How to generate Unique Order Id (just to show touser) with actual Order Id?

1. Create your secret key (any string) and save in your config files (or DB config).
2. Create unique ID: $newId = hash_hmac('sha1', $orderId, $secret_key).'-'.$orderId;. So, your order pages will looks like http://example.com/order/show/123456...absdef-123.
3. You can quickly get original order ID and check it:

 list($hash, $original) = explode($newId, '-', 2);
 if (hash_hmac('sha1', $original, $secret_key).'-'.$original === $hash)
 {
    // its a correct ID
 }
 else
 {
    // wrong hash, ignore it!
 }

This way original ID is public, but user cant replace it in site address because of unknown hashed string (first part of unique ID).

If your requirements are:

• It must be reversible (i.e. given just the "random" ID, you can find the original order_id)
• No extra columns
• You don't want to show the original/internal order_id to the user at all

then I would recommend some kind of two-way encryption. Hashing won't work as you can't find the original value from a hash.

I'm also adding that it should be human-friendly e.g. someone can call it out over the phone to you

I'm going to use a very simple two way encryption class located here, which was written by Tony Marston.

We want the solution to be human-friendly so let's remove some of the scramble chars. I've left only uppercase characters, numbers and the space and dash symbols. All of these can be easily communicated using the standard phonetic alphabet, and the forced use of uppercase removes any confusion as to what a character is.

These are the scramble strings I used (I used this online word scrambler rather than trying to scramble the string myself):

    $this->scramble1 = '0123456789-ABCDEFGHIJKLMNOPQRSTUVWXYZ ';
    $this->scramble2 = 'UKAH652LMOQ FBDIEG03JT17N4C89XPV-WRSYZ';

So the code to create our human-friendly order id is:

<?php

include 'encryption_class.php';

$crypt = new encryption_class();

$key = "A-COMPLETELY-RANDOM-KEY-THAT-I-HAVE-USED";
// Min length of 8 for encrypted string
$min_length = 8;

$order_id = 123456789;

print "Original: " . $order_id . PHP_EOL;

$encrypt_result = $crypt->encrypt($key, $order_id, $min_length); 

print "Encrypted: " . $encrypt_result . PHP_EOL;

// DECRYPT
$decrypt_result = $crypt->decrypt($key, $encrypt_result);

print "Decrypted: " . $decrypt_result . PHP_EOL;

?>

(You need to download and save the *encryption_class* file locally, and include it).

I ran that code from the command line and received the following output:

Original: 123456789
Encrypted: 2UD5UIK9S
Decrypted: 123456789

Now we have our short, human-friendly order_id, which can be used in a URL such as http://myapp.example.com/order/view/2UD5UIK9S, and you never need to display or communicate the internal order_id to your users.

Notes:

The encrypted code will be unique once your order_id is unique (since it's a PK it will be)

This should not be used as a password encryption/decryption routine - don't store passwords, store hashes.

Make sure your secret key is random, complex and contains only the characters in your $scramble variables.

It obfuscates the order_id only.

Edit:

Although padding the input string (order_id) generates a certain amount of ramdomness, you could combine this with @biakaveron's answer to create a URL like http://myapp.example.com/order/view/5cc46aea44e898c3b4e1303eb18d8161302cd367/2UD5UIK9S

First of all, you should keep your order_id as a physical identifier in your database : that field is an integer, it works well (your code is designed to use that -- and integers give better performances than string keys).

But you can add another field that would act as an identifier for the user :

• A varchar(something) or char(something) field, that would get a better display and would be harder to guess,
• It would be displayed to the user,
• There would be a UNIQUE index on it,
• But it would have no technical meaning for your code.

A GUID might be an idea -- but I have the fealing it might be a bit too long...

What about something based on the first letter of the user's name, the date, and some random number ?
It would be hard to guess, and still have a bit of meaning for the user...

Of course, you will not be able to calculate the order_id from that string identifier -- but if that one is unique, a simple query and you'll get the order_id back :

select order_id from your_table where nice_looking_id = '...';