On Dec 28, 2010, at 04:39, Jeremy Burns | Class Outfit wrote:

> I *think* the main benefit is obfuscation - if you want to hide the fact that 
> I am only the third user, for example. It also makes it more difficult to 
> guess the id belonging to another row in the table (for example, a table that 
> stores company records).

That's what I would think as well. Take for example Craig's List. Each ad has 
an auto-increment id, which appears in the email address that you use to 
respond to the ad, e.g. "sale-12345678 at craigslist dot org". I imagine they 
were getting a lot of spam under that system, since if you can see what one 
ad's id is, you can guess others. So now they insert a hash of some kind in 
addition to that id, e.g. "sale-m4m92-12345678 at craigslist dot org". Now even 
if you know the sequence of auto-increment ids they use, you can't guess the 
hash. If they were redesigning the system today, maybe they would omit the 
auto-increment id altogether and use only a hash (though it would have to be 
much longer than 5 characters to avoid collisions).

Obfuscation shouldn't be your only security measure, but it can be a helpful 
additional step in some situations.
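The id-plus-hash address scheme described above, as an added example that is not part of the original message: it assumes the "hash of some kind" is a keyed HMAC over the id (the real site's scheme is not known), and the key, the `example.org` domain and all function names are constructed for illustration. It also works out the collision risk of a 5-character tag used alone as the identifier.

```python
import base64
import hashlib
import hmac
import math

# Assumption: a server-side secret; constructed value, load from config in practice.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 5  # characters, matching the 5-character tag in the message


def tag_for(ad_id: int, length: int = TAG_LEN) -> str:
    """Derive a short keyed tag for an auto-increment id (HMAC-SHA256, base32)."""
    mac = hmac.new(SECRET_KEY, str(ad_id).encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode().lower()[:length]


def reply_address(ad_id: int) -> str:
    """Build the public address: prefix, tag, then the sequential id."""
    return f"sale-{tag_for(ad_id)}-{ad_id}@example.org"


def parse_and_verify(address: str):
    """Return the ad id if the address is well formed and its tag matches, else None."""
    parts = address.split("@", 1)[0].split("-")
    if len(parts) != 3 or parts[0] != "sale":
        return None
    tag, raw_id = parts[1], parts[2]
    if not (raw_id.isascii() and raw_id.isdigit()) or str(int(raw_id)) != raw_id:
        return None  # reject non-numeric ids and leading-zero aliases
    # Constant-time comparison so response timing does not leak tag prefixes.
    if hmac.compare_digest(tag.encode(), tag_for(int(raw_id)).encode()):
        return int(raw_id)
    return None


def collision_probability(n_rows: int, length: int, alphabet: int = 32) -> float:
    """Birthday bound: chance that at least two of n_rows random tags collide."""
    space = alphabet ** length
    return -math.expm1(-n_rows * (n_rows - 1) / (2.0 * space))


if __name__ == "__main__":
    print(reply_address(12345678))
    print(f"5 chars, 10,000 rows:  {collision_probability(10_000, 5):.3f}")
    print(f"16 chars, 10M rows:    {collision_probability(10_000_000, 16):.2e}")
```

Next to a sequential id, a 5-character tag only has to resist guessing, since the id keeps rows unique; as the sole identifier it would very likely collide within the first ten thousand rows.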

