9

I used the solution accepted for this question for encrypting by id, for example in /index.php?id=3. The problem is I cannot send the encrypted value as a URL, for example /index.php?id=dsf13f3343f23/23=, because sometimes it will have weird characters in the URL, e.g. notice the = sign at the end.

    @Michael J.V.: Would like to encode the key to stop people from crawling our data by looping through the ids. What's wrong with it? What's the best / better solution? Commented Apr 17, 2011 at 10:18

4 Answers

21

The weird characters in the values passed in the URL should be escaped, using urlencode().


For example, the following portion of code :

echo urlencode('dsf13f3343f23/23=');

would give you :

dsf13f3343f23%2F23%3D

Which works fine as a URL parameter.


And if you want to build a query string with several parameters, take a look at the http_build_query() function.

For example :

echo http_build_query(array(
    'id' => 'dsf13f3343f23/23=',
    'a' => 'plop',
    'b' => '$^@test', 
));

will give you :

id=dsf13f3343f23%2F23%3D&a=plop&b=%24%5E%40test

This function deals with escaping and concatenating the parameters itself ;-)


1 Comment

Hey Pascal! May I ask you a simple question: when we have an encoded URL with characters like ' it gives us %27. Now, are there any security concerns about these percent numbers? Or any other problems with URL encoding, besides that the %27 looks very ugly?
4

Use PHP's urlencode() function to encode the value before you put it into a URL.

string urlencode ( string $str )
This function is convenient when encoding a string to be used in a query part of a URL, as a convenient way to pass variables to the next page.

This function converts "weird" characters, such as =, into a format safe to put into a URL. You can use it like this:

header('Location: /index.php?id=' . urlencode($id));


4

If you use Base64 to encode the binary value for the URL, there is also a variant with URL and filename safe alphabet.

You can use the strtr function to translate from one alphabet to the other:

$base64url = strtr($base64, '+/', '-_');
$base64 = strtr($base64url, '-_', '+/');

So you can use these functions to encode and decode base64url:

function base64url_encode($str) {
    return strtr(base64_encode($str), '+/', '-_');
}
function base64url_decode($base64url) {
    return base64_decode(strtr($base64url, '-_', '+/'));
}

See also my answer on What is a good way to produce an short alphanumeric string from a long md5 hash?

2 Comments

I've implemented this so many times and it seems to be the easiest way (if you still want to go this route).
@Gumbo There is an extra closing parenthesis in your base64url_encode function.
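
Added example, not part of any of the answers on this page: Base64 with the URL-safe alphabet still ends in `=` padding, the character the question trips over. This sketch drops the padding when encoding and validates strictly when decoding, because the value comes back from a user-controlled URL. The function names `b64url_encode_nopad` and `b64url_decode_strict` and the sample bytes are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode raw bytes with the URL- and filename-safe
// alphabet and drop the '=' padding, so no further escaping is needed.
function b64url_encode_nopad(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Hypothetical helper: decode a value taken from the URL. Returns null for
// anything that is not well-formed unpadded base64url.
function b64url_decode_strict(string $token): ?string
{
    // Only the 64 URL-safe characters are accepted; /D forbids a trailing newline.
    if (preg_match('/^[A-Za-z0-9_-]+$/D', $token) !== 1) {
        return null;
    }
    // A length of 4n+1 cannot be produced by any byte string.
    if (strlen($token) % 4 === 1) {
        return null;
    }
    // Restore the padding that was stripped, then decode in strict mode.
    $padded = str_pad($token, strlen($token) + (4 - strlen($token) % 4) % 4, '=');
    $bytes  = base64_decode(strtr($padded, '-_', '+/'), true);

    return $bytes === false ? null : $bytes;
}

// Constructed sample: bytes chosen so that standard Base64 output contains
// '+', '/' and '=' all at once.
$raw   = "\xfb\xff\xfe\x3e";
$token = b64url_encode_nopad($raw);

var_dump(base64_encode($raw));                     // standard alphabet, padded
var_dump($token);                                  // URL-safe alphabet, unpadded
var_dump(b64url_decode_strict($token) === $raw);   // round trip

// The standard-alphabet value from the question contains '/' and '=' and is
// therefore not accepted as base64url input.
var_dump(b64url_decode_strict('dsf13f3343f23/23='));

// The token passes through http_build_query() without any percent-escapes.
echo '/index.php?' . http_build_query(['id' => $token]), "\n";
```

A `null` return should be treated like any other invalid id (for example a 404) before the decoded bytes reach decryption or a database lookup.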
1

There is no use in encrypting parameters.
Send it as is:

/index.php?id=3 

nothing wrong with it.

3 Comments

Unless you are using a social security number or something similar as a primary key.
Should you use it as a primary key at all?
I'm sure there are some applications where it might be useful.
