How do I change an URL ID to a more secure (unguessable) number?

Question

Just trying to do some security on my website and trying to figure out the best route to secure an ID into another number.

EXAMPLE: http://localhost/page.php?id=190 TO: http://localhost/page.php?id=2234923498734

Answer 1

A simple bitwise XOR with a salt you give you fast and easy results (here the salt is 123456789):

php > echo (190 ^ 123456789);
123456939
php > echo (191 ^ 123456789);
123456938
php > echo (192 ^ 123456789);
123456981
php > echo (193 ^ 123456789);
123456980
php > echo (194 ^ 123456789);
123456983

with the nice fact that the XOR is a bijection:

123456983 ^ 123456789 = 194

So reusing the same salt on the given id will gives you the real id. But as said by @mightyuhu the problem is now math, you should maybe add the 'math' tag to get some more complex bijections.

Answer 2

You are looking for a hash-function like md5(). (With salting of course) Or you could think of any injective math-function you like to make your real id harder to guess..

Answer 3

You could also use the base64_encode function if you need an easy way to hide the id from users (base64_decode is the opposite function used to decode base64 encoded stuff).

Do note that base64 encoding doesn't make your data more secure just obfuscated enough for your visitors not to be able to read the id immediatelly.

Answer 4

You can try using md5($id), then store the md5 of the ID in the database and look up the record based on that.