URL parameters value encryption/decryption

i want to encrypt the url parameters value like

http://www.sitename.com/index.php?userid=12546

into

http://www.sitename.com/index.php?userid=SADFFHGFE

to prevent the robots to hack the userids which is auto incrementing into database and i am not sure about the security of base64_encode and base64_decode. Is there any way to do this??

Is there any way to do this??

Hashing user IDs is useless as it's easily reverted. Encrypting them is neither practical nor necessary - just assign a random user ID when you create a record, and never expose the auto increment ID.

You can create a hash of the id so you get something like:

http://www.sitename.com/index.php?userid=81dc9bdb52d04dc20036dbd8313ed055

In you db query you can do a select on the users table including a WHERE statement that also hashes the id column like:

WHERE MD5(id) = youridfromqueryparameters

A side note to this is that MD5 hashes do not necessarily have to be unique. So you cannot be sure that this select statement is always returning the row you wanted.

But of course it does not differ that much from just using the id. A better solution might be to generate a unique (not auto incremented) id for each user and use that in the url (encrypted or not).

You could store a randomly generated string, and store this in the same row as the user record, I use this to generate a random ID for quizzes on my site:

It generates a string using the character list, so they must be stored as case_sensitive.

$p_length is the number of characters to output, I use '6'

function generate_id($p_length)
{
    $char_list = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $char_list .= "abcdefghijklmnopqrstuvwxyz";
    $char_list .= "1234567890";
    $char_list_len = strlen($char_list);
    $random = "";

    for($i = 0; $i < $p_length; $i++)
    {
        $char = rand() % $char_list_len;
        $random .= $char_list[$char];
    }
    return $random;
}

$random_id = generate_id(6);