php - generate non linear urls

Update:

Ok.. I have read a lot of solutions... Thank you so much everybody. I think I will keep it simple and avoid the encryption and just rely on two fields matching in the database. I can keep the id as it is (sequential) but add for example a timestamp (with : removed). Then I can put both through the youtube style url generator... leaving me with a really short, unique and not easily guessed url. e.g

before the youtube url gen blah.com?id=10345&s=134025

after blah.com?id=H2s&s=tL2s

I log the unique views to each id anyway... so I will record unsuccessful ones too and if a user hits 10 non-matching URLs in an hour then I can block his IP (I know a proxy will evade this... but it makes it more difficult).

What do you think?

This may sound like a bit of an odd question... what I am looking to achieve is a way to generate an id to be used in a url which can not be guessed or calculated. What I mean is it is not id=1, id=2...

I was looking at a youtube style script here. Which has a padding option, but the padding is so obvious with urls like wTTTa and b666o. I considered MD5ing the id... but that's hardly foolproof and makes for rather long urls.

The solution must be url based (can't be cookie or session based) and before you panic and think that I am trying to work out a way to secure my admin page - I am not, it's part of a game I am developing.


I would probably tackle this by getting a timestamp, then MD5'ing the stamp, and then running a substr() to get the last 4-8 characters (depending on your preference). Compare the ID that is generated with those that have already been created (with a simple MySQL table) to guarantee the ID's uniqueness.

You may also want to salt the timestamp with the ID, or with an MD5 of the ID to further increase its uniqueness.


What if you md5 the id and a random string?

$id = md5( $id . uniqid( mt_rand(), true ) );

That should make it unguessable.

Then check the database to see if that id exists.

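// Connect with PDO (the mysql_* functions were removed in PHP 7).
// 'table' is the database name placeholder, as in the original snippet.
$db = new PDO( 'mysql:host=localhost;dbname=table', 'username', 'password' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$stmt = $db->prepare( 'select id from ids where id = ?' );
$id = 223;

do {
    // First 8 hex characters of an MD5 over the id plus a random string
    $unique_id = substr( md5( $id . uniqid( mt_rand(), true ) ), 0, 8 );
    // Bind the value as a string: intval() would turn most hex ids into 0
    $stmt->execute( array( $unique_id ) );
    $c = count( $stmt->fetchAll() );

} while ( $c > 0 );

echo $unique_id;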

That's the only way to guarantee uniqueness, while limiting the number of characters in the id.


What about Generating One-Time URLs with PHP?


Just use random() from this class,

https://gallery.svn.sourceforge.net/svnroot/gallery/trunk/eval/gx/kohana/kohana/helpers/text.php

It generates random strings in different format. You can just use that as ID. I use this on my URL,

  random('distinct', 10)


If you want it to be unique, I think you're going to have to hash it in some way. You could concatenate a sequential id with some other identifier for the page (eg title).


What about using slugs? We always replace IDs with slugs, so we have nicer URLs both for your users and search engines, and it also doesn't give away DB keys.

Slugs are normalized and unique strings like the one on this very same question: "php-generate-non-linear-urls"


I'm not a PHP guy, but it sounds like you need a randomly generated GUID.

This could help but I'm not too sure of the complexity of the output.

Alternatively, you could try a random string generator if PHP has one, or you could roll your own using a random number generator. If you want to 100% guarantee its uniqueness, you would probably want a look-up table, or make it some expression of the current date/time in millis.


Take a look at create_guid() from SugarCRM.

It really creates unique IDs. It's in include/utils.php (around line 1300).


You need to generate an "unguessable key". If you generate 20 (or even 12 or so) characters of base64 characters, you should be just fine for most systems.

Work through the basic math to make sure you are comfortable with it. Given 64^20 possible keys, how long will it take a hacker to stumble upon a valid one? Well, how many can they guess per second, and how many will you have? Many sites use this technique to provide URLs.

Some advice on using these:

  • I would think about whether you can make these "temporary" in some way. Perhaps they only need to exist for a month, or a few months, and then need to be renewed by the creator?
  • I would recommend that you keep your regular IDs in your database, and add this as a second key that you can access records by. Internally use sequential IDs, since that will be convenient, and only use the unguessable keys when generating and processing URLs.

You CAN use something like the links above:

http://www.oreillynet.com/pub/a/php/2002/12/05/one_time_URLs.html

(In Ruby and Java, there are libraries for this. I'm not sure about PHP. See http://api.rubyonrails.org/classes/ActiveSupport/SecureRandom.html.)
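
The advice in the last answer (a random key stored beside the sequential ID, with an optional expiry), sketched as an added example that is not code from the thread. The `items` table, its columns and the function names are assumptions; it needs PHP 7.1+ with pdo_sqlite.

```php
<?php
// Added example. Table, column and function names are assumptions.

// 15 random bytes = 120 bits = exactly 20 base64 characters.
function new_url_key(int $bytes = 15): string
{
    // random_bytes() reads the OS CSPRNG; '+' and '/' are swapped for
    // URL-safe characters and any '=' padding is dropped.
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Store the key beside the sequential id; returns the key for the URL.
function create_item(PDO $db, string $title, int $ttl = 2592000): string
{
    $ins = $db->prepare(
        'INSERT INTO items (url_key, title, expires_at) VALUES (?, ?, ?)');
    for ($try = 0; $try < 5; $try++) {
        $key = new_url_key();
        try {
            $ins->execute([$key, $title, time() + $ttl]);
            return $key;
        } catch (PDOException $e) {
            // SQLSTATE 23000 = UNIQUE violation: draw a fresh key and retry.
            if ((string) $e->getCode() !== '23000') throw $e;
        }
    }
    throw new RuntimeException('could not allocate a unique key');
}

// Resolve a URL key to its row, or null if malformed, unknown or expired.
function find_item(PDO $db, string $key): ?array
{
    if (!preg_match('/\A[A-Za-z0-9_-]{20}\z/', $key)) return null;
    $q = $db->prepare(
        'SELECT id, title FROM items WHERE url_key = ? AND expires_at > ?');
    $q->execute([$key, time()]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY AUTOINCREMENT,
    url_key TEXT NOT NULL UNIQUE, title TEXT NOT NULL, expires_at INTEGER NOT NULL)');
$key = create_item($db, 'level one');
echo "blah.com?k=$key\n";
var_dump(find_item($db, $key));     // row found through the random key
var_dump(find_item($db, '10345'));  // a guessed sequential id is rejected
```

The sequential `id` never appears in a URL here; only `url_key` does, and the default `$ttl` of 2592000 seconds (30 days) implements the "temporary" suggestion.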
