Posted by Dikkie Dik on 10/01/90 12:00
> How does your suggestion on hashing ids work?
I keep a list of known hashes in the session, say $_SESSION['known_hashes'].
If I have an ID that the user has to choose from, I pass the hash of
that ID and store it along with the ID in that list. So if a user can
choose from a set of bank accounts to work on, the HTML shows something
like:
<select ...>
<option value="sKbSKHgrsjbrvsrb2497wkj">First account</option>
...
</select>
When I process the result, I look up the hash in
$_SESSION['known_hashes'] to find what ID belongs to it.
This has a few advantages:
- No unnecessary database info is ever sent to the client,
- Only hashes are known that belong to that user, so even a brute force
guesswork will only yield the possibilities that the user would have anyway.
My hashing system hashes per table, so you cannot abuse a userID as an
accountID, for example.
> Like this: profilepage.php?uid=7sy6fsnyfm984oym3oyowiuyrowr432
> and server side: SELECT * FROM users WHERE md5(users.user_id) =
> $uid;
>
> Or more like this: SELECT * FROM users WHERE users.uidhash = $uid;
No. More like:
if(isset($_SESSION['known_hashes'][$accountParameter])):
    // FromHash() resolves the submitted hash to the ID stored with it
    $query = 'SELECT * FROM users WHERE user_id=' .
        FromHash($accountParameter);
endif;
Regards
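The per-table session map described in the reply, as an added example in PHP (not the poster's code). The HMAC with a per-session secret stands in for the poster's unshown hash function, $_SESSION is filled in directly so the script runs from the CLI, and the account rows are constructed sample data.

```php
<?php
// Added example: a per-table indirect-reference map kept in the session.
// $_SESSION is initialised here for a CLI run; session_start() would do it in a web request.
$_SESSION = [];
// Per-session secret feeding the per-table hash (assumption: the poster's own
// hash function is not shown; an HMAC over a random secret is used here).
function sessionSecret(): string
{
    if (!isset($_SESSION['hash_secret'])) {
        $_SESSION['hash_secret'] = random_bytes(32);
    }
    return $_SESSION['hash_secret'];
}
// Hash per table: ID 42 yields different tokens for 'users' and 'accounts',
// so a users token cannot be replayed as an accounts token.
function registerHash(string $table, int $id): string
{
    $token = hash_hmac('sha256', $table . ':' . $id, sessionSecret());
    $_SESSION['known_hashes'][$table][$token] = $id;
    return $token;
}
// Reverse lookup; null for anything this user was never offered.
function fromHash(string $table, string $token): ?int
{
    return $_SESSION['known_hashes'][$table][$token] ?? null;
}
// Build the <select> from the rows the current user owns (constructed sample rows).
function renderAccountSelect(array $rows): string
{
    $html = "<select name=\"account\">\n";
    foreach ($rows as $row) {
        $token = registerHash('accounts', $row['id']);
        $html .= sprintf("<option value=\"%s\">%s</option>\n",
            htmlspecialchars($token), htmlspecialchars($row['label']));
    }
    return $html . "</select>\n";
}
// Processing the submitted value: only a known token reaches the query, and the
// recovered integer is handed back as a bound parameter, never concatenated.
function accountQuery(string $submitted): ?array
{
    $id = fromHash('accounts', $submitted);
    return $id === null ? null : ['SELECT * FROM accounts WHERE account_id = ?', [$id]];
}
echo renderAccountSelect([['id' => 42, 'label' => 'First account'], ['id' => 43, 'label' => 'Savings']]);
$tok = array_key_first($_SESSION['known_hashes']['accounts']);
var_dump(accountQuery($tok)[1] === [42]);           // known token, right table
var_dump(fromHash('users', $tok));                  // same token, wrong table
var_dump(accountQuery('sKbSKHgrsjbrvsrb2497wkj'));  // token never offered to this user
```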