4

I'm working on a new application, and in order to obscure the perception of its infancy, I'd like to obscure any instances that could reveal this, for example,
$postId=000001. Instead we'd get $postId=sH4d6s8d. Something short-ish, but unique.

I've read through a few other questions, unfortunately most answers devolve into security concerns. Application security isn't an issue here, I'm just looking for a way to pass an obscure representation of a row id through GET, and have that URL be sharable, meaning multiple user machines can interpret the obfuscation.

I skimmed over surrogate keys for MySQL, XOR, but I'm pretty green and my comprehension went mush quickly. What's the appropriate solution here? Any examples? Thanks.

Update

Decided on a simple XOR + urlencode solution. i.e:

$v = urlencode($var ^ $key)
$v = (urldecode($v) ^ $key)

From testing so far, this seems great for my purposes. However, looks like Firefox auto-decodes urlencode for display, defeating the whole purpose of the idea:

$v = r%5CQXr%5CQXr%5CP
<a href="whatevs.php?id=$v">link</a>

// Firefox renders the below anywhere link is visible (besides source)

whatevs.php?id=r\QXr\QXr\P

This is annoying. While the id is still obscured and the source is sill "traditionally" urlencoded, those characters don't look natural in a url. But the real problem is anyone who copy/pastes the link won't get the correct resource.

Is there a easy fix for this?

PHPeer
  • 659
  • 1
  • 7
  • 20
  • 4
    Why don't you seed your IDs at a larger number? – eggyal Jul 31 '12 at 16:57
  • 2
    possible duplicate of [PHP random URL names (short URL)](http://stackoverflow.com/questions/5422065/php-random-url-names-short-url) – PeeHaa Jul 31 '12 at 16:59
  • 1
    $postID = $baseNumber + $realNumber – Don Jul 31 '12 at 16:59
  • OK, I lied. These are great comments, but don't quite fit the bill. The dupe is a shortener, and doesn't account for simple id's, like '0000001'. Is trying to obscure such a low integer unheard of? Just attaching another number is also slightly off, would rather obscure the entire string. – PHPeer Jul 31 '12 at 18:58

2 Answers2

1

You say it's not a security problem, but why do you want secure your GET params ? If your aim is to hide the real value, then it's a security problem ^^ If you want only create a bijection between number and obfuscated code, you can use an inversible function like base64_encode, but anyone will be able to decode it.

Jérôme Boé
  • 2,752
  • 4
  • 21
  • 32
  • 2
    Base64_encode might be the best solution, it's just long and recognizable. Like you said, I just want the id to be perceived differently than it's actual value. In this particular scenario, knowing that true value is not an application-security issue, it's a marketing-security issue. – PHPeer Aug 01 '12 at 17:58
1

Xor + convert it to base 36 + reverse the string?

$key = 123456789;
$post_id = (1 ^ $key);
$post_id = strrev(base_convert($post_id, 10, 36));
echo $post_id;
ggiroux
  • 6,544
  • 1
  • 22
  • 23