I don't want users to try predicting my URLs, which are like this:

www.example.org/article.php?F=12

where F is a code for featureID and that's the ID number of a feature article in my database. They get to this page by reading headlines on my index.php; the link is like this: <a href="article.php?F=<?php echo $row['FeatureID']; ?>">Title</a>

How can I either remove the requirement to have the $_GET in the URL?

Or

Can I do something like this?

$FeatureID = md5($row['FeatureID']);  //5 = e4da3b7fbbce2345d7772b0674a318d5 
$RandomNumber = md5($row['Code']); //9144 = d4bad256c73a6b25b86cc9c1a77255b1

where the random number is a 4-digit random number that is created when the row is created, and unless the code and feature ID match, no results are returned.

example.org/article.php?F=e4da3b7fbbce2345d7772b0674a318d5&ID=d4bad256c73a6b25b86cc9c1a77255b1

how safe is this?

    My first concern would be search engines, and what would happen to your site rank if crawled links kept breaking whenever the engine returned to your site.

    If that is not an issue in this case (i.e. search engines shouldn't be crawling it in the first place), my initial thought would be to make use of PHP sessions to keep track of what ID is associated with (pseudo-)randomly generated tokens. Then when you see something like $_GET['id'] has a value of "sksk2939s843sdf", you would look for that key in $_SESSION (or likely a sub-array within there), and if found, use its value as the actual page ID.

      I didn't consider search engines, I guess I want them to crawl the pages as someone may search for content in my articles.
      Is there any risk in having my Article ID's showing?
      What if it wasn't articles but say a shopping category or product ID?

        how does this forum work?

        forumdisplay.php?10-Coding

        there is no ? or =

          There is a question mark; immediately following the question mark is the ID of the row being displayed, whether it be a forum whose ID is 10 in the URL you copied or 10386515 as seen in the URL for this thread, /showthread.php?10386515-URL-Prediction. Then it's followed by a dash and the title of what's being displayed. My guess is the text isn't used at all but rather just the numbers up to the first non-numeric character.

            so it does

            forumsdisplay?11-coding

            takes you to the echo lounge, so there is no Something = anything, it's just ?10

            how does this work?

              URL rewriting by the web server such as via Apache's mod_rewrite

                NZ_Kiwis;11014369 wrote:

                What if it wasn't articles but say a shopping category or product ID?

                At least as much reason to keep consistent URLs as for articles. If someone does a web search for "SomeProduct", I'd definitely want the search engine to point them to my URL with that product.

                Moreover, if a page for an article, product or anything else for that matter, ever changes (permanently), you should respond with
                HTTP/1.1 301 Moved Permanently, followed by a location header. This way, you ensure that your stuff will still be found.

                The only reason I can think of to do anything with resource URLs is when they give direct (as in non-scripted) access to resources on which you wish to impose some kind of limitation, such as a pay per view video. If you, after a user somehow has paid you with an online transaction, show them a page with a video element, whose source is http://example.com/video.mp4, it won't take much time before other people will request the video without going through your payment page.

                On the other hand, you still don't have to muck around with changing URLs, but what you do is provide a source of http://example.com/streamvideo.php?file=video.mp4. That script is told which video to send to the user, and before doing so it can check that the user is allowed to see it. You just make certain that "video.mp4" is not found in the web root on that server. The actual file doesn't have to be "video.mp4", it could be anything. Also, it doesn't even have to reside on the same domain. The script just needs a way to look up the correct URL or file path to it, fetch the data and relay it to the user.
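The gatekeeper script described in the post above, as an added example that is not part of the original thread. VIDEO_DIR, $catalog, resolve_video() and the $_SESSION['paid_videos'] key are assumptions made for illustration; the point is that the file is protected by the authorization check, not by how its URL looks.

```php
<?php
// Added example: a streamvideo.php-style gatekeeper. All names here
// (VIDEO_DIR, $catalog, $_SESSION['paid_videos']) are assumptions.
declare(strict_types=1);

const VIDEO_DIR = '/srv/private/videos'; // assumed path outside the web root

// Constructed sample catalogue: public name => real file name on disk.
$catalog = ['video.mp4' => 'a1-feature-film.mp4'];

/** Return the on-disk path for a permitted request, or null to refuse. */
function resolve_video(string $requested, array $catalog, array $paid): ?string
{
    // Only names present in the catalogue are served, so "../" tricks
    // in the parameter never reach the filesystem.
    if (!isset($catalog[$requested])) {
        return null;
    }
    // The user must have paid for this item during their session.
    if (!in_array($requested, $paid, true)) {
        return null;
    }
    return VIDEO_DIR . '/' . $catalog[$requested];
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $requested = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';
    $paid = (array) ($_SESSION['paid_videos'] ?? []);
    $path = resolve_video($requested, $catalog, $paid);
    if ($path === null || !is_file($path)) {
        http_response_code(403);
        exit('Forbidden');
    }
    header('Content-Type: video/mp4');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```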

                  NogDog;11014385 wrote:

                  URL rewriting by the web server such as via Apache's mod_rewrite

                  While that is certainly one way to do it, I don't believe that's how this forum operates.

                  @: It's not /forumsdisplay?11-coding, it's /forumdisplay.php?10-coding. And as others have said, the .php scripts don't care what the text is after the integer ID value... example: http://board.phpbuilder.com/forumdisplay.php?10-This-is-NOT-the-Coding-forum still brings up the Coding forum.

                  And no, there is no equal sign. But who ever said there had to be one in the first place?

                    What is the reason for wanting to avoid predictability? And what do you mean by 'predictability' ? Keep in mind that if you want your content to be crawled by search engines, then you will necessarily need to have all of your links listed either in a sitemap or as a link from some page on your site. With that in mind, your links are to some degree predictable no matter what -- you just have to crawl the site to find them.

                    If you want to protect information as johanafm suggested, then the predictability of the link is irrelevant. You would just need to put some code in your PHP script that acts as a gatekeeper based on some criteria that you choose.

                      sneakyimp;11014425 wrote:

                      you just have to crawl the site to find them.

                      You probably don't even need to do that; instead, you could just take advantage of someone who has already crawled your entire site. Google comes to mind.

                      For example, go to Google search and type in this as your search query:

                      site:phpbuilder.com/board/attachment

                      Your search results should be nothing but files that users have attached to posts throughout this forum.

                      EDIT: To clarify my point... don't try to use URL obfuscation (or non-predictability) as a form of security... because it isn't one. To me, that's like placing several large rocks near the front door of your house and hiding your house key underneath one of them, hoping that thieves won't manage to look under the correct rock.

                        bradgrafelman;11014403 wrote:

                        While that is certainly one way to do it, I don't believe that's how this forum operates.

                        @: It's not /forumsdisplay?11-coding, it's /forumdisplay.php?10-coding. And as others have said, the .php scripts don't care what the text is after the integer ID value... example: http://board.phpbuilder.com/forumdisplay.php?10-This-is-NOT-the-Coding-forum still brings up the Coding forum.

                        And no, there is no equal sign. But who ever said there had to be one in the first place?

                        okay so one does not need to do page.php?ID=1

                        So you could do?
                        page.php?32
                        page.php?32-SomeOtherText

                        would both of these work? how do I get the value of 32? normally I would do $_GET['ID'] also what does the text do?

                          NZ_Kiwis;11014437 wrote:

                          okay so one does not need to do page.php?ID=1

                          So you could do?
                          page.php?32
                          page.php?32-SomeOtherText

                          would both of these work? how do I get the value of 32? normally I would do $_GET['ID'] also what does the text do?

                          Nogdog has already answered the HOW question:

                          NogDog;11014385 wrote:

                          URL rewriting by the web server such as via Apache's mod_rewrite

                          My guess is that they have a mod_rewrite rule in either an .htaccess file or in the apache conf file which takes the query string, extracts all the numbers up to the dash (-) and then ignores everything else.

                          But you don't need apache to do that, you can write some PHP that parses the query string. Put this in page.php:

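                          <?php
                          // Escape before echoing: the query string is user-controlled input.
                          echo "Your query string is " . htmlspecialchars($_SERVER["QUERY_STRING"], ENT_QUOTES, 'UTF-8');
                          die();
                          ?>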
                          
                            sneakyimp;11014449 wrote:

                            Nogdog has already answered the HOW question

                            Again, I don't think he did. I doubt that any URL rewriting is going on - simply because it's unnecessary.

                            It's unnecessary since, as you've pointed out, a PHP script is perfectly capable of examining the raw query string before the core PHP engine parses it into separate indexes inside $_GET. I don't have the vBulletin software, so I can't say for certain that this is what's happening... but I can say that I would be surprised if it isn't.

                              NZ_Kiwis wrote:

                              how do I get the value of 32? normally I would do $_GET['ID'] also what does the text do?


                              Here's an idea: try something. For example, write up a page test.php containing

                              <?php
                              	var_dump($_GET);
                              ?>
                              

                              Then hit http://localhost/test.php?32-SomeOtherText.
                              Then think about the result.
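One way to handle the page.php?32-SomeOtherText form discussed in this thread, as an added example that is not code from any poster or from the forum software. It reads the leading integer from the raw query string, applies the gatekeeper check on the row itself, and sends the 301 response recommended earlier when the trailing text is not the canonical one; $articles, leading_id() and route() are hypothetical names, and the sample rows are constructed.

```php
<?php
// Added example: handling article.php?12-Some-Title without $_GET keys.
// $articles and the URL layout are assumptions made for illustration.
declare(strict_types=1);

// Constructed sample rows standing in for the database table.
$articles = [
    12 => ['slug' => 'url-prediction', 'published' => true],
    13 => ['slug' => 'draft-piece',    'published' => false],
];

/** Leading integer of the raw query string, or null if there is none. */
function leading_id(string $query): ?int
{
    // Digits up to the first non-digit; at most 9 digits so the cast
    // cannot overflow, and no leading zero.
    if (preg_match('/^([1-9][0-9]{0,8})(?![0-9])/', $query, $m) !== 1) {
        return null;
    }
    return (int) $m[1];
}

/** Decide the response: [status, canonical query string or null]. */
function route(string $query, array $articles): array
{
    $id = leading_id($query);
    // Guessing ID 13 gains nothing: the row itself says whether it is public.
    if ($id === null || !isset($articles[$id]) || !$articles[$id]['published']) {
        return [404, null];
    }
    $canonical = $id . '-' . $articles[$id]['slug'];
    // Any other trailing text is redirected to the one canonical URL.
    return $query === $canonical ? [200, $canonical] : [301, $canonical];
}

if (PHP_SAPI !== 'cli') {
    [$status, $canonical] = route($_SERVER['QUERY_STRING'] ?? '', $articles);
    if ($status === 301) {
        header('Location: /article.php?' . $canonical, true, 301);
    } elseif ($status === 404) {
        http_response_code(404);
    } else {
        echo 'Render the article here';
    }
}
```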
