在url中隐藏真正的数据库对象ID [英] Hiding true database object ID in url's

问题描述

出于安全目的，在URL中隐藏真正的数据库对象ID有用的解决方案是什么？我发现其中一个解决方案是：

1）使用

人们应该做些什么改变

解释

通常， >短的随机浏览网址。这不会让您有足够的空间来加密然后进行身份验证您希望混淆的数据库记录ID。这样做需要最少的URL长度为32字节（对于HMAC-SHA256），在base64编码时为44个字符。

一个更简单的策略是生成一个随机字符串（请参阅 random_compat ，了解 random_bytes（）和 random_int（）来生成这些字符串）并引用该列。 href =https://carnage.github.io/2015/08/cryptanalysis-of-hashids =nofollow noreferrer> hashids破解通过简单的密码分析。他们的结论是：

我描述的攻击明显优于暴力攻击，因此从加密的角度来看，算法被考虑被打破，回收盐很容易;使攻击者可以在任一方向运行编码，并使属性2无效，以获得理想的散列函数。

不要依赖就可以了。

What would be useful solutions for hiding true database object ID in URL for security purposes? I found that one of the solutions would be:

1) Using hashids open source project

2) Using something like same old md5 on creation of the object to generate hash and store it in database, then use it in url's and querying by them, but the drawback is that querying by auto-incremented primary keys (IDs) is faster than hashes. So I believe the possibility to hash/unhash would be better?

Also as I'm on Symfony, are there maybe bundles that I could not find or built in functionalities that would help?

Please tell me what you found useful based on your experiences.

解决方案

This question has been asked a lot, with different word choice (which makes it difficult to say, "Just search for it!"). This fact prompted a blog post titled, The Comprehensive Guide to URL Parameter Encryption in PHP .

What People Want To Do Here

What People Should Do Instead

Explanation

Typically, people want short random-looking URLs. This doesn't allow you much room to encrypt then authenticate the database record ID you wish to obfuscate. Doing so would require a minimum URL length of 32 bytes (for HMAC-SHA256), which is 44 characters when encoded in base64.

A simpler strategy is to generate a random string (see random_compat for a PHP5 implementation of random_bytes() and random_int() for generating these strings) and reference that column instead.

Also, hashids are broken by simple cryptanalysis. Their conclusion states:

The attack I have described is significantly better than a brute force attack, so from a cryptographic stand point the algorithm is considered to be broken, it is quite easy to recover the salt; making it possible for an attacker to run the encoding in either direction and invalidates property 2 for an ideal hash function.

Don't rely on it.

这篇关于在url中隐藏真正的数据库对象ID的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！