konfused Posted July 23, 2013

In an e-commerce database driven website, would there be a security problem using the following scenario?

In an order processing table, use the order_id to create a customer's order number as the PRIMARY key with auto increment, then notify the customer so that he knows the order number.

In a customer registration table, use the customer_id to create a customer's account number as the PRIMARY key with auto increment, then notify the customer so that he knows his account number.

In both cases the number would be set to begin at, say, 1,000 because numbers such as 1, 2, 3 etc. would betray the fact that the online shop was only established very recently, like yesterday.
Edward Posted July 23, 2013

It would be fine to let a customer know his order number; that way it's easy for you to reference. But the customer doesn't need to know his account number, which would be the primary key; that could cause security concerns. The customer and you can reference his account just by referring to his email, which would be unique.

Just think of eBay: you can't go and add someone's ID to a URL to bring up their profile page. You may be able to use their username to do it, but eBay and other sites I have noticed like to hide the actual IDs. I've seen in the past some security breaches on software where people knew that the Admin id was 0 and then they would use that to their hacking advantage.
Larry Posted July 24, 2013

Yeah, I agree with Edward here. And you'd make sure that only the customer of that order could view any order.
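An added example (not code from this thread) showing Larry's point in the query itself: the order lookup is scoped to the logged-in customer, so a sequential order number that belongs to someone else returns nothing, and the internal customer_id is resolved from the unique e-mail as Edward suggests. It uses Python's sqlite3 with a constructed in-memory schema; the table and column names are assumptions.

```python
import sqlite3


def setup_db():
    """Constructed in-memory shop schema. Both auto-increment keys start at 1000,
    as proposed in the first post, but customer_id is never shown to users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (
            customer_id INTEGER PRIMARY KEY AUTOINCREMENT,
            email       TEXT NOT NULL UNIQUE
        );
        CREATE TABLE orders (
            order_id    INTEGER PRIMARY KEY AUTOINCREMENT,
            customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
            total_cents INTEGER NOT NULL
        );
        -- sqlite_sequence stores the last value used, so 999 makes the next key 1000
        INSERT INTO sqlite_sequence(name, seq) VALUES ('customers', 999), ('orders', 999);
    """)
    return conn


def customer_id_for_email(conn, email):
    """Resolve the internal key from the unique e-mail; the id stays server-side."""
    row = conn.execute("SELECT customer_id FROM customers WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


def get_order_unchecked(conn, order_id):
    """The weak version: any order number typed into a URL is served to anyone."""
    row = conn.execute("SELECT order_id, total_cents FROM orders WHERE order_id = ?",
                       (order_id,)).fetchone()
    return {"order_id": row[0], "total_cents": row[1]} if row else None


def get_order(conn, session_customer_id, order_id):
    """Ownership check in the WHERE clause: another customer's order yields no row,
    so guessing neighbouring sequential numbers reveals nothing."""
    row = conn.execute(
        "SELECT order_id, total_cents FROM orders WHERE order_id = ? AND customer_id = ?",
        (order_id, session_customer_id)).fetchone()
    return {"order_id": row[0], "total_cents": row[1]} if row else None


def demo():
    """Two customers, one order each; alice (logged in) asks for order 1000 and 1001."""
    conn = setup_db()
    for email in ("alice@example.com", "bob@example.com"):     # constructed sample data
        conn.execute("INSERT INTO customers(email) VALUES (?)", (email,))
    alice = customer_id_for_email(conn, "alice@example.com")
    bob = customer_id_for_email(conn, "bob@example.com")
    conn.execute("INSERT INTO orders(customer_id, total_cents) VALUES (?, ?)", (alice, 4999))
    conn.execute("INSERT INTO orders(customer_id, total_cents) VALUES (?, ?)", (bob, 1250))
    return {"alice_id": alice,                                     # 1000, never sent to the browser
            "own_order": get_order(conn, alice, 1000),             # alice's own order
            "neighbour_order": get_order(conn, alice, 1001),       # bob's order: None
            "unchecked_neighbour": get_order_unchecked(conn, 1001)}  # leaks bob's order
```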