From: Reindl Harald
Date: March 10 2011 8:23pm
Subject: Re: How to protect primary key value on a web page?
List-Archive: http://lists.mysql.com/mysql/224608
Message-Id: <4D793342.1000907@thelounge.net>

On 10.03.2011 21:09, mos wrote:
> At 12:37 PM 3/10/2011, Claudio Nanni wrote:
>
>> Hi there,
>> Yes I think it's actually a pattern a few hundred million sites solved already :)
>
> Great. How did they do it? :)
>
>> And any way to encrypt (scramble) the http get string would do. But my question is, are you afraid of sql injection?
>
> I'm using parameterized queries and validating user input so SQL injection shouldn't be a problem.
> I just don't want to give the hacker any more useful information than necessary. Let's say I have a Document_Id
> column and the url is
> www.mydocuments.com/public?docid=4
>
> to retrieve document_id=4, I don't want someone to write a program to retrieve all of my public documents and
> download them. I want them to go through the user interface.
> The private documents of course need a user name and password to access them, but public documents do not require
> passwords.
>
> So hashing or encrypting the id column will make the ids non-contiguous and impossible to guess.

sorry but this is foolish
leave the id in peace and add a column with some checksum
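
One way to implement the "column with some checksum" suggestion from the reply above, as an added example that is not part of the original thread. Assumptions: an in-memory sqlite3 table stands in for the MySQL table, the column name `url_token`, the request parameters `docid` and `key`, and `SECRET_KEY` are hypothetical, and the checksum is a keyed HMAC-SHA256, because an unkeyed hash of the id can be recomputed by anyone who guesses the scheme.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: a server-side secret kept out of the database and out of the URL.
SECRET_KEY = secrets.token_bytes(32)


def make_token(doc_id: int, key: bytes = SECRET_KEY) -> str:
    """Keyed checksum of the id; it cannot be recomputed without the key."""
    return hmac.new(key, str(doc_id).encode(), hashlib.sha256).hexdigest()[:32]


def setup_db() -> sqlite3.Connection:
    """Build the stand-in table; the three rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE documents ("
        " document_id INTEGER PRIMARY KEY, title TEXT, url_token TEXT NOT NULL)"
    )
    for doc_id, title in [(3, "Price list"), (4, "Public manual"), (5, "Changelog")]:
        db.execute(
            "INSERT INTO documents VALUES (?, ?, ?)",
            (doc_id, title, make_token(doc_id)),
        )
    return db


def fetch_document(db: sqlite3.Connection, docid_param: str, key_param: str):
    """Handle /public?docid=..&key=..; return the title only if both match."""
    if not (docid_param.isascii() and docid_param.isdigit() and len(docid_param) <= 18):
        return None
    row = db.execute(
        "SELECT title, url_token FROM documents WHERE document_id = ?",
        (int(docid_param),),
    ).fetchone()
    if row is None:
        return None
    title, stored = row
    # Constant-time compare; a wrong token and a missing id give the same result.
    ok = hmac.compare_digest(stored.encode(), key_param.encode())
    return title if ok else None
```

The primary key stays a plain sequential integer for joins and indexing, while incrementing `docid` in the URL yields nothing without the matching `key` value.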