Is is a bad practice to show database values in g开发者_Python百科et method for security point of view? for example:- 'http://example.com/user/id/10' where 10 takes value from database.
Please can anyone suggest me a standard encoding and decoding algorithms that takes two parameter (both for encoding and decoding) so that one can be stored as a variable in php file(or in database) and the other parameter being a string to be encoded or decoded.
Thank you in advance
I would answer the first part of your question:
Is is a bad practice to show database values in get method for security point of view? for example:- 'http://example.com/user/id/10' where 10 takes value from database.
Not really, it depends on what the 'page' is doing with the id/10. If you are simply displaying user information (profile), what is the harm? However if you want to mask your URLs that is all up to you. I have seen masking using encryption, however I'm curious why you think the URL will be 'harmful' ? Do you just not want a user to see id = 10? I would focus on making my php/sql query on that page secure rather than add additional overhead for encrypting something that is harmless (from my point of view).
EDIT:
For simplicity sake, you could utilize the php function base64_encode
and decode: http://us.php.net/manual/en/function.base64-encode.php
That should give you enough. But I really would think about WHY you want to hide it in the first place, generally 'easy to read' urls are always a bonus, especially when it comes to search engine optimization.
The only risk is if you don't have your site permissions security setup correctly. Matching your data by database id is fine, it's just easy to understand. If someone wants to crawl all your data all they have to do is increment the url.
If you don't want people to be able to access certain "ids" just make sure they have the proper login credentials to see that page.
Now if you want to encrypt/decrypt easily, look into using md5 hashes: http://php.net/manual/en/function.md5.php
精彩评论