I've spent a good number of hours trying to understand the best strategy for using keys, ids or key names in URLs. I've read all the docs & posts so hopefully I've not overlooked something obvious. For context, what led me down this path is wanting to use an email address as key_name for doing get() by name.
Anyway, from what I understand the following is true (if not, please correct me):

- If one assigns a key_name, the numeric id is not created. There is no way to create a numeric id, so it's one or the other. In addition, numeric IDs are semi-sequential.
- If one assigns a key_name then there is no way to use db.key().id(). This may be a 'DUH' but I was thinking this would work somehow, as it would be an answer to my situation as explained below (by creating a non-sequential numeric id).

I understand the string-encoded entity key is "web safe"; however, it can easily be decoded to reveal 'sensitive' data (i.e. if key_name is the user's email address and the entity key is used for URLs, one can easily obtain the email address). I tested this on a few App Engine based sites in the wild and was able to reverse out kind(), name(), id(). Certainly some of this is useless but the name() could be a hole depending on what's in there. Personally I don't like the idea of kind() being exposed but that's probably me just being paranoid.

So given all this I understand how id() is secure from the standpoint of no potential for revealing potentially sensitive data. However, since it's relatively sequential, what is the best strategy to prevent the bozos in the basement from doing an ID attack and just running through the table? I've seen mentions of UUID and others but wonder if that's worth the extra cost (i.e. development, maintenance, CPU, etc.).

In terms of the original question, my plan is to create a model with email as key_name and a ReferenceProperty to the User module. Then in the URL use the id() of the User model. Again, the goal is to get the user model using get vs. doing a query.

Any suggestions, help, comment is greatly welcome.

Thanks,
Dave
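One way to meet the goal described in the post above (a get() by a name derived from the email, with neither the email nor a sequential id in the URL), as an added example that is not part of the original post: derive the key_name with a keyed HMAC. `opaque_key_name`, `reversible_token`, `FakeDatastore`, the secret and the sample addresses are all constructed for illustration; the dictionary only stands in for a get-by-key-name lookup and is not the App Engine API.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a server-side secret loaded from configuration in a real app;
# generated per process here so the example is self-contained.
KEY_NAME_SECRET = secrets.token_bytes(32)


def opaque_key_name(email, secret=KEY_NAME_SECRET):
    """Deterministic, non-sequential key_name that does not reveal the email."""
    normalized = email.strip().lower().encode("utf-8")
    digest = hmac.new(secret, b"user-key-name:" + normalized, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")
    return "u" + token  # letter prefix so the name never starts with a digit


def reversible_token(email):
    """Constructed stand-in for an encoded key whose name is the raw email."""
    return base64.urlsafe_b64encode(b"User:" + email.encode("utf-8")).decode("ascii")


def decode_token(token):
    """Undo URL-safe base64, restoring any stripped padding."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


class FakeDatastore:
    """Constructed in-memory stand-in for put / get by key_name."""

    def __init__(self):
        self._rows = {}

    def put(self, key_name, entity):
        self._rows[key_name] = entity

    def get_by_key_name(self, key_name):
        return self._rows.get(key_name)


store = FakeDatastore()
store.put(opaque_key_name("dave@example.com"), {"display_name": "Dave"})

# Lookup from the email is still a direct get, not a query.
found = store.get_by_key_name(opaque_key_name(" Dave@Example.com"))
# An encoding of the raw email hands the address to anyone who decodes it.
leaked = decode_token(reversible_token("dave@example.com"))
```

The 128-bit truncated HMAC leaves nothing to walk through sequentially, and the email can only be mapped to the name by a party holding the secret.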
