that value in the db, searching by the new column you added.
Done, and you don't need to know more about encrypting :)
Upvotes: -2
Reputation: 817
I agree with Mario that this probably isn't the best idea ever, security-wise... However, if you absolutely have to be able to give users such access, then you can use the PHP hash functions. Create a hash based on the userID+Email/some other identifier and save that to the db... Then use that as your userID=
Info on hash functions: http://php.net/manual/en/function.hash.php
Upvotes: -1
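The two answers above that derive the token from the id (md5($tenant_id)) or from id+email share one property worth seeing in code: the token is a pure function of values the link's recipient can guess, so it is not a secret. The following is an added example, not code from either answer; the email guess list and the tenant ids are constructed sample data, and the function names are assumptions. It contrasts the derived tokens with a stored random token like the one in the accepted answer.

```php
<?php
// Added example, not from any answer on this page: why a token derived from
// guessable inputs (md5 of the id, or a hash of id+email) does not stop the
// recipient of one link from building a neighbour's link. All data constructed.
declare(strict_types=1);

// Scheme from the md5 answer: the token is a pure function of the id.
function md5Token(int $tenantId): string
{
    return md5((string) $tenantId);
}

// What the holder of tenant 37's link can do: hash every small id until one
// matches the token in their own link. Returns the recovered id, or null.
function recoverIdFromMd5Token(string $token, int $maxId = 100000): ?int
{
    for ($id = 1; $id <= $maxId; $id++) {
        if (hash_equals(md5Token($id), $token)) {
            return $id;
        }
    }
    return null;
}

// Scheme from the last answer: hash of id plus email. The secrecy now rests
// entirely on the email, so the attacker loops over ids and candidate emails.
function idEmailToken(int $tenantId, string $email): string
{
    return hash('sha256', $tenantId . $email);
}

// Stored random secret, as in the accepted answer: nothing to derive it from.
function randomToken(): string
{
    return bin2hex(random_bytes(20));
}

// 1. Recover the id behind a md5 token, then mint the next tenant's token.
$myLinkToken = md5Token(37);   // the value shown in the md5 answer above
$recovered   = recoverIdFromMd5Token($myLinkToken);
printf("md5 token %s belongs to tenant %d\n", $myLinkToken, $recovered);
printf("tenant %d's link would carry t=%s\n", $recovered + 1, md5Token($recovered + 1));

// 2. Break an id+email token with a constructed list of guessable addresses.
$guesses     = ['alice@example.com', 'bob@example.com', 'carol@example.com'];
$victimToken = idEmailToken(38, 'bob@example.com');   // what tenant 38's link carries
foreach ($guesses as $email) {
    if (hash_equals(idEmailToken(38, $email), $victimToken)) {
        printf("id+email token for tenant 38 matches %s\n", $email);
    }
}

// 3. A random stored token gives the recipient no handle at all.
printf("random token: %s (160 bits, unrelated to the id)\n", randomToken());
```

The first loop finishes in well under a second for any realistic id range, and a hash function that is slower or "stronger" than md5 does not change that, because the attacker only needs to evaluate it once per candidate id. A token has to be unguessable, which means random and stored, not hashed from something the recipient already knows.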