On Thursday 10 March 2011 11:45:27 am Reindl Harald wrote:
> On 10.03.2011 18:10, mos wrote:
> > I am building a web application that uses MySQL 5.5 with Innodb tables
> > and I don't want the user to see the actual primary key value on the web
> > page. The primary key could be the cust_id, bill_id etc and is usually
> > auto increment. This primary key can appear in the url and will be used
> > to pull up a record and display it on the web page.
> >
> > So I need some efficient way of 'cloaking' the real primary key so a
> > hacker won't try to generate random values to access info he shouldn't
> > have access to. How do most web sites handle this?
>
> the most sites will handle this by checking permissions
> security by obscurity is simple crap
>
> if i have access to record 738 and get z39 by changing the url
> your application is simply broken
I think the original poster knows/suspects his application is broken and that's why he's asking. I think he has a case where he allows a user to edit their own records and doesn't have the ability to require a username/password from them. I have a similar situation.

What I do is store a random number in their record, which I also include in the URL. Access to the record is gained by the combination of id and tag.

Just a thought.

-- 
Take care and have fun,
Mike Diehl.

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=arch...@jab.org
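The id-plus-tag scheme Mike describes, written out as an added example that is not code from either poster. It assumes a table with an extra `access_tag` column holding a per-record secret generated with a cryptographic random source, and it uses an in-memory SQLite database as a stand-in for the MySQL/InnoDB table in the question (the SQL is portable). The lookup fetches the row by primary key, then compares the presented tag in constant time and returns the same "not found" result for a missing id and for a wrong tag, so a changed URL reveals nothing about which ids exist. As Reindl notes, this is a bearer capability, not a permission check: anyone who obtains the URL can read the record, so it belongs where there is no authenticated user to check permissions against, and the tag should be long enough that guessing is infeasible.

```python
import hmac
import secrets
import sqlite3

# Assumption: 16 random bytes (128 bits) per record; token_urlsafe encodes
# them as a 22-character URL-safe string, so no escaping is needed in the URL.
TAG_BYTES = 16


def create_db():
    """In-memory SQLite stand-in for the MySQL customer table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer ("
        " cust_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " name TEXT NOT NULL,"
        " access_tag TEXT NOT NULL)"
    )
    return conn


def insert_customer(conn, name):
    """Insert a record with a fresh random tag; return (cust_id, tag)."""
    tag = secrets.token_urlsafe(TAG_BYTES)  # CSPRNG, never random.random()
    cur = conn.execute(
        "INSERT INTO customer (name, access_tag) VALUES (?, ?)", (name, tag)
    )
    conn.commit()
    return cur.lastrowid, tag


def record_url(cust_id, tag):
    """The link handed to the user: the sequential id is visible, the tag is the secret."""
    return f"/customer?id={cust_id}&tag={tag}"


def fetch_customer(conn, cust_id, tag):
    """Return the record only if both the id exists and the tag matches.

    Both failure modes return None so the response does not distinguish
    'no such id' from 'wrong tag'.
    """
    row = conn.execute(
        "SELECT name, access_tag FROM customer WHERE cust_id = ?", (cust_id,)
    ).fetchone()
    if row is None:
        return None
    name, stored_tag = row
    # Constant-time comparison on bytes; encoding guards against a non-ASCII
    # tag from the URL raising TypeError in compare_digest.
    if not hmac.compare_digest(stored_tag.encode(), tag.encode()):
        return None
    return {"cust_id": cust_id, "name": name}


def rotate_tag(conn, cust_id):
    """Issue a new tag for a record, invalidating every previously shared URL."""
    tag = secrets.token_urlsafe(TAG_BYTES)
    conn.execute("UPDATE customer SET access_tag = ? WHERE cust_id = ?", (tag, cust_id))
    conn.commit()
    return tag


if __name__ == "__main__":
    db = create_db()
    cid, t = insert_customer(db, "Alice")
    print(record_url(cid, t))
    print(fetch_customer(db, cid, t))
    print(fetch_customer(db, cid + 1, t))  # guessed id, wrong tag -> None
```

Rotating the tag (the `rotate_tag` helper) is what turns a leaked link into a revocable one; the sequential id alone never grants access, which is the whole point of the scheme.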