On Thursday 10 March 2011 11:45:27 am Reindl Harald wrote:
> On 10.03.2011 18:10, mos wrote:
> > I am building a web application that uses MySQL 5.5 with Innodb tables
> > and I don't want the user to see the actual primary key value on the web
> > page. The primary key could be the cust_id, bill_id etc and is usually
> > auto increment. This primary key can appear in the url and will be used
> > to pull up a record and display it on the web page.
> >
> > So I need some efficient way of 'cloaking' the real primary key so a
> > hacker won't try to generate random values to access info he shouldn't
> > have access to. How do most web sites handle this?
>
> most sites will handle this by checking permissions
> security by obscurity is simple crap
>
> if I have access to record 738 and get z39 by changing the url
> your application is simply broken
I think the original poster knows/suspects his application is broken and that's
why he's asking.
I think he has a case where he allows a user to edit their own records and
doesn't have the ability to require a username/password from them.
I have a similar situation. What I do is store a random number in their
record, which I also include in the url. Access to the record is gained by
the combination of id, and tag. Just a thought.
--
Take care and have fun,
Mike Diehl.
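The id-plus-random-tag scheme Mike describes, written out as an added example (not code from anyone in this thread). It assumes a `customer` table with the poster's `cust_id` auto-increment key plus an `access_tag` column, uses SQLite in memory in place of MySQL so it runs stand-alone, and draws the tag from the OS CSPRNG rather than a plain random number so it cannot be enumerated the way the id can.

```python
import hmac
import secrets
import sqlite3


def open_db():
    """Create an in-memory table shaped like the poster's customer records (constructed sample)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customer ("
        " cust_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " name TEXT NOT NULL,"
        " access_tag TEXT NOT NULL)"
    )
    return db


def new_tag():
    # 32 bytes from the OS CSPRNG: unlike the sequential id, this is not guessable by counting
    return secrets.token_urlsafe(32)


def insert_customer(db, name):
    """Store the record together with its tag; return (id, tag) so the URL can carry both."""
    tag = new_tag()
    cur = db.execute("INSERT INTO customer (name, access_tag) VALUES (?, ?)", (name, tag))
    db.commit()
    return cur.lastrowid, tag


def fetch_customer(db, cust_id, tag):
    """Return the row only when both halves from the URL match the stored record."""
    row = db.execute(
        "SELECT name, access_tag FROM customer WHERE cust_id = ?", (cust_id,)
    ).fetchone()
    if row is None:
        return None
    # constant-time comparison so a wrong tag is not distinguishable byte by byte
    if not hmac.compare_digest(row[1].encode(), tag.encode()):
        return None
    return {"cust_id": cust_id, "name": row[0]}


def record_url(cust_id, tag):
    # the link the application hands out; an id on its own no longer retrieves anything
    return f"/customer?id={cust_id}&tag={tag}"
```

The tag is a bearer credential for that one row, so it belongs on the same footing as a session token: serve it over HTTPS only and keep it out of logs and referrers; it narrows the enumeration problem Reindl points out but does not replace per-user permission checks where you have a login.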