RotUrl: encode/obfuscate URLs for use in other URLs

rotUrl.php

<?php

/**
 * Rot35 for URLs. To avoid increasing size during urlencode(), commonly encoded
 * chars are mapped to more rarely used chars (end of the uppercase alpha).
 *
 * @param string $url
 * @return string
 */
function rotUrl($url) {
    return strtr($url,
        './-:?=&%# ZQXJKVWPY abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHILMNORSTU',
        'ZQXJKVWPY ./-:?=&%# 123456789ABCDEFGHILMNORSTUabcdefghijklmnopqrstuvwxyz');
}

It breaks the url if source url contains any of ZQXJKVWPY.

If you're using urlencode() correctly it does not.

Then how about

if (! function_exists('rotUrl')) {
    function rotUrl($url) {
        return urlencode(strtr($url,
            './-:?=&%# ZQXJKVWPY abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHILMNORSTU',
            'ZQXJKVWPY ./-:?=&%# 123456789ABCDEFGHILMNORSTUabcdefghijklmnopqrstuvwxyz'));
    }
}
if (! function_exists('unrotUrl')) {
    function unrotUrl($url) {
        return strtr(urldecode($url),
            './-:?=&%# ZQXJKVWPY abcdefghijklmnopqrstuvwxyz123456789ABCDEFGHILMNORSTU',
            'ZQXJKVWPY ./-:?=&%# 123456789ABCDEFGHILMNORSTUabcdefghijklmnopqrstuvwxyz');
    }
}

urlencode() belongs in your code to properly encode query values in URLs. PHP's $_GET will then have the correct value to feed back into rotUrl().

Your app must have proper query string encoding and HTML attribute escaping of the encoded URL. Otherwise you'll have vulnerabilities, not just problems transmitting values.

We must save this conversation here as a future usage note tho.
So for safe usage

urlencode(rotUrl($url)) // to encode 
rotUrl(urldecode($url)) // to decode 

http://codepad.org/rz0faInK