On 3/10/2011 12:10, mos wrote:
> I want to bounce some ideas off of MySQL developers that use it for web
> development. Maybe I'm a little paranoid, but when dealing with the
> Internet, I want to make my web app as secure as possible. I'm hoping
> some of you can offer me some ideas in this respect.
> I am building a web application that uses MySQL 5.5 with Innodb tables
> and I don't want the user to see the actual primary key value on the web
> page. The primary key could be the cust_id, bill_id etc and is usually
> auto increment. This primary key can appear in the url and will be used
> to pull up a record and display it on the web page.
You could follow some of the basic security designs already in use.
1) use https://
2) Don't worry about the URLs, worry about authenticating the requesting
user to the session to the data. Only allow the users access to what
they are supposed to have access to in the quantities they are allowed
to view it.
3) You could include the session identifier as part of the URL. Once the
session expires, that URL is now dead.
One of your worries was a BOT coming along and scraping off all of your
public files. That's pretty easy to catch if you actively monitor usage
patterns. Another way of doing that is to have two unique identifiers
for each data object, one is the sequential private number, the other is
the non-incremental (random or hash) value that you can expose via URL.
It's not really securing anything but it is making it harder for
random successes. If they fail to randomly find a valid value enough
times, you lock out that IP address.
However this really isn't a great topic for a database list as most of
solution to your problems reside in how you design your application.
MySQL Principal Technical Support Engineer
Oracle USA, Inc. - Hardware and Software, Engineered to Work Together.
Office: Blountville, TN