Previously, the ID was used directly as a GET parameter in various front-end transmissions, such as
a.com?uid=16
With an address like this, once a user discovers the pattern, they only need to change 16 to 17, 18, 19 and so on to view each individual user's data. How should this be solved?
The requirement is not that users are forbidden to view other users' data; anyone may look at it. So why is there such a requirement? It is like a phone number: as long as you have the number you can find that person, and without the number it is hard to find them by trying the whole pool, by luck and so on. Youku, Tudou, Bilibili, all the video sites do not show the video ID directly in the address bar; it is encrypted. (If those video sites do not have sequential IDs in the database, then never mind what I said... in fact I have not seen the databases of the sites above.)
The requirements are: encryption/decryption should be fast, and it should be hard to crack. (The former takes priority.)
Reply content:
So, if your goal is to prevent users from viewing other users' data, then your idea is a bit off the mark.
What you should do is authentication and authorization on the backend instead of encrypting the UID. For example, if the currently logged-in user has uid=16, then when he requests a.com?uid=17 (or any page that is not 16), the backend should be able to determine that he has no permission and return accordingly (such as outputting a blank page, or directly throwing a 403, and so on).
As for how to implement the check, the simple way is to record the logged-in user's UID in $_SESSION['uid'], and on every request determine whether $_GET['uid'] == $_SESSION['uid'] holds.
2016-10-26 21:51 addendum:
The OP updated the question to say the requirement is that anyone can see a user's profile; they just want to hide the user's uid. In that case, my practice is to add an openid field to the user table and put an index on it. When the user registers, generate a unique openid from the uid, the UNIX timestamp, a random string of some length and so on, combined through md5() or a similar function, and use the openid to retrieve the data when the information is public.
If you insist on using encryption, you can search online; there are a lot of ready-made solutions. I searched Google with the keywords "PHP加解密" (PHP encryption/decryption), and almost everything on the first page is what you want. For example, the following code comes from the first article in the search results; you can refer to it (I did not test it).
Source: Http://jerry17768java.blogspo ...
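The two points of the answer above, a backend permission check instead of trusting the uid in the URL, and an unpredictable openid used as the public lookup key, as one added worked example in PHP. This is not the answerer's code: the in-memory $userTable, the function names and the sample users are this example's own choices, and it uses random_bytes() with sha256 where the answer mentions a random string with md5() (the unpredictability comes from the random bytes, not from the hash). It runs stand-alone from the CLI with no database.

```php
<?php
// Added example (not from the original answer): backend authorization check
// plus an opaque "openid" lookup key. Run with: php idor_demo.php
// $userTable, registerUser(), handleProfileRequest() etc. are this example's
// own names, not part of any framework.
declare(strict_types=1);

// Constructed in-memory stand-in for the users table: uid => row.
$userTable = [];

// Registration: generate an unpredictable openid so public URLs carry it
// instead of the sequential uid. Ingredients follow the answer (uid, UNIX
// timestamp, random string); randomness comes from random_bytes().
function registerUser(array &$table, int $uid, string $name, string $email): string
{
    $openid = hash('sha256', $uid . '|' . time() . '|' . bin2hex(random_bytes(16)));
    $table[$uid] = [
        'uid'    => $uid,
        'openid' => $openid,   // would be an indexed column in a real table
        'name'   => $name,     // public
        'email'  => $email,    // private: only the owner may see it
    ];
    return $openid;
}

// Look up a record by openid for public pages; null when nothing matches.
function findByOpenid(array $table, string $openid): ?array
{
    foreach ($table as $row) {
        if (hash_equals($row['openid'], $openid)) {
            return $row;
        }
    }
    return null;
}

// The shape from the question: whatever uid arrives in the query string is
// used directly, so ?uid=17 hands user 17's private data to anyone.
function vulnerableProfile(array $table, array $get): ?array
{
    $uid = (int) ($get['uid'] ?? 0);
    return $table[$uid] ?? null;
}

// Hardened shape: the identifier in the URL only selects the record; the
// session decides what the caller may see. Public fields are always returned,
// private fields only when the session uid matches the record owner.
function handleProfileRequest(array $table, array $get, array $session): array
{
    $row = findByOpenid($table, (string) ($get['openid'] ?? ''));
    if ($row === null) {
        return ['status' => 404, 'body' => null];
    }
    $body = ['name' => $row['name']];
    if (isset($session['uid']) && (int) $session['uid'] === $row['uid']) {
        $body['email'] = $row['email'];   // owner only
    }
    return ['status' => 200, 'body' => $body];
}

// For owner-only actions (edit, delete) do not read a uid from the request at
// all: take it from the session and refuse when there is no session.
function handleEditRequest(array &$table, array $post, array $session): int
{
    if (!isset($session['uid']) || !isset($table[(int) $session['uid']])) {
        return 403;
    }
    $table[(int) $session['uid']]['name'] = (string) ($post['name'] ?? '');
    return 200;
}

// --- demo with constructed data ---
$aliceOpenid = registerUser($userTable, 16, 'alice', 'alice@example.invalid');
$bobOpenid   = registerUser($userTable, 17, 'bob',   'bob@example.invalid');
$session     = ['uid' => 16];                      // alice is logged in

// Old behaviour: a tampered uid returns bob's private email to alice.
var_dump(vulnerableProfile($userTable, ['uid' => '17'])['email']);

// New behaviour: alice sees bob's public name but not his email ...
var_dump(handleProfileRequest($userTable, ['openid' => $bobOpenid], $session));
// ... sees her own email on her own profile ...
var_dump(handleProfileRequest($userTable, ['openid' => $aliceOpenid], $session));
// ... and cannot edit anything without a session (403).
var_dump(handleEditRequest($userTable, ['name' => 'mallory'], []));
```

In a real application the $get and $session arrays are $_GET and $_SESSION after session_start(); the point of passing them as parameters here is that the permission decision depends only on the session, never on the identifier the client supplied.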
Hash something + random something.
I think you should add an authorization check, such as identifying the user according to the cookie.
Encryption/decryption can be done with OpenSSL AES:
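The reply above ends without its code, so here is an added example (not the reply's own code) of what "OpenSSL AES" for this purpose looks like in PHP: encrypting the numeric uid into an opaque, tamper-evident token with openssl_encrypt() in AES-256-GCM mode, and decoding it back. The key, the base64url helpers, the function names and the sample uid are this example's own choices; the key is generated at run time only so the file runs stand-alone, and a real deployment loads it from configuration. Note that this hides and protects the identifier but is not an access check: a user who legitimately received a token can reuse it, so the backend permission check from the first answer is still needed.

```php
<?php
// Added example, not code from the reply above: reversible, authenticated
// encryption of a numeric id with OpenSSL AES-256-GCM, so the address bar
// carries an opaque token instead of uid=16. Requires PHP 7.1+ (GCM tag
// support in openssl_encrypt). Run with: php id_token.php
declare(strict_types=1);

const ID_CIPHER = 'aes-256-gcm';

// In production the key comes from configuration, never from source code.
// Constructed from random_bytes() here purely so the example runs stand-alone.
function loadKey(): string
{
    static $key = null;
    if ($key === null) {
        $key = random_bytes(32);   // 256-bit key
    }
    return $key;
}

// Base64url without padding, so the token survives a query string untouched.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
function b64urlDecode(string $txt): ?string
{
    $bin = base64_decode(strtr($txt, '-_', '+/'), true);
    return $bin === false ? null : $bin;
}

// uid -> token. A fresh random IV per token means the same uid yields a
// different token each time; the GCM tag makes any modification detectable.
function encryptId(int $uid, string $key): string
{
    $iv  = random_bytes(12);      // 96-bit nonce, the recommended size for GCM
    $tag = '';
    $ct  = openssl_encrypt((string) $uid, ID_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return b64url($iv . $tag . $ct);
}

// token -> uid, or null for anything malformed or tampered with.
function decryptId(string $token, string $key): ?int
{
    $raw = b64urlDecode($token);
    if ($raw === null || strlen($raw) < 12 + 16 + 1) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, ID_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false || !ctype_digit($pt)) {
        return null;              // tag mismatch (tampering / wrong key) or garbage
    }
    return (int) $pt;
}

// --- demo with a constructed uid ---
$key   = loadKey();
$token = encryptId(16, $key);
echo "token: $token\n";
var_dump(decryptId($token, $key));      // int(16)

// Changing one character inside the tag region is caught by GCM: NULL.
$tampered     = $token;
$tampered[20] = ($tampered[20] === 'A') ? 'B' : 'A';
var_dump(decryptId($tampered, $key));
```

Because the IV is random, the same uid produces a different token on every call, so tokens cannot be compared or enumerated the way sequential uids can; if a stable public identifier is wanted instead, the openid column approach from the first answer is the better fit.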