I needed a simple way to obfuscate auto_increment primary keys in databases when they are visible to users in URIs or API calls. The users should not be able to increment the id in the URL and see the next data record in the database table.
My solution (uses modified base64 functions by Tom):
function base64url_encode($plainText) {
$base64 = base64_encode($plainText);
$base64url = strtr($base64, '+/=', '-_,');
return $base64url;
}
function base64url_decode($plainText) {
$base64url = strtr($plainText, '-_,', '+/=');
$base64 = base64_decode($base64url);
return $base64;
}
function encryptId($int, $class='') {
return base64url_encode($int.'-'.substr(sha1($class.$int.encryptionKey), 0, 6));
}
function decryptId($string, $class='') {
$parts = explode('-', base64url_decode($string));
if (count($parts) != 2) {
return 0;
}
$int = $parts[0];
return substr(sha1($class.$int.encryptionKey), 0, 6) === $parts[1]
? (int)$int
: 0;
}
- The optional 2nd argument is the class name, so two equal ids of different tables will not result in two equal obfuscated ids.
- encryptionKey is a global secret key for encryption.
- decryptId() checks if the second part of the base64 encoded string is correct.
