Each user object in my database has an incremental ID (1, 2, 3, ...). The URL to view a user's profile contains the ID of the user object; e.g. http://www.example.com/users/1. This way everyone can see how many users there are on the website, how fast the userbase is growing etc. I don't want to give that information away.
I would like to convert the incremental ID to a fixed length string in Base58 format, so the URL would look like http://www.example.com/users/2WNrx2jq184 Also, I need the reverse function that converts the string back to the original ID. The reverse function should not be easy to reverse engineer.
The best Python code I found for this purpose is https://github.com/JordanReiter/django-id-obfuscator. It is very good, but in some cases it adds a
If you want to properly do this, take your user ID, pad it with leading zeros, then encrypt it with something like AES and encode the result with base58. To get the ID back, just decode, decrypt and
int() the result.
So for encryption:
>>> from Crypto.Cipher import AES >>> import base64 >>> obj = AES.new('yoursecretkeyABC') >>> x = base64.encodestring(obj.encrypt("%016d"%1)) >>> x 'tXDxMg1YGb1i0V29yCCBWg==\n'
>>> int(obj.decrypt(base64.decodestring(x))) 1
If you can live with weak crypto, you could also simply xor the padded ID with a key:
>>> key = [33, 53, 2, 42] >>> id = "%04d" % 1 >>> x = ''.join([chr(a^ord(b)) for a, b in zip(key, id)]) >>> x '\x11\x052\x1b' >>> int(''.join([chr(a^ord(b)) for a, b in zip(key, x)])) 1
But this is much less secure since you should never use the same OTP for multiple messages. Also make sure the key is the same length as your padded ID.