List: General Discussion
From: Mike Diehl
Date: March 10 2011 7:02pm
Subject: Re: How to protect primary key value on a web page?

On Thursday 10 March 2011 11:45:27 am Reindl Harald wrote:
> On 10.03.2011 18:10, mos wrote:
> > I am building a web application that uses MySQL 5.5 with Innodb tables
> > and I don't want the user to see the actual primary key value on the web
> > page. The primary key could be the cust_id, bill_id etc and is usually
> > auto increment. This primary key can appear in the url and will be used
> > to pull up a record and display it on the web page.
> > 
> > So I need some efficient way of 'cloaking' the real primary key so a
> > hacker won't try to generate random values to access info he shouldn't
> > have access to. How do most web sites handle this?
> 
> most sites will handle this by checking permissions
> security by obscurity is simple crap
> 
> if I have access to record 738 and get z39 by changing the url
> your application is simply broken

I think the original poster knows/suspects his application is broken and that's 
why he's asking.

I think he has a case where he allows a user to edit their own records and 
doesn't have the ability to require a username/password from them.

I have a similar situation.  What I do is store a random number in their 
record, which I also include in the url.  Access to the record is gained by 
the combination of id, and tag.  Just a thought.


-- 

Take care and have fun,
Mike Diehl.
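
The id-plus-random-tag lookup described in the message above, as an added example that is not part of the original post. Assumptions: `sqlite3` stands in for MySQL so it runs offline, the `bill` table and `access_tag` column are hypothetical names, and the tag is drawn from a CSPRNG and compared in constant time, which goes slightly beyond what the post states.

```python
import hmac
import secrets
import sqlite3

# Assumption: sqlite3 stands in for MySQL; table and column names are hypothetical.

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE bill ("
        " bill_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " access_tag TEXT NOT NULL,"
        " amount TEXT NOT NULL)"
    )
    return db

def create_bill(db, amount):
    """Insert a record and return (bill_id, tag) for building the URL."""
    # 128 bits from the OS CSPRNG; a short or predictable number
    # could be guessed together with the sequential id.
    tag = secrets.token_urlsafe(16)
    cur = db.execute(
        "INSERT INTO bill (access_tag, amount) VALUES (?, ?)", (tag, amount)
    )
    db.commit()
    return cur.lastrowid, tag

def fetch_bill(db, bill_id, tag):
    """Return the record only if id and tag both match, else None."""
    if not isinstance(tag, str) or not tag:
        return None
    row = db.execute(
        "SELECT access_tag, amount FROM bill WHERE bill_id = ?", (bill_id,)
    ).fetchone()
    if row is None:
        # Same answer for "no such id" and "wrong tag": ids are not confirmed.
        return None
    stored, amount = row
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(tag.encode(), stored.encode()):
        return None
    return {"bill_id": bill_id, "amount": amount}
```

Anyone holding the URL holds access to the record, so the tag behaves like a password and is best kept out of server logs and shared links.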