Add random characters to a $_GET variable [closed]

I was just wondering if it was possible to add random characters to the variable I am passing to the second page. I want this because if the user changes the value in the URL, then the system is gonna mess up because I am inserting data into the database based on the message id. I can't use a session because the first session is overriding the others.

If I have something like view_inbox.php?messageid=2 then the user can change it to something like view_inbox.php?message=4.

So is it possible to have some random characters like

view_inbox.php?messageid=GXLSsd2sdcds? The id is coming from database.

echo "<a href='view_inbox.php?messageid=" . urlencode((string) $row['id']) . "'>" . htmlspecialchars($row['from_user'], ENT_QUOTES) . "</a>";

view_inbox.php

$id = $_GET['messageid'];

There are a couple of approaches.

  1. You should be checking security rules on which rows/entities the user is allowed to access. Put these rules in a common procedure/function in your code, so you can check them consistently.

  2. You can also "obfuscate" or encrypt the ID, in a way the server can reverse but is not easy/obvious for the client. Operations could include multiplying by a prime number (say 23) modulo 2^32, XOR by a constant, outputting it in base-64, perhaps with a lowercase 'x' in front.

For the second approach:

function encodeKey ($key) {
   $multiplied = $key * 23;
   $packed = pack( "N", $multiplied);
   $base64 = base64_encode( $packed);
   return $base64;
}
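function decodeKey ($text) {
   // Strict mode: reject input that is not valid base64.
   $packed = base64_decode( $text, true);
   if ($packed === false || strlen( $packed) !== 4) {
      return null;
   }
   // Reverse of pack("N"): read the 32-bit big-endian integer.
   $multiplied = unpack( "N", $packed)[1];
   // Plain division only round-trips while $key * 23 < 2^32.
   if ($multiplied % 23 !== 0) {
      return null;
   }
   $key = intdiv( $multiplied, 23);
   return $key;
}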
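
The first approach, sketched as an added example that is not part of the original answer: one function holds the access rule, and view_inbox.php returns a message only when it is addressed to the requesting user. The `messages` table, the `to_user` and `body` columns, the function name and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
// Assumed schema: messages(id, from_user, to_user, body).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, from_user TEXT, to_user TEXT, body TEXT)');
$pdo->exec("INSERT INTO messages VALUES (2, 'bob', 'alice', 'hi alice'), (4, 'carol', 'dave', 'hi dave')");

/**
 * The one place the access rule lives: a message is returned only when it is
 * addressed to the requesting user. Returns null for a missing row and for
 * someone else's row alike, so the response does not reveal which ids exist.
 */
function loadMessageForUser(PDO $pdo, $rawId, string $currentUser): ?array
{
    // Reject anything that is not a plain positive integer before querying.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The ownership condition is part of the query itself.
    $stmt = $pdo->prepare(
        'SELECT id, from_user, body FROM messages WHERE id = :id AND to_user = :user'
    );
    $stmt->execute([':id' => $id, ':user' => $currentUser]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In view_inbox.php the arguments would be $_GET['messageid'] and the
// logged-in user taken from the session; here they are passed in directly.
$currentUser = 'alice';
foreach (['2', '4', 'abc', 'GXLSsd2sdcds'] as $requested) {
    $message = loadMessageForUser($pdo, $requested, $currentUser);
    if ($message === null) {
        echo "messageid=$requested -> 404 Not Found\n";
    } else {
        echo "messageid=$requested -> from {$message['from_user']}: {$message['body']}\n";
    }
}
```

With this check in place, an id encoded as in the second approach only changes how the URL looks; the decision about who may read a row is still made by the query.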