Encrypting URL

I want a secure URL encryption and decryption technique.

Should I write my own algorithm?

If you want it to be secure, you had better know a fair bit about encryption/decryption techniques before writing your own algorithm!

I wonder what algorithms people from this forum can come up with - it’d be worth a look.

However, there are two possibilities. The first is to make an algorithm which is reversible - so if you encrypt “abc” and get “auhr931r”, then “auhr931r” must be decrypted to only “abc”.

The second possibility is to store data in a database, and give that row a unique random code. The decrypt function simply looks up the value in a table using that code.

I can definitely work on the first option, but the second option will make the DB grow for no reason.

True, but it saves on performance.

If you want to encrypt, for example, a few kilobytes of text, it could kill your server depending on your encryption technique. Many techniques are very efficient with small strings, but get exponentially harder on processing as the string gets larger.

With a database solution, that string is simply stored and referenced - the reference is then used to retrieve it. A little like how youtube URLs work - a title named “Fisherman’s Blues The Waterboys” turns into “_VKouBHarIo”, and “_VKouBHarIo” is used to retrieve “Fisherman’s Blues The Waterboys” again. Technically, it’s an encryption and decryption algorithm, even though the initial string isn’t used to determine the encryption, rather a unique ID is generated.

This way, there is ZERO chance of collisions. Any ‘secure’ algorithm to encrypt and decrypt would be rather complex (otherwise decryption would be easy), and would therefore introduce the possibility of an encryption collision.

OK, how will I encrypt a URL like this: home.php?action=managesystemusers&trigger=edit&RecordID=1 - I will store this entirely in the DB, generate a random code, and then get back home.php?action=managesystemusers&trigger=edit&RecordID=1 with the help of that random code?

Each time a new URL is requested in the application, a new entry in the DB should be made?

Well, yeah. However, unless you have millions of pages, it shouldn’t affect your database very badly.

Though I do wonder why you don’t use a .htaccess RewriteRule:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^/?([^/]+)/([^/]+)/([^/]+)/?$ home.php?action=$1&trigger=$2&RecordID=$3

Then the following would work:
/managesystemusers/edit/1

Though I’d have personally used a users model to do that:
/users/edit/1

By this they can simply change the ID and get other results.

I don't want the user to come to know anything about my page names, actions, IDs or anything.

Search engines are going to hate your site :stuck_out_tongue:

Is there a specific reason you don’t want the user to know the URL? It sounds a little like paranoia if you ask me - I mean, if you have code in place to make sure a user can’t edit something they’re not supposed to - which I sincerely hope you do - you shouldn’t have any problems. Otherwise, put said security in place. Otherwise you’re leaving your site completely open, and url encryption won’t stop a determined user.

But if you’re insistent on making your website unusable, there are many encrypt/decrypt functions available online. Of course, by being available online, you’ll not be the only person aware of how they work.

It's an intranet-based workflow management application.

Then you should have no problem allowing the employees to change the url?

Why do you want to do this? It’s called a URL for a reason - it Locates a Resource. By scrambling that, you’re going to cause yourself more problems than it’s worth.

What you have to ask yourself is this: Is the ‘problem’ actually a problem?
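
An added example (not code from any poster in this thread) of the lookup-table option discussed above, combined with the server-side permission check one reply recommends. The in-memory arrays, user names and permission policy are constructed assumptions standing in for database tables.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in a real application these would be database tables.
$tokens = [];                 // token => internal URL
$permissions = [              // user => RecordIDs the user may edit (assumed policy)
    'alice' => [1, 2],
    'bob'   => [3],
];

// Issue an unguessable reference for an internal URL (the lookup-table option).
function issueToken(array &$tokens, string $internalUrl): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the OS CSPRNG
    $tokens[$token] = $internalUrl;
    return $token;
}

// Resolve a token, then enforce authorization on the record it points to.
// Knowing a valid token is never treated as proof of permission.
function resolve(array $tokens, array $permissions, string $user, string $token): array
{
    if (!isset($tokens[$token])) {
        return ['status' => 404, 'url' => null];
    }
    // Extract RecordID from the stored internal URL's query string.
    parse_str((string) parse_url($tokens[$token], PHP_URL_QUERY), $query);
    $recordId = (int) ($query['RecordID'] ?? 0);
    if (!in_array($recordId, $permissions[$user] ?? [], true)) {
        return ['status' => 403, 'url' => null];
    }
    return ['status' => 200, 'url' => $tokens[$token]];
}

$t = issueToken($tokens, 'home.php?action=managesystemusers&trigger=edit&RecordID=1');

// alice is permitted to edit record 1
var_dump(resolve($tokens, $permissions, 'alice', $t)['status']);
// bob presents the same token but has no right to record 1
var_dump(resolve($tokens, $permissions, 'bob', $t)['status']);
// a token that was never issued
var_dump(resolve($tokens, $permissions, 'bob', str_repeat('0', 32))['status']);
```

The same permission check protects the plain `home.php?...&RecordID=1` URL equally well, which is why the token layer adds obscurity but not access control.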