How to make a secure web links with PHP?
I am developing a web application with raw PHP for a school. When a user visits a student's profile page, the web link in the address bar looks like this: http://localhost/utc/studentprofile.php?studentid=11100103. But I want it to appear like this: http://localhost/utc/studentprofile.php?studentid=.I1vlXKbsAAljiXXX4ylPpWER1D8re93AA--
I can do it using base64_encode, but if I do, when the user tries to view the student's profile it doesn't show any information.
Would anyone please kindly help me on how to do this?
Thanks in Advance
base64 is not encryption, it's an encoding method. It'd be about as secure as translating a password into German from French, on the presumption that no German people speak French.
To properly secure this, you'd need to use the mcrypt library to do proper encryption. Since the encrypted data isn't being shared with others, the encryption/decryption key used can be hardcoded into your script.
Take the binary garbage produced by encrypting your ID value, and then base64 encode that so it can be safely placed into the URL. Then pass it through base64_decode and mcrypt again when pulling it out of the URL later on.
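The round trip the answer describes (encrypt the ID, base64-encode the result for the URL, then decode and decrypt on the profile page), as an added example that is not the answerer's code. It uses libsodium, which ships with PHP 7.2 and later, in place of the mcrypt extension, which was removed from PHP core in 7.2; the secretbox construction also authenticates the ciphertext, so a token that has been edited in the address bar fails to open instead of decrypting to garbage. The key constant is a placeholder, and the `studentid` parameter name is the one from the question.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Placeholder key: generate a real
// one once with bin2hex(sodium_crypto_secretbox_keygen()) and keep it in a config
// file outside the web root rather than in the script.
const STUDENT_ID_KEY_HEX = '0000000000000000000000000000000000000000000000000000000000000000';

function studentIdKey(): string
{
    $key = hex2bin(STUDENT_ID_KEY_HEX);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('student ID key must be exactly 32 bytes');
    }
    return $key;
}

/** Turn a numeric student ID into an opaque, URL-safe token. */
function encodeStudentId(int $studentId): string
{
    // Fresh random nonce per token; it is not secret, so it travels with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox((string) $studentId, $nonce, studentIdKey());
    // nonce || ciphertext+tag, then URL-safe base64 (no '+', '/' or '=' to escape).
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/** Reverse encodeStudentId(); returns null for any malformed or tampered token. */
function decodeStudentId(string $token): ?int
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid base64url
    }
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($raw) < $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null; // too short to contain nonce + tag
    }
    $nonce = substr($raw, 0, $nonceLen);
    $box   = substr($raw, $nonceLen);
    $plain = sodium_crypto_secretbox_open($box, $nonce, studentIdKey());
    if ($plain === false || !ctype_digit($plain)) {
        return null; // authentication failed, or payload is not a numeric ID
    }
    return (int) $plain;
}

// On the student list page, when building each link:
$token = encodeStudentId(11100103);
echo "studentprofile.php?studentid=" . $token . PHP_EOL;

// On studentprofile.php (falls back to the token above so the script runs from the CLI):
$studentId = decodeStudentId($_GET['studentid'] ?? $token);
if ($studentId === null) {
    http_response_code(404);
    exit('No such student');
}
echo "Decoded student ID: {$studentId}" . PHP_EOL;
```

Because the nonce is random, the same student gets a different token on every page render; that is fine for hiding the ID, but if you want a stable, bookmarkable URL the handle-mapping approach in the answer below suits better. Note also that a token only hides and protects the ID value: anyone who has a valid link can still open that profile, so the page itself must still check that the logged-in user is allowed to view it.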
You added more information in a comment on the question:
I have a page where it shows the names of all students in a list; if I click on any of them it takes me to the profile page of that particular student, for that I have coded like this- When the profile page of that student shows up, in the address bar I find the link like this:
http://localhost/utc/studentprofile.php?studentid=11100103
I want the link to appear like http://localhost/utc/studentprofile.php?studentid=Adz2457cxfgga&&sas
instead of showing the exact student IDs.
Then Base64 encoding is not the way to do that, because it does little if anything to protect the student's ID.
If you want to avoid revealing the student's ID, there's no more secure way than not revealing it. And you have the opportunity to give the student profile pages more readable URLs as well:
Create a trivial mapping database table on the server-side. Give each student a unique "handle" (mine might be "tjcrowder", for instance, unless the cattle feed merchant who also has my name had gone to the school previously, in which case I might be "tjcrowder2"). Base the handle on information you're already revealing on the profile page (I assume these pages list the student's name, for instance).
Then your link becomes
http://localhost/utc/studentprofile.php?studentid=tjcrowder
or even better
http://localhost/utc/studentprofile.php?tjcrowder
or even better, throw a URL-rewrite at it so you get
http://localhost/utc/students/tjcrowder
In studentprofile.php, do the DB query to take the handle and look up the student ID, and then retrieve the student's profile information.
Nice readable URLs, nothing revealing the student ID.
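The mapping-table approach from this answer, as an added example rather than the answerer's code: a handle column derived from the student's name (with a numeric suffix on collision, as in the "tjcrowder2" case), a lookup by handle using a prepared statement, and the rewrite rule that turns `/students/tjcrowder` into a query parameter. It uses an in-memory SQLite database so it runs stand-alone; the table and column names, the `handle` parameter and the `.htaccess` layout are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. In-memory SQLite stands in for the
// school's real database; the schema below is assumed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (
    student_id INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    handle     TEXT NOT NULL UNIQUE
)');

/** Derive a unique handle from a name: "T.J. Crowder" -> tjcrowder, then tjcrowder2, ... */
function makeHandle(PDO $pdo, string $name): string
{
    $base = strtolower(preg_replace('/[^a-z0-9]/i', '', $name));
    if ($base === '') {
        $base = 'student';
    }
    $exists = $pdo->prepare('SELECT 1 FROM students WHERE handle = ?');
    $handle = $base;
    for ($n = 2; ; $n++) {
        $exists->execute([$handle]);
        if ($exists->fetchColumn() === false) {
            return $handle; // first free variant wins
        }
        $handle = $base . $n;
    }
}

function addStudent(PDO $pdo, int $studentId, string $name): string
{
    $handle = makeHandle($pdo, $name);
    $ins = $pdo->prepare('INSERT INTO students (student_id, name, handle) VALUES (?, ?, ?)');
    $ins->execute([$studentId, $name, $handle]);
    return $handle;
}

/** Look up a student by handle; null when the handle is unknown. */
function findStudentByHandle(PDO $pdo, string $handle): ?array
{
    // The handle comes straight from the URL, so it is bound as a parameter,
    // never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT student_id, name FROM students WHERE handle = ?');
    $stmt->execute([$handle]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: two students whose names collapse to the same base handle.
addStudent($pdo, 11100103, 'T.J. Crowder'); // tjcrowder
addStudent($pdo, 11100104, 'T J Crowder');  // tjcrowder2

// studentprofile.php receives the handle via the URL. With this assumed Apache
// rewrite in .htaccess, /students/tjcrowder becomes ?handle=tjcrowder:
//   RewriteEngine On
//   RewriteRule ^students/([a-z0-9]+)$ studentprofile.php?handle=$1 [L]
$handle = $_GET['handle'] ?? 'tjcrowder2'; // CLI fallback so the script runs stand-alone
if (!preg_match('/^[a-z0-9]{1,64}$/', $handle)) {
    http_response_code(400);
    exit('Bad handle');
}
$student = findStudentByHandle($pdo, $handle);
if ($student === null) {
    http_response_code(404);
    exit('No such student');
}
echo "Profile for {$student['name']} (student_id {$student['student_id']})" . PHP_EOL;
```

The numeric `student_id` never appears in a URL and is only resolved server-side after the handle lookup succeeds. The regular expression check on the handle is belt-and-braces on top of the prepared statement: it rejects anything the rewrite rule would not have produced before the database is consulted.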
You need to call base64_decode on studentid before using it.
http://php.net/manual/en/function.base64-decode.php
However this still isn't secure.