From:Shawn Green (MySQL) Date:March 10 2011 9:22pm
Subject:Re: How to protect primary key value on a web page?
On 3/10/2011 12:10, mos wrote:
> I want to bounce some ideas off of MySQL developers that use it for web
> development. Maybe I'm a little paranoid, but when dealing with the
> Internet, I want to make my web app as secure as possible. I'm hoping
> some of you can offer me some ideas in this respect.
>
> I am building a web application that uses MySQL 5.5 with Innodb tables
> and I don't want the user to see the actual primary key value on the web
> page. The primary key could be the cust_id, bill_id etc and is usually
> auto increment. This primary key can appear in the url and will be used
> to pull up a record and display it on the web page.
> ...

You could follow some of the basic security designs already in use.

1) use https://

2) Don't worry about the URLs, worry about authenticating the requesting 
user to the session to the data. Only allow the users access to what 
they are supposed to have access to in the quantities they are allowed 
to view it.

3) You could include the session identifier as part of the URL. Once the 
session expires, that URL is now dead.

One of your worries was a BOT coming along and scraping off all of your 
public files. That's pretty easy to catch if you actively monitor usage 
patterns. Another way of doing that is to have two unique identifiers 
for each data object, one is the sequential private number, the other is 
the non-incremental (random or hash) value that you can expose via URL. 
It's not really securing anything but it is making it harder for 
random successes. If they fail to randomly find a valid value enough 
times, you lock out that IP address.


However, this really isn't a great topic for a database list, as most of 
the solutions to your problems reside in how you design your application.

Yours,
-- 
Shawn Green
MySQL Principal Technical Support Engineer
Oracle USA, Inc. - Hardware and Software, Engineered to Work Together.
Office: Blountville, TN
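The two-identifier design and the "authenticate the user to the data" point from the reply above, as an added example that is not code from the thread. It assumes a `bill` table (the `bill_id`/`cust_id` names are taken from the original question), uses an in-memory SQLite database as a stand-in for the MySQL tables, and keeps the per-IP failure counter in a plain dictionary; both the table layout and the lockout threshold are constructed for illustration.

```python
import secrets
import sqlite3
from collections import Counter

# Constructed in-memory database standing in for the MySQL tables in the thread.
conn = sqlite3.connect(":memory:")
conn.execute("""CREATE TABLE bill (
    bill_id   INTEGER PRIMARY KEY AUTOINCREMENT,  -- private, sequential key
    public_id TEXT NOT NULL UNIQUE,               -- random value safe to expose in a URL
    cust_id   INTEGER NOT NULL,                   -- owner of the record
    amount    INTEGER NOT NULL)""")

def new_public_id():
    # 128 bits from the OS CSPRNG: not enumerable the way an auto-increment id is
    return secrets.token_urlsafe(16)

def create_bill(cust_id, amount):
    """Insert a bill; the caller only ever sees the public identifier."""
    pid = new_public_id()
    conn.execute("INSERT INTO bill (public_id, cust_id, amount) VALUES (?, ?, ?)",
                 (pid, cust_id, amount))
    return pid

MAX_FAILURES = 5               # constructed lockout threshold
failures = Counter()           # failed lookups per client IP (in memory, constructed)

def fetch_bill(public_id, session_cust_id, client_ip):
    """Look up by the exposed id AND scope the query to the authenticated customer.

    A valid public_id belonging to someone else returns nothing, and every miss
    counts toward the per-IP lockout the reply describes.
    """
    if failures[client_ip] >= MAX_FAILURES:
        return None            # this client is locked out
    row = conn.execute(
        "SELECT bill_id, amount FROM bill WHERE public_id = ? AND cust_id = ?",
        (public_id, session_cust_id)).fetchone()
    if row is None:
        failures[client_ip] += 1
    return row
```

Because the ownership check is part of the WHERE clause, a leaked or guessed URL is useless without the matching authenticated session, which is the point of item 2 above.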