Hide database record ID in php mysql

Need to know how to mask or hide records displaying in the url. i.e. http://somewhere.net/page/info.php?prod=123.  Is there a way to mask that so users can't change the "123" to another number and pull data from another record?
HITmen07 Asked:
 
Greg Alexander, Lead Developer, Commented:
I have come up with an accorythm in the past to fix this issue, such as embedding the number in a random string and having a way to unencode it when you pull it... so for the most part the user won't be able to figure it out, thus getting an error when they change it.


For example

index.php?rm=Un2992nN445shhw

And then on the receiving page you can pull the number out of that, such as 245 is the id, and it would be harder to figure out... I have made some complicated ones in the past to better deal with it, but you get the idea... I hope
0
 
Greg Alexander, Lead Developer, Commented:
algorithm* not accorythm! sorry
0
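
Added example, not part of Greg Alexander's posts: one way to get the behaviour he describes, where a changed value produces an error on the receiving page. It swaps the embed-in-a-random-string scheme for an HMAC over the ID, so the number stays visible but cannot be altered undetected; `ID_TOKEN_KEY`, `id_mac()`, `encode_id()` and `decode_id()` are hypothetical names.

```php
<?php
// Added example (not from the thread): tamper-evident record ID for a URL.
// ID_TOKEN_KEY is a placeholder; load a random secret of 32+ bytes from configuration.
const ID_TOKEN_KEY = 'replace-with-a-long-random-secret';

// URL-safe, unpadded base64 of the first 16 bytes of HMAC-SHA256(id): 22 characters.
function id_mac(int $id): string
{
    $mac = hash_hmac('sha256', (string) $id, ID_TOKEN_KEY, true);
    return rtrim(strtr(base64_encode(substr($mac, 0, 16)), '+/', '-_'), '=');
}

// Sending page: build "<id>.<mac>" for use as the query-string value.
function encode_id(int $id): string
{
    return $id . '.' . id_mac($id);
}

// Receiving page: return the ID if the MAC verifies, otherwise null.
function decode_id(string $token): ?int
{
    // Canonical decimal ID (no leading zeros), a dot, then exactly 22 MAC characters.
    if (!preg_match('/^([1-9][0-9]{0,9})\.([A-Za-z0-9_-]{22})$/', $token, $m)) {
        return null;
    }
    $id = (int) $m[1];
    // hash_equals() compares in constant time.
    return hash_equals(id_mac($id), $m[2]) ? $id : null;
}

// Constructed demonstration values.
$token = encode_id(245);
var_dump(decode_id($token));                    // the original ID
var_dump(decode_id('246' . substr($token, 3))); // null: ID changed, MAC no longer matches
var_dump(decode_id('245'));                     // null: bare number without a MAC
```
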
 
Ray Paseur Commented:
This teaches how to generate a random unique string.  You can use the string for the keys.  It is quite unlikely that a client can guess the other keys.  You can see the script in action here:
http://www.laprbass.com/RAY_random_unique_string.php

You might also consider keeping the keys in the $_SESSION array.  Just a thought, ~Ray
<?php // RAY_random_unique_string.php
error_reporting(E_ALL);
echo "<pre>\n";

// GENERATE A SHORT UNIQUE RANDOM STRING FOR USE AS SOME KIND OF KEY
// NOTE THAT THE DATA BASE MUST HAVE THE rand_key FIELD DEFINED AS "UNIQUE"
// NOTE THAT THE LENGTH ARGUMENT MUST MATCH THROUGHOUT
define('ARG_LENGTH', 6);

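// IMPORTANT PAGES FROM THE MANUALS
// MAN PAGE: http://us2.php.net/manual/en/ref.mysql.php
// MAN PAGE: http://us2.php.net/manual/en/mysql.installation.php
// NOTE: THE mysql_* EXTENSION USED BELOW WAS REMOVED IN PHP 7.0; ON CURRENT PHP USE mysqli OR PDO

// CONNECTION AND SELECTION VARIABLES FOR THE DATABASE
$db_host = "??"; // PROBABLY 'localhost' IS OK
$db_name = "??"; // USED BY mysql_select_db() BELOW
$db_user = "??";
$db_word = "??";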


// OPEN A CONNECTION TO THE DATA BASE SERVER
// MAN PAGE: http://us2.php.net/manual/en/function.mysql-connect.php
if (!$db_connection = mysql_connect("$db_host", "$db_user", "$db_word"))
{
   $errmsg = mysql_errno() . ' ' . mysql_error();
   echo "<br/>NO DB CONNECTION: ";
   echo "<br/> $errmsg <br/>";
}

// SELECT THE MYSQL DATA BASE
// MAN PAGE: http://us2.php.net/manual/en/function.mysql-select-db.php
if (!$db_sel = mysql_select_db($db_name, $db_connection))
{
   $errmsg = mysql_errno() . ' ' . mysql_error();
   echo "<br/>NO DB SELECTION: ";
   echo "<br/> $errmsg <br/>";
   die('NO DATA BASE');
}
// IF WE GOT THIS FAR WE CAN DO QUERIES





// FUNCTION TO CREATE A DATABASE TABLE
function create_myTable()
{
    $length = ARG_LENGTH;

    mysql_query("DROP TABLE IF EXISTS myTable");
    $psql  = "CREATE TEMPORARY TABLE myTable ( ";
    $psql .= "_key        int(8)            NOT NULL AUTO_INCREMENT, ";
    $psql .= "rand_key    varchar($length)  UNIQUE NOT NULL DEFAULT '?', ";
    $psql .= "other_data  varchar(128)      NOT NULL, "; // AS NEEDED BY YOUR APPLICATION
    $psql .= "PRIMARY KEY(`_key`) ";
    $psql .= " ) ENGINE=INNODB DEFAULT CHARSET=ascii";
    if (!$p = mysql_query($psql)) { die( mysql_error() ); }
}





// FUNCTION TO MAKE A RANDOM STRING
// NOTE: mt_rand() IS NOT A CRYPTOGRAPHICALLY SECURE GENERATOR
function random_string()
{
// POSSIBLE COMBINATIONS = pow(strlen($chr),$length); = 8.9E8 IF LENGTH IS 6
//         1...5...10...15...20...25...30......
   $chr = "ABCDEFGHJKMNPQRSTUVWXYZ23456789";
   $str    = "";
   while(strlen($str) < ARG_LENGTH)
   {
      // mt_rand() BOUNDS ARE INCLUSIVE, SO THE LAST VALID INDEX IS strlen($chr) - 1
      $str .= substr($chr, mt_rand(0, strlen($chr) - 1), 1);
   }
   return($str);
}





// FUNCTION TO ENSURE THE RANDOM STRING IS UNIQUE
function make_random_key()
{
    $length = ARG_LENGTH;
    $rand_key = '';
    while ($rand_key == '') // GENERATE A UNIQUE AND RANDOM TOKEN
    {
        $rand_key = random_string($length);
        $isql     = "INSERT INTO myTable ( rand_key ) VALUES ( \"$rand_key\")";
        if (!$i   = mysql_query("$isql")) // IF QUERY ERROR
        {
            $err   = mysql_errno();
            if ($err == 1062) // DUPLICATE UNIQUE FIELD ON rand_key
            {
                $rand_key = '';
            } else
            {
                /* HANDLE FATAL QUERY ERROR ($isql) */
                // WITHOUT THIS, A KEY THAT WAS NEVER STORED WOULD BE RETURNED
                die( mysql_error() );
            }
        }
    }
    return $rand_key;
}




// SHOW HOW TO MAKE LOTS OF UNIQUE AND RANDOM STRINGS
create_myTable();

$kount = 0;
$array = array();
while ($kount < 25)
{
    $array[] = make_random_key();
    $kount++;
}

print_r($array);


0

 
HITmen07 (Author) Commented:
Not sure how to implement your solution into my database Ray.
0
 
Ray Paseur Commented:
Generate the random keys and use them for your keys to the rows of your data base.  Did you read the code and check the output from the link posted above?  I am not sure how I could explain it more clearly but if you have a specific question, please post back and I will try to help.
0
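
Added example, not part of Ray Paseur's posts: the step of using random keys as the row keys, shown end to end with the lookup that `info.php` would do. The `products` table, its columns, the function names and the 12-character key length (31^12, about 7.9E17 combinations) are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline; it uses PDO and `random_int()` instead of the `mysql_*` functions and `mt_rand()`.

```php
<?php
// Added example (not from the thread). Table and column names are hypothetical;
// an in-memory SQLite database stands in for the MySQL one so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    rand_key VARCHAR(12) NOT NULL UNIQUE,
    name     VARCHAR(128) NOT NULL)');

// 12 characters from the thread's 31-character alphabet, drawn with the CSPRNG.
function random_key(int $length = 12): string
{
    $chr = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789';
    $str = '';
    for ($i = 0; $i < $length; $i++) {
        $str .= $chr[random_int(0, strlen($chr) - 1)];
    }
    return $str;
}

// Insert a row, retrying only when the UNIQUE constraint rejects the key.
function add_product(PDO $pdo, string $name): string
{
    $stmt = $pdo->prepare('INSERT INTO products (rand_key, name) VALUES (?, ?)');
    while (true) {
        $key = random_key();
        try {
            $stmt->execute([$key, $name]);
            return $key;
        } catch (PDOException $e) {
            if ((string) $e->getCode() !== '23000') { throw $e; } // not a duplicate key
        }
    }
}

// info.php side: look the record up by its public key, never by the integer id.
function find_product(PDO $pdo, string $key): ?array
{
    if (!preg_match('/^[A-HJKMNP-Z2-9]{12}$/', $key)) { return null; }
    $stmt = $pdo->prepare('SELECT name FROM products WHERE rand_key = ?');
    $stmt->execute([$key]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$key = add_product($pdo, 'Constructed sample product');
var_dump(find_product($pdo, $key)); // the stored row
var_dump(find_product($pdo, '123')); // null: an integer id is not a valid key
```
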
 
Guy Hengel [angelIII / a3], Billing Engineer, Commented:
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
Ray Paseur Commented:
I think galexander07 and I both offered good solutions.  No big deal if you want to delete it, but since I use the random key algorithm in practice, I know it works. ;-)
0
Question has a verified solution.
