On 10.03.2011 21:09, mos wrote:
> At 12:37 PM 3/10/2011, Claudio Nanni wrote:
>
>> Hi there,
>> Yes, I think it's actually a pattern a few hundred million sites have solved already :)
>
> Great. How did they do it? :)
>
>> And any way to encrypt (scramble) the HTTP GET string would do. But my question is,
>> are you afraid of SQL injection?
>
> I'm using parameterized queries and validating user input, so SQL injection
> shouldn't be a problem.
> I just don't want to give the hacker any more useful information than
> necessary. Let's say I have a Document_Id column and the URL is
> www.mydocuments.com/public?docid=4
>
> to retrieve document_id=4. I don't want someone to write a program to
> retrieve all of my public documents and download them. I want them to go
> through the user interface.
> The private documents of course need a user name and password to access
> them, but public documents do not require passwords.
>
> So hashing or encrypting the id column will make the ids non-contiguous
> and impossible to guess.
Sorry, but this is foolish.
Leave the id in peace and add a column with some checksum.