




× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

securing url id's
#1
I am really concerned about showing URL IDs to view details for a product that I am setting up.  Is there a way in US to hide or make it more secure?

This is what I have:  <a href="product_details.php?transac_id=<?php echo $product['id']?>">Product Name</a>
#2
You can POST to the details page but your tokens will break if the user tries to refresh. That would be the only way, and even then you'd have to pass the ID variable back through the form which would be in a public way.
#3
(10-10-2018, 09:53 PM)eforbes Wrote: I am really concerned about showing URL IDs to view details for a product that I am setting up.  Is there a way in US to hide or make it more secure?

This is what I have:  
Code:
<a href="product_details.php?transac_id=<?php echo $product['id']?>">Product Name</a>

You could maintain a session table perhaps? Generate a nonce which maps to the product ID, store it in the database or the PHP session (edit: or both, probably; you want the nonce in $_SESSION or a cookie, and the mapping in a database table). Your link would then be
Code:
<a href="product_details.php?transac_id=<?php echo $nonce?>">Product Name</a>

Your product_details.php page can then look up the nonce in the session or db to retrieve the product ID. Just generate hashes or random strings for the nonce, and there'll be no way to reverse engineer or expose the product IDs. Think about likely hash collisions if you're doing it yourself.
I'm at a bit of a loss as to _why_ you'd want to do that, but hey, it's probably doable :)
#4
If you are going to hide the product ID, your best solution in my opinion would be the one just suggested. However, I also agree: I don't see any reason or security risk in exposing the Product ID.
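The session-backed nonce mapping suggested in post #3, as an added example that is not part of the original thread and is not UserSpice code. The function names and the `product_tokens` session key are hypothetical, the product row is constructed sample data, and the two halves at the bottom would live in the listing page and in product_details.php respectively.

```php
<?php
// Added example, not UserSpice code. Function names and the
// 'product_tokens' session key are hypothetical.
declare(strict_types=1);

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Return an opaque token for $productId, creating one on first use.
// Reusing the stored token keeps links stable across page refreshes.
function token_for_product(int $productId): string
{
    $map = $_SESSION['product_tokens'] ?? [];
    $existing = array_search($productId, $map, true);
    if ($existing !== false) {
        return (string) $existing;
    }
    // 128 bits from the CSPRNG, so collisions are not a practical
    // concern, unlike short random strings or truncated hashes.
    $token = bin2hex(random_bytes(16));
    $_SESSION['product_tokens'][$token] = $productId;
    return $token;
}

// Resolve a token from the URL back to a product ID, or null if this
// session never issued it (tampered, guessed, or from an old session).
function product_for_token(string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    return $_SESSION['product_tokens'][$token] ?? null;
}

// Listing page: emit the link with the token instead of the ID.
$product = ['id' => 42, 'name' => 'Product Name']; // constructed sample row
$href = 'product_details.php?transac_id=' . urlencode(token_for_product($product['id']));
echo '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">'
    . htmlspecialchars($product['name'], ENT_QUOTES) . "</a>\n";

// product_details.php: resolve the token before querying the database.
$id = product_for_token((string) ($_GET['transac_id'] ?? ''));
if ($id === null) {
    http_response_code(404);
    exit('Unknown product link');
}
```

Because the mapping lives in `$_SESSION`, these links only work for the session that generated them and cannot be bookmarked or shared. The token hides the ID but does not decide who may view the product; that check still belongs on the details page.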

