CodyMTX Posted July 7, 2014

I had one quick question. Do you think it is a secure approach to expose the primary key in the URL? (Example: http://www.example.com/user/54). I think it presents too much information to someone interested in data-mining your site. They could easily tell how many objects you have or how many users you have, etc. Is there a way to use a GUID or something that would hide it, or is it worth going down that route? If there is, it may make for a good short entry in the Yii Book. I read the book twice and don't recall seeing any information about that. Thanks!!!
Larry Posted July 7, 2014

Good question! My basic rule is determined by what kind of damage can be caused by having a publicly-known (and editable) primary key. So pages on a blog can show the PK, as can links in an e-commerce site. A user ID is a debatable situation, depending upon what showing /user/ID does.
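Larry's rule, put into code as an added example (not from this thread or the Yii Book): an integer PK in the URL is safe to expose only when every action on the row is authorized independently of the identifier. Plain PHP arrays stand in for a Yii model here; the table layout, function names and user ids are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: a "posts" table keyed by its integer primary key.
$posts = [
    54 => ['id' => 54, 'owner_id' => 7, 'title' => 'Hello'],
    55 => ['id' => 55, 'owner_id' => 9, 'title' => 'Private draft'],
];

/**
 * Insecure shape: whoever knows (or guesses) the PK can edit the record.
 * This is exactly the case where an exposed sequential id does damage.
 */
function updateTitleInsecure(array &$posts, int $id, string $newTitle): bool
{
    if (!isset($posts[$id])) {
        return false;                    // row does not exist
    }
    $posts[$id]['title'] = $newTitle;    // no check of who is asking
    return true;
}

/**
 * Hardened shape: the PK only locates the row; ownership decides.
 * "Exists but not yours" is reported exactly like "does not exist", so a
 * client walking ids cannot use the response to learn which rows are real.
 */
function updateTitle(array &$posts, int $currentUserId, int $id, string $newTitle): bool
{
    $post = $posts[$id] ?? null;
    if ($post === null || $post['owner_id'] !== $currentUserId) {
        return false;
    }
    $posts[$id]['title'] = $newTitle;
    return true;
}

// Usage: user 7 is logged in and submits edits against post 55 (owned by 9) and post 54 (own).
var_dump(updateTitleInsecure($posts, 55, 'Changed by a stranger'));
var_dump(updateTitle($posts, 7, 55, 'Changed by a stranger'));
var_dump(updateTitle($posts, 7, 54, 'Renamed by its owner'));
print_r($posts);
```

The point of the second function is that the check lives in the handler, not in the shape of the URL: a blog post page can show its PK precisely because the only thing a reader can do with it is read.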
Edward Posted July 8, 2014

Use the username string value instead of their id, which is of course shady. If you do that though, you will have to edit your routes in your main/config.php. It can also be a pain, as all your other user methods have to be listed there. So if someone has a user name the same as one of your controller methods, this function wouldn't run. But I guess you could just restrict those particular usernames on the user creation page.
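The route collision Edward describes, and the registration-time restriction he suggests, as an added example that is not from the thread or from Yii itself. Plain PHP stands in for Yii's URL manager and the user-creation form; the action list, reserved words and path format are assumptions.

```php
<?php
declare(strict_types=1);

// Actions that live under /user/ in this hypothetical controller (assumption).
const USER_ACTIONS = ['create', 'update', 'delete', 'login', 'logout', 'index', 'view'];

// Further names that must never become usernames (assumption).
const EXTRA_RESERVED = ['admin', 'root', 'api', 'me', 'settings'];

/** Every word that would collide with, or impersonate, a non-profile route. */
function reservedUsernames(): array
{
    return array_merge(USER_ACTIONS, EXTRA_RESERVED);
}

/**
 * Registration-time check: only the characters the route pattern accepts,
 * and none of the reserved words (compared case-insensitively). Refusing
 * these names at creation is what keeps the router below unambiguous.
 */
function isUsernameAllowed(string $username): bool
{
    if (!preg_match('/\A[a-z0-9_]{3,32}\z/i', $username)) {
        return false;
    }
    return !in_array(strtolower($username), reservedUsernames(), true);
}

/**
 * Router for /user/<segment>: a segment naming an action dispatches to it;
 * anything else is treated as a username to look up. Because action names
 * are refused at registration, a profile can never shadow an action.
 */
function routeUserPath(string $path): array
{
    if (!preg_match('#\A/user/([a-z0-9_]{1,32})\z#i', $path, $m)) {
        return ['error' => 'not_found'];
    }
    $segment = strtolower($m[1]);
    if (in_array($segment, USER_ACTIONS, true)) {
        return ['action' => $segment];
    }
    return ['action' => 'profile', 'username' => $segment];
}

// Usage with constructed inputs.
foreach (['alice', 'delete', 'Admin', 'a', 'bob/../x'] as $candidate) {
    printf("%-10s allowed as username: %s\n", $candidate, isUsernameAllowed($candidate) ? 'yes' : 'no');
}
foreach (['/user/alice', '/user/delete', '/user/Update'] as $path) {
    echo $path, ' -> ', json_encode(routeUserPath($path)), "\n";
}
```

The two regular expressions are deliberately the same character class: whatever the router is willing to treat as a username is exactly what registration is willing to accept, so there is no name that can be created but not routed, or routed but not created.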
CodyMTX Posted July 10, 2014

Thank you Larry and Edward! I appreciate the responses! I suppose there is no immediate damage done for them knowing the primary keys. I just didn't want to have someone use a program to systematically attack the site by scrolling through numbers associated with users, posts, etc. I hope that makes sense. I was looking at using a GUID, but it may possibly have performance issues as well as making it a pain to code with. Thanks again!
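Two defensive pieces around the concern in the original question and this last post, as an added example that is not from the thread or the Yii Book: first, a random public identifier stored in its own column next to the integer PK, so URLs reveal nothing about row counts while joins and foreign keys keep the cheap integer (this sidesteps the GUID-as-primary-key cost Cody mentions); second, a simple detector for the sequential id walking he describes, run over constructed access-log lines. The column name, log format, function names and sample data are all assumptions.

```php
<?php
declare(strict_types=1);

/** 16 random bytes, base64url without padding: 22 URL-safe characters. */
function newPublicId(): string
{
    return rtrim(strtr(base64_encode(random_bytes(16)), '+/', '-_'), '=');
}

/** Shape check before touching the database; rejects anything newPublicId() would not produce. */
function isValidPublicId(string $candidate): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{22}\z/', $candidate);
}

/**
 * Look a user up by public id. Real code would run
 * `SELECT ... FROM user WHERE public_id = :pid` against a UNIQUE index on
 * public_id; the integer `id` stays the primary key for every foreign key.
 */
function findUserByPublicId(array $users, string $publicId): ?array
{
    if (!isValidPublicId($publicId)) {
        return null;
    }
    foreach ($users as $user) {
        if ($user['public_id'] === $publicId) {
            return $user;
        }
    }
    return null;
}

/**
 * Flag clients that request runs of consecutive numeric /user/N ids.
 * Constructed log format: "<ip> <status> <path>". Consecutive integers are
 * the signature of a counter being walked rather than links being followed.
 */
function detectIdWalking(array $logLines, int $threshold): array
{
    $seen = [];
    foreach ($logLines as $line) {
        if (!preg_match('#^(\S+) (\d{3}) /user/(\d+)$#', $line, $m)) {
            continue;
        }
        $seen[$m[1]][(int) $m[3]] = true;
    }
    $flagged = [];
    foreach ($seen as $ip => $ids) {
        $list = array_keys($ids);
        sort($list);
        $consecutive = 0;
        for ($i = 1; $i < count($list); $i++) {
            if ($list[$i] === $list[$i - 1] + 1) {
                $consecutive++;
            }
        }
        if ($consecutive >= $threshold) {
            $flagged[$ip] = count($list);   // distinct ids requested by this client
        }
    }
    return $flagged;
}

// Usage with constructed data.
$users = [
    ['id' => 54, 'public_id' => newPublicId(), 'name' => 'alice'],
    ['id' => 55, 'public_id' => newPublicId(), 'name' => 'bob'],
];
printf("alice's URL: /user/%s\n", $users[0]['public_id']);
var_dump(findUserByPublicId($users, $users[1]['public_id'])['name'] ?? null);
var_dump(findUserByPublicId($users, '54'));   // a bare integer PK is rejected by the shape check

$log = [
    '203.0.113.5 200 /user/54', '203.0.113.5 200 /user/55', '203.0.113.5 404 /user/56',
    '203.0.113.5 404 /user/57', '203.0.113.5 200 /user/58', '203.0.113.5 404 /user/59',
    '198.51.100.9 200 /user/54', '198.51.100.9 200 /user/1200',
];
print_r(detectIdWalking($log, 4));
```

Keeping the integer as the real primary key means the only schema change is one extra indexed column, which is considerably less work (and less of a performance question) than making a GUID the key of every table that references users. The detector is a starting point for alerting; in production it would run per time window and feed whatever rate limiting the site already has.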