Encryption and Best Practices

anakadote

I was wondering if anyone knew what the likelihood is that two different integers could be encoded using Mcrypt (or any encryption scheme for that matter) but the resulting encrypted value would be the same? I mean even passing a 40-character sha1 encrypted hash stands a chance that two different strings might have the same the encrypted hash value, right?

I ask because I was considering alternatives to passing a database primary key in a $_get request in order to target one row. I noticed that YouTube uses some kind of encryption on their video IDs (for example nAMb7xZGLMM).

So, I guess I have two questions: the first is in my first paragraph and the second is what is the best-practice for passing IDs through $_get request?

Thanks!

NogDog

Well, the first question is: does it really matter whether or not the ID is encrypted? Unless the ID in and of itself actually provides any information as to the record it points to, what does it matter whether or not it is encrypted. In other words, what is the advantage of using [noparse]"http://example.com/index.php?id=b193fah523x8" versus "http://example.com/index.php?id=12345" [/noparse]?

In any case, if you do have a need to encrypt it, then by definition any encryption scheme will produce a unique string for each unique source. Hashing the string, on the other hand, could possibly have collisions for different source values, though I'd be surprised if any two integers that were not extremely large integers would have the same hash.

And of course, if you need to reverse the process to get back to the original value in your script, then you have to use encryption, as hashing is "one-way".