That's funny, because passing clear IDs in the URL is quite common in classic web apps written in PHP. Practically all PHP frameworks/CMSs (including the big ones like Joomla or MODx) do that, so I never thought of it as a possible vulnerability. Or is there something more I should worry about in this particular situation (Python, App Engine...)?
On 27 led, 19:34, Jeff Schwartz <[email protected]> wrote:
> IMHO passing clear IDs as text in URLs is not a good idea because anything a
> hacker can glean about data is opening up a can of worms that they could use
> to try to exploit your site and even corrupt your data. I'd look to encrypt
> the id or at least apply a hash such as base64 at a minimum to obfuscate
> the actual id. While base64 won't deter a committed hacker it will deter many
> malcontents who will move on to easier pickings. Best if you can, generate
> an encrypted id on the server and pass that back via the url from the
> client.
>
> On Thu, Jan 27, 2011 at 1:06 PM, tobik <[email protected]> wrote:
> > Great, thanks.
> >
> > On 27 led, 16:06, Geoffrey Spear <[email protected]> wrote:
> > > On Thursday, January 27, 2011 2:52:48 AM UTC-5, tobik wrote:
> > > > Thank you! That's what I wanted to know.
> > > >
> > > > So basically passing Keys in URLs is not a good idea, but using pure
> > > > IDs and Model.get_by_id() should be secure enough. Or am I wrong? I
> > > > tried to get access to data across namespaces but it ended up with a
> > > > request error. So it worked as expected.
> > >
> > > Yes; IDs are only unique within a namespace, entity group, and kind, so
> > > passing an ID from one namespace to an instance using a different namespace
> > > will either get you a different entity from the calling instance's namespace
> > > or nothing, never the entity in the original namespace.
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Google App Engine" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to [email protected].
> > For more options, visit this group at
> > http://groups.google.com/group/google-appengine?hl=en.
> > --
> *Jeff Schwartz*
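As an added example, not code from the original thread or from the App Engine SDK: a small Python stand-in for the namespaced datastore lookup Geoffrey describes, a handler that trusts the numeric ID from the URL beside one that also checks ownership, and the base64 round trip from Jeff's suggestion, which shows that encoding an ID hides nothing from anyone who decodes it. The `Invoice` kind, its `owner` field, the two tenant namespaces, the user names and the amounts are all constructed for this demo.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the App Engine datastore (not the SDK): entities
# are keyed by (namespace, kind, id) to mirror the thread's point that a
# numeric ID is only unique within a namespace and kind.
_DATASTORE: dict = {}


@dataclass
class Invoice:
    id: int
    owner: str  # hypothetical field: the user allowed to read this entity
    amount: int


def put(namespace: str, entity: Invoice) -> None:
    _DATASTORE[(namespace, "Invoice", entity.id)] = entity


def get_by_id(namespace: str, kind: str, entity_id: int) -> Optional[Invoice]:
    """Namespaced lookup behaving like Model.get_by_id(): an ID taken from
    another namespace yields None or a different entity of the calling
    namespace, never the foreign entity."""
    return _DATASTORE.get((namespace, kind, entity_id))


class NotFound(Exception):
    pass


def vulnerable_handler(namespace: str, current_user: str, entity_id: int) -> Invoice:
    """Trusts the ID from the URL: any logged-in user can read any Invoice in
    the namespace by changing the number (insecure direct object reference).
    Obfuscating the ID does not change this; only an authorization check does."""
    inv = get_by_id(namespace, "Invoice", entity_id)
    if inv is None:
        raise NotFound(entity_id)
    return inv


def hardened_handler(namespace: str, current_user: str, entity_id: int) -> Invoice:
    """Same lookup, but the entity is returned only if the requesting user owns
    it. With this check in place a plain integer ID in the URL reveals nothing
    the caller is not already allowed to see."""
    inv = get_by_id(namespace, "Invoice", entity_id)
    if inv is None or inv.owner != current_user:
        # One error for "missing" and "not yours", so the response does not
        # confirm which IDs exist.
        raise NotFound(entity_id)
    return inv


def probe(handler, namespace: str, current_user: str, entity_id: int) -> Optional[str]:
    """Return the owner of whatever the handler hands back, or None on NotFound."""
    try:
        return handler(namespace, current_user, entity_id).owner
    except NotFound:
        return None


def obfuscate_id(entity_id: int) -> str:
    """The 'hash such as base64' suggested in the thread. Base64 is an
    encoding, not a hash: decode_id() recovers the ID exactly."""
    return base64.urlsafe_b64encode(str(entity_id).encode()).decode()


def decode_id(token: str) -> int:
    return int(base64.urlsafe_b64decode(token.encode()).decode())


def seed_demo_data() -> None:
    """Constructed sample data: two tenants with overlapping numeric IDs."""
    _DATASTORE.clear()
    put("tenant-a", Invoice(1, "alice", 100))
    put("tenant-a", Invoice(2, "bob", 250))
    put("tenant-b", Invoice(1, "carol", 999))


seed_demo_data()

if __name__ == "__main__":
    # alice can read bob's invoice through the vulnerable handler ...
    print("vulnerable:", probe(vulnerable_handler, "tenant-a", "alice", 2))
    # ... but not through the hardened one.
    print("hardened:  ", probe(hardened_handler, "tenant-a", "alice", 2))
    # Same ID in another namespace: a different entity, never tenant-a's.
    print("cross-ns:  ", get_by_id("tenant-b", "Invoice", 1))
    # Obfuscation round trip: the token decodes straight back to the ID.
    tok = obfuscate_id(2)
    print("token:", tok, "decodes to", decode_id(tok))
```

The point the stand-in makes is that the namespace scoping Geoffrey describes protects one tenant from another, while the check inside `hardened_handler` is what protects one user from another within the same namespace; the base64 step adds neither.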
