On Mar 10, 2011 9:23 PM, "Reindl Harald" <h.reindl@stripped> wrote:
> Am 10.03.2011 21:09, schrieb mos:
> > At 12:37 PM 3/10/2011, Claudio Nanni wrote:
> >> Hi there,
> >> Yes I think its actually a pattern a few hundreds million sites solved
> > Great. How did they do it? :)
> >> And any way to encrypt (scramble)the http get string would do. But my
question is , are you afraid of sql injection?
> > I'm using parameterized queries and validating user input so SQL
injection shouldn't be a problem.
> > I just don't want to give the hacker any more useful information than
necessary. Let's say I have a Document_Id
> > column and the url is
> > www.mydocuments.com/public?docid=4
> > to retrieve document_id=4, I don't want someone to write a program to
retrieve all of my public documents and
> > download them. I want them to go through the user interface.
> > The private documents of course need a user name and password to access
them, but public documents do not require
> > passwords.
> > So hashing or encrypting the id column will make the id's non-contiguous
and impossible to guess.
> sorry but this is foolish
> leave the id in peace and add a colum with some checksum
Wordpress guys are also foolish?
They do not even encrypt.
And what's the difference between passing in a GET an encrypted Id or
passing another column with a checksum deriving from the Id?