Oops, not quite. The default App Engine keys are essentially a couple
of values, combined and base64-encoded. So the string of letters and
numbers you see might actually be ["Customer", 123] when decoded. For
this reason, they're just as guessable as keys you make yourself.

If guessability is a problem, you should create keys based on strings
you create (like an unguessable uuid, as Andrew suggested):

import uuid
safe_cust = Customer(key_name=str(uuid.uuid4()), name="Joe", ...)

Those keys might get pretty long, so if you want to use them in URLs a
UUID might not be suitable. Asking people to choose a username (or
some other unique keyword) is one solution -- I remember a talk by
Joshua Schachter of del.icio.us where he said he based URLs on
usernames specifically to prevent crawling.

cheers
Michael

On Feb 12, 4:28 pm, warreninaustintexas <[email protected]>
wrote:
> Okay.  Thanks for the response.  So my interpretation of the App
> Engine documentation is this:
>
> "If you use the default App Engine key values, they are safe to
> include in URLs.  If you use your own key generation algorithm, you
> will have to either (1) safeguard your app from people guessing keys,
> or (2) be happy to be crawled."
>
> Am I interpreting it correctly?
>
> On Feb 12, 8:48 am, "Michael O'Brien" <[email protected]> wrote:
>
> > Guessability could be a problem if guessing a URL might allow someone
> > access to something that should be hidden, or if it would allow
> > someone to trawl through your entire datastore for some reason (e.g.
> > to crawl it, costing you resources).
>
> > If you secure your pages anyway, or if you're happy to be crawled,
> > guessability might not be an issue.
>
> > cheers
> > Michael
>
> > On Feb 12, 2:32 pm, Andrew Badera <[email protected]> wrote:
>
> > > Avoid sequential keys, use something like a GUID or UUID, nonce values, 
> > > etc.
>
> > > Thanks-
> > > - Andy Badera
> > > - [email protected]
> > > - (518) 641-1280
> > > - Tech Valley Code Camp 2009.1:http://www.techvalleycodecamp.com/
> > > - Google me:http://www.google.com/search?q=andrew+badera
>
> > > On Thu, Feb 12, 2009 at 9:27 AM, warreninaustintexas <
>
> > > [email protected]> wrote:
>
> > > > I'm using entity keys in the URL of my app.  According to the App
> > > > Engine documentation: "While string-encoded key values are safe to
> > > > include in URLs, an application should only do so if key guessability
> > > > is not an issue."
>
> > > > > http://code.google.com/appengine/docs/python/datastore/keyclass.html#Key
>
> > > > How exactly do I know if guessability is an issue with my app?
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/google-appengine?hl=en
-~----------~----~----~----~------~----~------~--~---
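
Added example, not part of the thread or of App Engine's own code: it illustrates the two points in Michael's reply, that an encoded (kind, id) pair is readable by anyone who holds the URL, and that a random UUID can be shortened to 22 URL-safe characters when the 36-character form is too long. The encode_key format is a constructed stand-in (JSON plus base64), not the real datastore encoding, and all function names are hypothetical.

```python
import base64
import json
import uuid


def b64url(raw):
    """URL-safe base64 without the trailing '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unb64url(text):
    """Inverse of b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_key(kind, ident):
    """Constructed stand-in for an encoded key: the (kind, id) pair, base64'd.
    The real datastore encoding differs; encoding is not secrecy either way."""
    return b64url(json.dumps([kind, ident]).encode("utf-8"))


def decode_key(encoded):
    """Recover the pair from the URL string; no secret is involved."""
    kind, ident = json.loads(unb64url(encoded).decode("utf-8"))
    return kind, ident


def short_key_name():
    """Random UUID as a 22-character URL-safe key name (122 random bits),
    instead of the 36-character str(uuid.uuid4())."""
    return b64url(uuid.uuid4().bytes)


def uuid_from_key_name(name):
    """Recover the UUID from a short key name, e.g. to log it in canonical form."""
    return uuid.UUID(bytes=unb64url(name))


if __name__ == "__main__":
    seen = encode_key("Customer", 123)           # constructed sample value
    kind, ident = decode_key(seen)
    print(seen, "->", [kind, ident])
    # A sequential id stays sequential after encoding.
    print("id + 1 encodes to:", encode_key(kind, ident + 1))
    name = short_key_name()
    print(name, len(name), uuid_from_key_name(name))
```

The short name can be passed as key_name in place of str(uuid.uuid4()); pages that must stay private still need an access check regardless of how the key is formed.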