Well said Dave!

regards

Andrew Scott
Senior Cold Fusion Application Developer

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2000 11:53
To: CF-Talk
Cc: '[EMAIL PROTECTED]'
Subject: RE: SQL Server -> MS Access "Autonumber"?


> That's all I was saying. . .they have their uses, but don't 
> use them where the data could be at risk. For instance as a 
> hidden form field with an OrderID for a shopping cart. Any 
> time there is sensitive data accessible to the user via
> URL, cookie, view source, etc -- autonumbers shouldn't be 
> used. As far as things like lists of products, suppliers, 
> states, names, whatever -- it's a great method for creating 
> a primary key.

I'd argue that this isn't really a function of the database design - that
is, you shouldn't be using UUIDs within the database simply to obfuscate
code within your application. If the database and application are properly
designed, a user will only be able to see what they should be allowed to see
- if you specify a primary key within a URL, then the script that receives
that primary key shouldn't show the user the corresponding data unless that
user is allowed to see that data. Using UUIDs for this is just security
through obscurity.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
----------------------------------------------------------------------------
--
Archives: http://www.mail-archive.com/[email protected]/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
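Dave's point, that the script receiving a primary key must decide whether the current user may see that row, as an added example (not code from this thread or from ColdFusion): a Python handler over a constructed SQLite table with autonumber-style order IDs, where the session user and the requested key are both part of the lookup. The table, data and handler names are hypothetical.

```python
import sqlite3
import urllib.parse


def build_db():
    # Constructed sample data: sequential, guessable order IDs, as an
    # autonumber column would produce. Two users, three orders.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "user_id INTEGER NOT NULL, total REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO orders (user_id, total) VALUES (?, ?)",
        [(1, 19.99), (2, 250.00), (1, 5.50)],
    )
    conn.commit()
    return conn


def get_order_unchecked(conn, order_id):
    # Lookup by key alone: whoever supplies an ID gets the row. Obfuscating
    # the key (UUIDs) would only hide this defect, not remove it.
    sql = "SELECT order_id, user_id, total FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchone()


def get_order_for_user(conn, current_user_id, order_id):
    # The authorization check lives in the query: the ownership predicate is
    # bound to the session's user, never to anything the client sent.
    sql = ("SELECT order_id, user_id, total FROM orders "
           "WHERE order_id = ? AND user_id = ?")
    return conn.execute(sql, (order_id, current_user_id)).fetchone()


def order_endpoint(conn, session_user_id, query_string):
    """Simulated request handler: order_id comes from the URL, user from session."""
    params = urllib.parse.parse_qs(query_string)
    try:
        order_id = int(params.get("order_id", [""])[0])
    except ValueError:
        return 400, None
    row = get_order_for_user(conn, session_user_id, order_id)
    if row is None:
        # Same response whether the order is missing or belongs to someone
        # else, so the endpoint does not confirm which IDs exist.
        return 404, None
    return 200, {"order_id": row[0], "total": row[2]}
```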