
What are the fastest encryption and decryption methods in PHP to encrypt uid and other IDs?

WBOY (Original), 2016-12-01 01:27:43, 2074 views

In the past, the ID has always been used directly as a GET parameter on the front end, such as a.com?uid=16. If a user discovers this pattern, he only needs to change 16 to 17, 18, 19, etc. to view the data of each user, so I would like to ask how you solved this.

The requirement is not that users must not be allowed to view other users' information; anyone may view it. So why is there still such a need? It is just like a WeChat ID: as long as you have someone's WeChat ID, you can search for that person. Without it, it is difficult to find that person through credential stuffing, luck, etc. Youku, Tudou, Bilibili and other video websites do not display the video ID directly in the address bar; they are all encrypted. (If the video websites do not use consecutive IDs in the database, then forget I said it... In fact, I have never seen the databases of these websites.)

The requirement is that encryption and decryption should be fast and difficult to crack. (The former takes priority.)

Reply content:

It's like this: if your purpose is to prevent users from viewing other users' data, then your idea is a bit off.

What you should do is authenticate on the backend instead of encrypting the uid. For example, if the currently logged-in user is uid=16, then when he requests a.com?uid=17 (or any page other than 16), the backend should be able to determine that he does not have permission and return an appropriate response (such as outputting a blank page, or directly throwing a 403).
As for how to implement authentication, simply record the uid of the logged-in user in $_SESSION['uid'], and check that $_GET['uid'] == $_SESSION['uid'] is true every time a request is made.

Supplement, 2016-10-26 21:51:
The question owner updated the question and said that everyone can see the user information, but he just wants to hide the user's uid. In this situation, my approach is to add an openid field to the user table and index it. When the user registers, combine the uid, a UNIX timestamp, a random string of some length, etc., and generate a unique openid from the combination with a function such as md5(). When information is exposed externally, the data is retrieved through openid.

If you insist on using encryption, you can search the Internet yourself. There are already many ready-made and mature solutions. I searched Google with the keywords "PHP encryption and decryption", and almost everything on the first page is what you want. For example, the following code is excerpted from the first search result; you can refer to it (I have not tested it).

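<code class="PHP"><?php
    // NOTE: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2;
    // this code runs only where mcrypt is still available.

    // Set the key used to encrypt and decrypt the data (32 bytes, so AES-256)
    $key = "ac181c517bdf24ce053556bb280a2dcb";

    /**
     * Encryption function: returns base64(IV . ciphertext)
     */
    function encrypt($str)
    {
        global $key; // $key is defined at file scope
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM);
        // The raw ciphertext is not trimmed: it may start or end with whitespace bytes
        return base64_encode($iv . mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $str, MCRYPT_MODE_CBC, $iv));
    }

    /**
     * Decryption function: expects base64(IV . ciphertext)
     */
    function decrypt($str)
    {
        global $key;
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
        $raw = base64_decode($str);
        $iv = substr($raw, 0, $iv_size); // the IV stored in front of the ciphertext
        // mcrypt pads the last block with NUL bytes, so strip only those
        return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, substr($raw, $iv_size), MCRYPT_MODE_CBC, $iv), "\0");
    }
?>
</code>

Source: http://jerry17768java.blogspo...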
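The openid approach from the supplement above, as an added example that is not part of the original answer. It uses random_bytes() in place of the md5() combination the answer mentions, and the `users` table, its columns and the helper function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed schema: a sequential internal uid plus a unique, indexed openid.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    uid    INTEGER PRIMARY KEY AUTOINCREMENT,
    openid TEXT NOT NULL UNIQUE,
    name   TEXT NOT NULL
)');

// 128 bits from the OS CSPRNG, hex-encoded: 32 URL-safe characters.
function new_openid(): string
{
    return bin2hex(random_bytes(16));
}

// Assigns the openid once, at registration, and returns it.
function register_user(PDO $db, string $name): string
{
    $openid = new_openid();
    $stmt = $db->prepare('INSERT INTO users (openid, name) VALUES (?, ?)');
    $stmt->execute([$openid, $name]);
    return $openid;
}

// Public lookup: accepts only a well-formed openid, never the numeric uid.
function find_public_profile(PDO $db, string $openid): ?array
{
    if (preg_match('/\A[0-9a-f]{32}\z/', $openid) !== 1) {
        return null;
    }
    $stmt = $db->prepare('SELECT openid, name FROM users WHERE openid = ?');
    $stmt->execute([$openid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$alice = register_user($db, 'alice');
$bob   = register_user($db, 'bob');

var_dump(find_public_profile($db, $alice));
var_dump(find_public_profile($db, '17')); // a guessed sequential id is not a valid openid
var_dump($alice !== $bob);
```

The internal uid never leaves the server, so nothing has to be decrypted on each request; the lookup is a single indexed query.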

                            
hash some+random some

I think you should add a permission check, such as identifying users based on cookies.
Encryption/decryption can use OpenSSL AES:
<pre class="brush:php;toolbar:false"><code><?php
header('Content-Type: text/plain;charset=utf-8');
$data = 'phpbest';
// 32-byte key, generated once with: echo base64_encode(openssl_random_pseudo_bytes(32));
$key = 'oScGU3fj8m/tDCyvsbEhwI91M1FcwvQqWuFpPoDHlFk=';
// 16-byte IV, generated once with: echo base64_encode(openssl_random_pseudo_bytes(16));
// Because the IV is fixed, the same plaintext always produces the same ciphertext.
$iv = 'w2wJCnctEG09danPPI7SxQ==';
echo '内容: '.$data."\n";

// Encrypt with AES-256-CBC; OPENSSL_RAW_DATA returns raw bytes, so base64-encode them for display
$encrypted = openssl_encrypt($data, 'aes-256-cbc', base64_decode($key), OPENSSL_RAW_DATA, base64_decode($iv));
echo '加密: '.base64_encode($encrypted)."\n";

// Decrypt a previously produced ciphertext with the same key and IV
$encrypted = base64_decode('To3QFfvGJNm84KbKG1PLzA==');
$decrypted = openssl_decrypt($encrypted, 'aes-256-cbc', base64_decode($key), OPENSSL_RAW_DATA, base64_decode($iv));
echo '解密: '.$decrypted."\n";</code></pre>
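
An added example, not code from the original answer: encrypting an ID for use in a URL with AES-256-GCM through the same OpenSSL extension, with a fresh random nonce per token and an authentication tag so that modified tokens are rejected. The function names, the hex token layout and the demo key are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Token layout (an assumption of this example): hex(nonce[12] || tag[16] || ciphertext).
const NONCE_LEN = 12;
const TAG_LEN = 16;

function encrypt_id(int $id, string $key): string
{
    $nonce = random_bytes(NONCE_LEN); // fresh nonce for every token
    $tag = '';
    $ct = openssl_encrypt((string) $id, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return bin2hex($nonce . $tag . $ct); // hex is safe in a query string
}

// Returns the id, or null when the token is malformed or has been modified.
function decrypt_id(string $token, string $key): ?int
{
    if (strlen($token) % 2 !== 0 || !ctype_xdigit($token)) {
        return null;
    }
    $raw = hex2bin($token);
    if (strlen($raw) <= NONCE_LEN + TAG_LEN) {
        return null;
    }
    $nonce = substr($raw, 0, NONCE_LEN);
    $tag = substr($raw, NONCE_LEN, TAG_LEN);
    $ct = substr($raw, NONCE_LEN + TAG_LEN);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false || !ctype_digit($pt)) {
        return null; // tag check failed or plaintext is not a numeric id
    }
    return (int) $pt;
}

// Constructed demo key; a real deployment loads one stored 32-byte key instead.
$key = random_bytes(32);
$token = encrypt_id(16, $key);
var_dump(decrypt_id($token, $key) === 16);

// Change the last hex digit of the token: the GCM tag no longer verifies.
$last = substr($token, -1);
$tampered = substr($token, 0, -1) . ($last === '0' ? '1' : '0');
var_dump(decrypt_id($tampered, $key) === null);
var_dump(decrypt_id('17', $key) === null); // a guessed sequential id is not a valid token
```

Because the nonce is random, the same ID yields a different token on each call, and every such token decrypts to the same ID. GCM support in openssl_encrypt() requires PHP 7.1 or later.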