
  • Status: Solved
  • Priority: Medium
  • Security: Public

why does encryption not work if $id is large number

encryption works unless
$id is greater than a 9 digit number

// Part 1: generate the signed links
echo '<table>';
for ($id = 13; $id < 40; $id++) {
    $key = "az09".md5("!rgb192".$id).urlencode("==");
    // The parameter name must match $_GET["id"] below; PHP array keys are case-sensitive.
    $url = "http://www.server.com/queryscript.php?id=$id&key=$key";
    echo '<tr><td>'.$id.'</td><td>'.$url.'</td></tr>';
}

// Part 2 (queryscript.php): recompute the key from the request and compare
$id = intval($_GET["id"]); // force the ID to an integer
$key = $_GET["key"];
$keyShouldBe = "az09".md5("!rgb192".$id).("==");
echo '<tr><td></td><td></td></tr>';
echo '<tr><td>'.$id.'</td><td>'.$key.'</td><td>'.$keyShouldBe.'</td></tr>';

echo '</table>';

if ($key != $keyShouldBe) {
    // The special key doesn't match, so it's probably some malicious user trying to break in.
    echo '<br>error';
    //sleep(5); // Slow the user down.
    //die(); // Stop the script completely from continuing.
} else {
    echo '<br>works';
}

2 Solutions
Robert Sutton Jr, Senior Network Manager, commented:
You have a billion IDs or more? That's pretty impressive.

I'm going to guess that it's because you're reaching the 32-bit signed integer range. The intval() is usually a good way to force a number to be numeric.

If you do:

echo intval(2147483647) . "<br>\n";
echo intval(2147483648) . "<br>\n";

You should see:

This is because the 32-bit integer range goes from:
-2147483648 ... all the way to ... 0 .... all the way to 2147483647

So if you try to intval() a value over 2147483647, it will start back at -2147483648 again.

Instead of intval(), just use + 0, like this:

$id = $_GET["id"]+0;

It will also force the value to be numeric, but if your system is capable, it will go beyond the 32-bit range.
For the record, I work on enterprise applications all the time (including mass mailers), and I have rarely seen database tables get to the size of having billions of records. By the time they reach that sort of ID range, the data gets archived for performance reasons, and things start back at 0, or else there is a multifactor ID.

Either way, I'd suggest you double-check to make sure that your application isn't generating billions of unnecessary records, or storing more than it needs to in the database.
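The mismatch discussed in this thread, as an added example that is not part of the original posts: the link generator hashes the full ID, while the checking script hashes the ID after integer conversion, so the two keys diverge once the ID no longer fits in 32 bits. The function names are hypothetical; `intval32` models 32-bit conversion of a numeric string, which the PHP manual documents as saturating at the integer limit, so the demo behaves the same on a 64-bit build.

```php
<?php
// Added example; function names are illustrative, not from the thread.
const PREFIX = "az09";     // constants copied from the question's code
const SECRET = "!rgb192";
const SUFFIX = "==";

// Model of intval() on a numeric string under 32-bit PHP: out-of-range
// string input saturates at the signed 32-bit limits.
function intval32(string $s): int {
    return (int) max(-2147483648.0, min(2147483647.0, (float) $s));
}

// Key construction used by both the generator and the checker.
function makeKey(string $id): string {
    return PREFIX . md5(SECRET . $id) . SUFFIX;
}

// Checker as in the question: the ID goes through integer conversion first,
// so the hashed value can differ from the one the generator hashed.
function verifyWithIntval(string $rawId, string $key): bool {
    return $key == makeKey((string) intval32($rawId));
}

// Checker that never converts: accept only a canonical decimal string
// (no sign, no leading zeros; the 19-digit cap is an assumed limit),
// hash exactly those bytes, and compare in constant time.
function verifyCanonical(string $rawId, string $key): bool {
    if (!preg_match('/^(0|[1-9][0-9]{0,18})$/', $rawId)) {
        return false;
    }
    return hash_equals(makeKey($rawId), $key);
}

// Constructed sample IDs on both sides of the 32-bit boundary.
$samples = ["39", "999999999", "2147483647", "2147483648", "12345678901"];
foreach ($samples as $id) {
    $key = makeKey($id); // what the link generator would put in the URL
    printf(
        "%-12s intval32=%-11d intval-check=%-5s canonical-check=%s\n",
        $id,
        intval32($id),
        verifyWithIntval($id, $key) ? "ok" : "FAIL",
        verifyCanonical($id, $key) ? "ok" : "FAIL"
    );
}
```

Rejecting non-canonical input instead of coercing it also means a request such as `id=39abc` fails the check outright rather than being silently verified as ID 39.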
rgb192, Author, commented:

