I've a simple friend request system, where user clicks button which contains user_id of target user, this id and is passed to the function which creates request row in DB.
I don't want user to be able to request any user_id as a friend, just the ones I suggest.
So I need a way to mask user_id so malicious user doesn't start plugging in numbers and sending out requests with automatic tool.
I thought of a simple multiplication system. So I take user_id * really_long_number and than inside request function, I divide by that same number. Malicious user doesn't know the value of this really_long_number and thus doesn't know user_id.
so if:
user_id = 1
really_long_number = 12345678
key = 12345678
But I think this strategy is not the best, it can be really easily deduced by looking at enough numbers generated by system.
What do you suggest?