Larry Ullman's Book Forums

Hiding Parameters Passed In Url Route


CodyMTX

I had one quick question.  Do you think it is a secure approach to expose the primary key in the URL? 

I think it presents too much information to someone interested in data-mining your site.  They could easily tell how many objects you have or how many users you have, etc.

Is there a way to use a GUID or something that would hide it, or is it worth going down that route?

If there is, it may make for a good short entry in the Yii Book.  I read the book twice and don't recall seeing any information about that.  Thanks!!! :D


Good question! My basic rule is determined by what kind of damage can be caused by having a publicly-known (and editable) primary key. So pages on a blog can show the PK, as can links in an e-commerce site. A user ID is a debatable situation, depending upon what showing /user/ID does.


Use the username string value instead of their id, which is of course shady. If you do that, though, you will have to edit your routes in your main/config.php; it can also be a pain as all your other user methods have to be listed there. So if someone has a username the same as one of your controller methods, this function wouldn't run. But I guess you could just restrict those particular usernames on the user creation page.


Thank you Larry and Edward!  I appreciate the responses!  I suppose there is no immediate damage done for them knowing the primary keys.  I just didn't want to have someone use a program to systematically attack the site by scrolling through numbers associated with users, posts, etc.  I hope that makes sense.  I was looking at using a GUID, but it may possibly have performance issues as well as making it a pain to code with.  Thanks again!

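An added example (not code from this thread, from Yii, or from the book) that puts Larry's rule and Edward's username-route caveat together in Python rather than PHP. It assumes a constructed in-memory user store, a made-up list of reserved route names, and a random URL-safe token as the public identifier in place of a GUID; the integer primary key never appears in a URL, a sequential scan of /user/1, /user/2, ... finds nothing, and editing is still gated on who the requester is.

```python
import secrets

# Names that would collide with controller actions if a username were used
# directly as the route segment (Edward's caveat); rejected at sign-up time.
RESERVED_USERNAMES = {"login", "logout", "register", "update", "delete", "admin"}


class UserStore:
    """Constructed in-memory store. The integer primary key never leaves the
    server; URLs carry either a random public id or the username."""

    def __init__(self):
        self._by_pk = {}        # pk -> user record
        self._by_public = {}    # public_id -> pk
        self._by_username = {}  # lower-cased username -> pk
        self._next_pk = 1

    def create(self, username):
        key = username.lower()
        if key in RESERVED_USERNAMES:
            raise ValueError(f"{username!r} is reserved")
        if key in self._by_username:
            raise ValueError(f"{username!r} is taken")
        # 128 random bits from the OS CSPRNG: unguessable and non-sequential,
        # so a crawler cannot walk /user/1, /user/2, ... (uuid4 would do too).
        public_id = secrets.token_urlsafe(16)
        user = {"pk": self._next_pk, "public_id": public_id, "username": username}
        self._by_pk[user["pk"]] = user
        self._by_public[public_id] = user["pk"]
        self._by_username[key] = user["pk"]
        self._next_pk += 1
        return user

    def resolve(self, segment):
        """Look up the user named by a URL segment (public id first, then username)."""
        pk = self._by_public.get(segment)
        if pk is None:
            pk = self._by_username.get(segment.lower())
        return None if pk is None else self._by_pk[pk]


def enumeration_hits(store, upto):
    """How many users a sequential scan of /user/1 .. /user/<upto> would find."""
    return sum(1 for n in range(1, upto + 1) if store.resolve(str(n)) is not None)


def can_edit(store, segment, actor_pk):
    """Larry's rule: an exposed id is harmless only when /user/<id> is read-only
    for strangers, so editing still requires the requester to be the owner."""
    target = store.resolve(segment)
    return target is not None and target["pk"] == actor_pk
```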
