From: Reindl Harald
Date: March 10 2011 6:45pm
Subject: Re: How to protect primary key value on a web page?
List-Archive: http://lists.mysql.com/mysql/224601
Message-Id: <4D791C47.3040903@thelounge.net>

On 10.03.2011 18:10, mos wrote:
> I am building a web application that uses MySQL 5.5 with Innodb tables and I don't want the user to see the actual
> primary key value on the web page. The primary key could be the cust_id, bill_id etc and is usually auto increment.
> This primary key can appear in the url and will be used to pull up a record and display it on the web page.
> So I need some efficient way of 'cloaking' the real primary key so a hacker won't try to generate random values to
> access info he shouldn't have access to. How do most web sites handle this?

Most sites will handle this by checking permissions.
Security by obscurity is simple crap.

If I have access to record 738 and get z39 by changing the URL,
your application is simply broken.
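
The permission check the reply describes, as an added example that is not part of the original message or of any poster's code. It assumes a hypothetical `bills` table keyed by `bill_id` with an owning `cust_id`, a `session_cust_id` taken from the server-side session, and uses Python's `sqlite3` in place of MySQL so it runs offline.

```python
import sqlite3

def make_db():
    """Constructed sample data; sqlite3 stands in for MySQL/InnoDB here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bills (
            bill_id INTEGER PRIMARY KEY AUTOINCREMENT,
            cust_id INTEGER NOT NULL,
            amount  TEXT NOT NULL
        );
        INSERT INTO bills (bill_id, cust_id, amount) VALUES
            (738, 1, '19.90'),
            (739, 2, '250.00');
    """)
    return db

def get_bill_unchecked(db, bill_id):
    """Broken lookup: trusts the id from the URL, so changing it exposes other rows."""
    return db.execute(
        "SELECT bill_id, cust_id, amount FROM bills WHERE bill_id = ?",
        (bill_id,),
    ).fetchone()

def get_bill(db, session_cust_id, bill_id):
    """Lookup with the permission check folded into the query.

    session_cust_id must come from the authenticated server-side session,
    never from the request. A missing row and another customer's row both
    return None, so the caller can answer "not found" for either case.
    """
    try:
        bill_id = int(bill_id)  # URL parameters arrive as strings
    except (TypeError, ValueError):
        return None
    return db.execute(
        "SELECT bill_id, cust_id, amount FROM bills "
        "WHERE bill_id = ? AND cust_id = ?",
        (bill_id, session_cust_id),
    ).fetchone()

if __name__ == "__main__":
    db = make_db()
    print(get_bill_unchecked(db, 739))  # another customer's bill is returned
    print(get_bill(db, 1, "738"))       # customer 1's own bill
    print(get_bill(db, 1, "739"))       # None: not customer 1's record
```

With the ownership condition in the `WHERE` clause, the auto-increment key can stay visible in the URL because guessing a neighbouring id returns nothing.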