I’m trying to come up with a good way to avoid directly using ID’s in URL’s to look up table entries. The main reason is that for privacy reasons, I don’t want my users to be able to simply change, say, /?unique_id=10 to /?unique_id=11 and see someone else’s information.
I’ve noticed many sites use randomly generated strings, but what’s the best structural implementation of something like this?
Thanks!
Oh, and I doubt it matters, but I’m using PHP.
EDIT:
The information contained on the pages is public information. That is, anyone with the link should be able to access the page without trouble. What I want to prevent is people simply iterating through IDs and seeing everything in the database. I prefer that only people that have been given a link access the page. That said, it’s not a huge problem if a random person stumbles across it.
Also, I don’t want people looking at the ID to figure out how many total entries there are.
You probably need some kind of user check to make sure people arent seeing other peoples records anyway, but using a GUID for this is a good start.
You could use a hash of something like record1, record2 etc, but a determinted hacker could easily do this.
Another option is to use record aliases so each record has a string that represents it which you then use as the key. You often see this in wordpress or other CMS systems.
So if your id refers to a post maybe take the title and replace spaces with –
eg. http://www.example.com/article.php?id=Summer-is-the-best-time-of-year