From what I understand, you want to prevent a user who manipulates the URL (whose parameter is a numeric id) from seeing another user's data.
If the id_e is generated in the backend
In the code that you showed us it is not clear where the id_e parameter comes from, but assuming that it is generated in the backend and passed to the browser at run time (either with PHP or by ajax), then there are two possible flows.
In one flow, the most traditional, you have a table of tokens, in which there is the field id_e and the field hash. Instead of directly passing the id_e to the browser, you pass the hash to it.
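// Read the hash that the backend placed in the page and navigate with it
function redirectWithHash() {
  var hash = document.getElementById('input').value;
  // encodeURIComponent keeps the value intact inside the query string
  window.location.href = 'http://localhost/index.php?hash=' + encodeURIComponent(hash);
}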
The user will eventually visit a URL that has a hash instead of a numeric id, and when you receive the request to index.php, you perform a search on your tokens table to see what id_e corresponds to the hash that they sent you.
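<?php
// Hash received in the query string (empty string if the parameter is missing)
$hash = $_GET['hash'] ?? '';
// Look up the id_e that corresponds to this hash in the tokens table
$id_e = buscar_en_tabla_de_tokens($hash);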
Hash generation can be done in many ways. Essentially it is a random alphanumeric string that could be, for example, the result of hashing the id:
$hash = password_hash($id_e, PASSWORD_DEFAULT);
The important thing is that only the server side knows with what algorithm you are encrypting and what happens to that algorithm.
There is a second way, JSON Web Tokens, which does not require using a table of tokens, but occurs between the browser and the backend code. However, that way requires that you send a request with headers and payload, which you will not be able to do using window.location.href.
It means that in the best of cases, you will have to create your table of tokens and add the logic to consult that table to know the id_e.
If the id_e is generated in the browser
If the id_e is generated entirely on the client's side, any encryption that you put in it can be reversed simply by looking at the js code of the frontend. In that case there is not much to do except obscure the ID a bit, for example using base64.
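// Base64-encode the id typed by the user and navigate with it
function redirectWithId() {
  var id_e = document.getElementById('input').value;
  id_e = window.btoa(id_e);
  // encodeURIComponent protects the '+', '/' and '=' that base64 can produce
  window.location.href = 'http://localhost/index.php?id_e=' + encodeURIComponent(id_e);
}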
and then in index.php
<?php
// Decode the base64 value sent in the id_e parameter
$id_e = base64_decode($_GET['id_e'] ?? '');
But I repeat, that is not security but simply obfuscation. Anyone who sees your js code will know how to generate the id_e of other numeric values.
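
The token-table flow described in this answer, as an added example that is not part of the original answer. It generates the token with random_bytes rather than password_hash; the in-memory SQLite database, the user_id column, the issue_token helper and the extra parameters on buscar_en_tabla_de_tokens are assumptions made for illustration.

```php
<?php
// Added example: a tokens table that maps an unguessable hash to id_e.
// Assumptions: SQLite in memory, a user_id column, and the helper names below.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tokens (
    hash    TEXT PRIMARY KEY,
    id_e    INTEGER NOT NULL,
    user_id INTEGER NOT NULL
)');

// Called by the backend when it renders the page: store a random token
// for the record and hand only the token to the browser.
function issue_token(PDO $pdo, int $id_e, int $user_id): string
{
    $hash = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, hex is URL-safe
    $stmt = $pdo->prepare('INSERT INTO tokens (hash, id_e, user_id) VALUES (?, ?, ?)');
    $stmt->execute([$hash, $id_e, $user_id]);
    return $hash;
}

// Called in index.php with $_GET['hash'] and the logged-in user's id.
// Returns null when the hash is malformed, unknown, or belongs to another user.
function buscar_en_tabla_de_tokens(PDO $pdo, string $hash, int $user_id): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $hash)) {
        return null; // not a value issue_token() could have produced
    }
    // Prepared statement: the hash comes from the URL and is never concatenated into SQL
    $stmt = $pdo->prepare('SELECT id_e FROM tokens WHERE hash = ? AND user_id = ?');
    $stmt->execute([$hash, $user_id]);
    $id_e = $stmt->fetchColumn();
    return $id_e === false ? null : (int) $id_e;
}

// Constructed sample data: user 7 owns record 42.
$hash = issue_token($pdo, 42, 7);

var_dump(buscar_en_tabla_de_tokens($pdo, $hash, 7));                // the owner's request
var_dump(buscar_en_tabla_de_tokens($pdo, $hash, 8));                // same hash, different user
var_dump(buscar_en_tabla_de_tokens($pdo, str_repeat('0', 64), 7));  // well-formed but never issued
var_dump(buscar_en_tabla_de_tokens($pdo, '43', 7));                 // a numeric id typed into the URL
```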