Encrypt IDs in URL variables

I am developing an HTTP开发者_JAVA技巧 server application (in PHP, it so happens). I am concerned about table IDs appearing in URLs. Is it possible to encrypt URL variables and values to protect my application?

oh ok, so for sensitive information best to use sessions then, are table Ids etc safe to throw in the GET var?

Yes, sensitive information must not leave your server in the first place. Use sessions.

As for "are table ids safe in the URL": I don't know, is there anything bad a user could do knowing a table id? If so, you need to fix that. Usually you need to pass some kind of id around though, whether that's the "native table id" or some other random id you dream up usually doesn't matter. There's nothing inherently insecure about showing the id of a record in the URL, that by itself means absolutely nothing. It's how your app uses this id that may or may not open up security holes.
Additionally think about whether a user can easily guess other ids he's not supposed to know and whether that means anything bad for your security.

Security isn't a one-off thing, you need to think about it in every single line of code you write.

Sounds like you want to pass sensitive information as a GET param.

Don't do that - use $_SESSION if you can.

However, if you want your params encoded (i.e. => +) use urlencode().

$a = 'how are you?';

echo urlencode($a); // how+are+you%3F

You can encrypt what you pass before you transmit, or you can run the entire communication over an encrypted channel (https or ssh for instance).

Your GET variables are called whatever you choose to call them, and assigned whatever values you choose to give them. So, yes: they can certainly be encrypted or, if you'd rather, simply obscured. If you're planning to encrypt variables, then PHP has quite a few options available.

For the above, I'd recommend using something like urlencode.

In general I'd suggest using POST instead of GET, assuming you're getting your variables from a form element. On the other hand it might be even wiser to use session variables.

Maybe this article can give you more ideas...

http://www.stumbleupon.com/su/1nZ6bS/:1PcFQMI0:6oJD.Hd1/www.ibm.com/developerworks/library/os-php-encrypt/index.html/