encrypting $_GET parameters

[mufka]

I don't know exactly what to call it, but I'd like to find a way to encrypt/mask the information that is passed to PHP via GET. For example, I'd normally need

http://www.domain.com/page.php?id=1234.

I'd like a way to mask that so visitors can't just browse through the records by changing the numbers.

I could use md5 going the other way to compare input text to a stored value, but can I do it in the opposite direction?

 

[jpadie]

use nonces.

but beware making it difficult to pages will reduce your SEO efficacy.

if you must use md5 then you can store a hash of encoded to unencoded values in a table (which is workable until you have thousands and thousands of static pages).

you could also use base64encode/decode. But all of these are encodings, not encryptions.

I would rethink the approach and the requirement.

 

[Noway2]

I would rethink the approach and the requirement.

I agree. If you are concerned about encrypting data, using SSL/TLS via and https server might be a better approach.

 

[ingresman]

Or you could md5() (with a nonce) the entire query string and then append that to the query string. So when it gets back to the server recaluclate the md5() and if it differs from the one also in the query string its been tampered with so you can reject the page. This has the benefit that you don't have to store any values in state/session on the server.
Of couse you could put all the query string information in a hidden field and only ever use POST so the user never sees the values. This won't stop someone altering the page or generating a dummy page to upset your back end though.
So yes have a rethink and bear in mind that encryption (e.g. SSL) offers confidentiaity and digest/hash e.g. md5() offers tamper detection -> two very different things.
hope this helps !